Finally, finally worked out how to make websockets work again 😢
This commit is contained in:
parent
1eeda880ed
commit
67c0c893ab
2 changed files with 48 additions and 36 deletions
bouncer
|
|
@ -62,6 +62,7 @@ These environment variables need to be applied to the CONSUMING SERVICE and not
|
|||
| BOUNCER_ALLOW_WEBSOCKETS | Defaults to enabled. Values are "yes" or "true", anything else is false | Enable websocket behaviour |
|
||||
| BOUNCER_ALLOW_LARGE_PAYLOADS | Defaults to disabled. | Allows overriding the default nginx payload size. Related to BOUNCER_MAX_PAYLOADS_MEGABYTES |
|
||||
| BOUNCER_MAX_PAYLOADS_MEGABYTES | numbers | Size of max payload to allow, in megabytes. Requires BOUNCER_ALLOW_LARGE_PAYLOADS to be enabled |
|
||||
| BOUNCER_PROXY_TIMEOUT_SECONDS | 60 | The timeout for the proxy to wait for a response from the service, in seconds. |
|
||||
| BOUNCER_CUSTOM_NGINX_CONFIG | Contents of nginx config file, optionally base64 encoded | Allows you to provide a custom nginx config file for this service. This will entirely replace the default config for this service. This is hella dangerous. |
|
||||
|
||||
## Security considerations
|
||||
|
|
|
|||
|
|
@ -1,71 +1,82 @@
|
|||
server {
|
||||
{% if allowNonSSL %}
|
||||
listen {{ portHttp }};
|
||||
listen [::]:{{ portHttp }};
|
||||
# Non-SSL Traffic is allowed
|
||||
listen {{ portHttp }};
|
||||
listen [::]:{{ portHttp }};
|
||||
{% endif %}
|
||||
listen {{ portHttps }} ssl;
|
||||
listen [::]:{{ portHttps }} ssl;
|
||||
server_name {{ serverName }};
|
||||
access_log /var/log/bouncer/{{ name }}.access.log;
|
||||
error_log /var/log/bouncer/{{ name }}.error.log;
|
||||
# SSL Traffic is allowed
|
||||
listen {{ portHttps }} ssl;
|
||||
listen [::]:{{ portHttps }} ssl;
|
||||
server_name {{ serverName }};
|
||||
access_log /var/log/bouncer/{{ name }}.access.log;
|
||||
error_log /var/log/bouncer/{{ name }}.error.log;
|
||||
|
||||
{% if certType == 'TEMPORARY_CERT' %}
|
||||
ssl_certificate /certs/example.crt;
|
||||
ssl_certificate_key /certs/example.key;
|
||||
ssl_certificate /certs/example.crt;
|
||||
ssl_certificate_key /certs/example.key;
|
||||
{% elseif certType == 'GLOBAL_CERT' %}
|
||||
ssl_certificate /certs/global.crt;
|
||||
ssl_certificate_key /certs/global.key;
|
||||
ssl_certificate /certs/global.crt;
|
||||
ssl_certificate_key /certs/global.key;
|
||||
{% elseif certType == 'CUSTOM_CERT' %}
|
||||
ssl_certificate /etc/nginx/sites-enabled/{{ customCertFile }};
|
||||
ssl_certificate_key /etc/nginx/sites-enabled/{{ customCertKeyFile }};
|
||||
ssl_certificate /etc/nginx/sites-enabled/{{ customCertFile }};
|
||||
ssl_certificate_key /etc/nginx/sites-enabled/{{ customCertKeyFile }};
|
||||
{% elseif certType == 'LETSENCRYPT_CERT' %}
|
||||
ssl_certificate /etc/letsencrypt/live/{{ name }}/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/{{ name }}/privkey.pem;
|
||||
ssl_certificate /etc/letsencrypt/live/{{ name }}/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/{{ name }}/privkey.pem;
|
||||
{% endif %}
|
||||
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||
# ssl_ciphers HIGH:!aNULL:!MD5;
|
||||
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||
# ssl_ciphers HIGH:!aNULL:!MD5;
|
||||
|
||||
{% if allowLargePayloads %}
|
||||
client_max_body_size 0;
|
||||
{% endif %}
|
||||
|
||||
location / {
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
{% if hasHostOverride %}
|
||||
proxy_set_header Host {{ hostOverride }};
|
||||
proxy_set_header Host {{ hostOverride }};
|
||||
{% else %}
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header Host $host;
|
||||
{% endif %}
|
||||
|
||||
# Server to send the request on to
|
||||
proxy_pass "{{ targetPath }}";
|
||||
|
||||
# Standard headers setting origin data
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
|
||||
{% if hasAuth %}
|
||||
auth_basic "closed site";
|
||||
auth_basic_user_file sites-enabled/{{ authFile }};
|
||||
# Http Basic Auth
|
||||
auth_basic "closed site";
|
||||
auth_basic_user_file sites-enabled/{{ authFile }};
|
||||
{% endif %}
|
||||
|
||||
{% if allowWebsocketSupport %}
|
||||
# WebSocket support
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "upgrade";
|
||||
proxy_http_version 1.1;
|
||||
proxy_set_header Upgrade $http_upgrade;
|
||||
proxy_set_header Connection "Upgrade";
|
||||
proxy_cache_bypass $http_upgrade;
|
||||
proxy_buffering off;
|
||||
proxy_set_header Origin "";
|
||||
{% endif %}
|
||||
|
||||
{% if proxyTimeoutSeconds %}
|
||||
proxy_read_timeout {{ proxyTimeoutSeconds }};
|
||||
proxy_connect_timeout {{ proxyTimeoutSeconds }};
|
||||
proxy_send_timeout {{ proxyTimeoutSeconds }};
|
||||
# Proxy timeouts
|
||||
proxy_read_timeout {{ proxyTimeoutSeconds }};
|
||||
proxy_connect_timeout {{ proxyTimeoutSeconds }};
|
||||
proxy_send_timeout {{ proxyTimeoutSeconds }};
|
||||
{% endif %}
|
||||
|
||||
proxy_pass {{ targetPath }};
|
||||
}
|
||||
}
|
||||
|
||||
{% if not allowNonSSL %}
|
||||
server {
|
||||
listen {{ portHttp }};
|
||||
listen [::]:{{ portHttp }};
|
||||
server_name {{ serverName }};
|
||||
return 301 https://$host$request_uri;
|
||||
# Redirect non-ssl to ssl
|
||||
listen {{ portHttp }};
|
||||
listen [::]:{{ portHttp }};
|
||||
server_name {{ serverName }};
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
{% endif %}
|
||||
|
|
|
|||
Loading…
Reference in a new issue