Differences
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision Next revision Both sides next revision | ||
tutorial:adm:server_preparation_tmp [2020/03/11 13:45] urbanl [Apache Tomcat configuration] |
tutorial:adm:server_preparation_tmp [2020/07/24 11:35] fiserp [mod_security configuration - CentOS8] |
||
---|---|---|---|
Line 1: | Line 1: | ||
- | <note important> | + | <note important> |
+ | |||
+ | **This tutorial is under development, | ||
Author: Ludek Urban | Author: Ludek Urban | ||
Line 5: | Line 7: | ||
- | ====== Server preparation - Linux ====== | + | ====== Server preparation - Linux - CentOS8 |
{{tag> | {{tag> | ||
- | This tutorial shows how to prepare the server for test or production | + | This tutorial shows how to prepare the server for test or production |
===== Basic system setup ===== | ===== Basic system setup ===== | ||
- | * 1 server (can be virtualized) for all: backend, frontend and database. | + | * 1 server (can be virtualized) for everything: backend, frontend and database. |
- | * OS Linux with EPEL repository enabled - CENTOS, basic network enabled installation | + | * OS Linux with EPEL repository enabled - CentOS, basic network enabled installation |
- | * It is possible to use Debian but you have to adjust | + | * It is possible to use Debian |
- | * PostgreSQL - installed from a new repository | + | * PostgreSQL |
- | * Java - distribution repository (OpenJDK 1.8) | + | * Java 11 - installed from OS packages. |
- | * Apache Tomcat - manually | + | * Apache Tomcat |
- | * Services | + | * Apache HTTPd 2.4.x - installed from OS packages. Can be replaced by nGinx. |
- | * Services run under dedicated | + | * All services |
+ | * Each service runs under dedicated non-privileged | ||
===== Instalation and software configuration ===== | ===== Instalation and software configuration ===== | ||
- | Prerequisities - Basic installation of CentOS | + | Prerequisities - Basic installation of CentOS |
<code bash> | <code bash> | ||
# EPEL installation | # EPEL installation | ||
- | yum clean all | + | dnf clean all |
- | yum install | + | dnf -y install |
- | yum update -y | + | dnf update -y |
# other recommended packages installation | # other recommended packages installation | ||
- | yum install | + | dnf -y install mc haveged nmap screen sysstat telnet |
# enable haveged after OS start | # enable haveged after OS start | ||
systemctl start haveged.service | systemctl start haveged.service | ||
systemctl enable haveged.service | systemctl enable haveged.service | ||
- | # remove unnecessary software | + | |
- | yum remove -y postfix | + | |
- | systemctl stop avahi-daemon.socket avahi-daemon.service | + | |
- | systemctl disable avahi-daemon.socket avahi-daemon.service | + | |
- | yum remove -y avahi-autoipd avahi | + | |
# set the hostname | # set the hostname | ||
hostnamectl set-hostname FQDN_server_name | hostnamectl set-hostname FQDN_server_name | ||
Line 45: | Line 45: | ||
</ | </ | ||
- | -!CHANGED | + | ===== PostgreSQL |
- | When installing to centos8, check and install these packages: | + | <note tip>If you are installing |
- | < | + | We install |
- | # check installed packages. It's recommanded to have them installed. | + | ==== Database server installation - CentOS8 ==== |
- | yum list installed | + | |
- | # other recommended packages installation | + | |
- | yum install -y mc haveged nmap screen sysstat telnet | + | |
- | </ | + | |
- | + | ||
- | When installing on Debian, install these packages: | + | |
- | < | + | |
- | screen dnsutils sysstat lsof haveged nmap tcpdump traceroute tcptraceroute curl iptables-persistent | + | |
- | </ | + | |
- | ===== PostgreSQL | + | |
- | <note tip>If you are install | + | |
- | CentOS8 default repository version of PostgreSQL | + | |
- | ==== Database server installation - CentOS8 | + | |
* Software installation on CentOS8(versions can vary): | * Software installation on CentOS8(versions can vary): | ||
<code bash> | <code bash> | ||
# enable module postgres 12 | # enable module postgres 12 | ||
- | yum module enable postgresql: | + | dnf module enable postgresql: |
- | yum install | + | dnf -y install |
</ | </ | ||
- | * create new system | + | * create new directory |
<code bash> | <code bash> | ||
- | mkdir -p / | ||
mkdir -p / | mkdir -p / | ||
chown -R postgres: | chown -R postgres: | ||
Line 79: | Line 65: | ||
</ | </ | ||
- | * Copy of the configuration file for systemd, in which we will make change of directory for data: | + | * Copy the PostgreSQL' |
<code bash> | <code bash> | ||
Line 91: | Line 77: | ||
</ | </ | ||
- | * In the file '' | + | * In the file '' |
< | < | ||
Line 108: | Line 94: | ||
<code bash> | <code bash> | ||
- | /usr/bin/postgresql-setup --initdb --unit postgresql | + | postgresql-setup --initdb --unit postgresql |
</ | </ | ||
Change SELINUX labels: | Change SELINUX labels: | ||
< | < | ||
- | chcon -Rt postgresql_db_t pgsql/ | + | chcon -Rt postgresql_db_t |
chcon -Rt postgresql_log_t / | chcon -Rt postgresql_log_t / | ||
</ | </ | ||
Line 155: | Line 141: | ||
</ | </ | ||
- | ==== Database server installation - Debian Stretch ==== | ||
- | Install the database from OS packages: | ||
- | < | ||
- | apt-get install postgresql-9.6 | ||
- | </ | ||
- | We will move the database - create directory structure: | ||
- | < | ||
- | mkdir -p / | ||
- | chown -R postgres: | ||
- | chmod -R 700 /data/pgsql | ||
- | </ | ||
- | Create the file .bash\_profile in postgres user's home (default / | ||
- | < | ||
- | PGDATA=/ | ||
- | </ | ||
- | Stop the database: | ||
- | < | ||
- | systemctl stop postgresql | ||
- | </ | ||
- | Move database directory (run this as root): | ||
- | < | ||
- | mv / | ||
- | </ | ||
- | In the PostgreSQL configuration file / | ||
- | < | ||
- | data_directory = '/ | ||
- | </ | ||
- | Enable and start the database: | ||
- | < | ||
- | systemctl start postgresql | ||
- | systemctl enable postgresql | ||
- | </ | ||
- | ==== DB server configuration -!CHANGED ==== | ||
- | First of all, enable | + | ==== Database server configuration and sizing ==== |
+ | |||
+ | * Enable | ||
In the file ''/ | In the file ''/ | ||
Line 196: | Line 151: | ||
host all | host all | ||
</ | </ | ||
- | + | and change the value at the end of each line to '' | |
- | and change the value at the end of each line into md5 like this: | + | |
< | < | ||
host all | host all | ||
Line 203: | Line 157: | ||
</ | </ | ||
- | Now we can do DB sizing. | + | * Adjust |
- | In a file ''/ | + | * In following snippet, we presume the system has 3GB of memory |
+ | * We also log queries running longer than 200ms. | ||
+ | In a file ''/ | ||
< | < | ||
- | max_connections = 100 # (change requires restart) | + | # This is an EXAMPLE. Use the calculator to adjust for your deployment! |
- | shared_buffers = 768MB # min 128kB | + | # DB Version: 12 |
+ | # OS Type: linux | ||
+ | # DB Type: web | ||
+ | # Total Memory (RAM): 3 GB | ||
+ | # Connections num: 100 | ||
+ | # Data Storage: ssd | ||
+ | max_connections = 100 | ||
+ | shared_buffers = 768MB | ||
effective_cache_size = 2304MB | effective_cache_size = 2304MB | ||
- | work_mem = 7864kB | ||
maintenance_work_mem = 192MB | maintenance_work_mem = 192MB | ||
- | |||
- | min_wal_size = 1GB | ||
- | max_wal_size = 2GB | ||
checkpoint_completion_target = 0.7 | checkpoint_completion_target = 0.7 | ||
wal_buffers = 16MB | wal_buffers = 16MB | ||
- | |||
default_statistics_target = 100 | default_statistics_target = 100 | ||
+ | random_page_cost = 1.1 | ||
+ | effective_io_concurrency = 200 | ||
+ | work_mem = 3932kB | ||
+ | min_wal_size = 1GB | ||
+ | max_wal_size = 4GB | ||
log_min_duration_statement = 200 | log_min_duration_statement = 200 | ||
</ | </ | ||
- | Restart | + | * Restart |
- | For Debian installation, | ||
< | < | ||
- | /etc/postgresql/ | + | systemctl restart |
- | / | + | |
</ | </ | ||
- | < | + | < |
- | ===== Java - CentOS8 | + | ===== Java - CentOS8 ===== |
- | Java must be installed | + | Tomcat application server needs Java installed. |
Installation: | Installation: | ||
- | < | + | < |
- | yum install -y java-11-openjdk-headless java-11-openjdk-devel | + | dnf install -y java-11-openjdk-headless java-11-openjdk-devel |
</ | </ | ||
- | Then create the file ''/ | ||
- | <file bash java.sh> | ||
- | [ -d / | ||
- | </ | ||
- | |||
- | ===== Java - Debian ===== | ||
- | |||
- | Java must be installed before Tomcat start. It is recommended to use OpenJDK (at least 1.8) from standard OS repository. | ||
- | |||
- | Installation: | ||
- | <code bash> | ||
- | apt-get install openjdk-8-jdk-headless openjdk-8-jre-headless | ||
- | </ | ||
- | |||
- | Then create the file ''/ | ||
- | <file bash java.sh> | ||
- | [ -d / | ||
- | </ | ||
===== Tomcat ===== | ===== Tomcat ===== | ||
- | * Create a new group and add user for the tomcat to run under (for Debian, use / | + | * Create a new group and add user for the tomcat to run under: |
< | < | ||
groupadd -r tomcat | groupadd -r tomcat | ||
- | useradd -r -s /bin/nologin -g tomcat -d /opt/tomcat tomcat | + | useradd -r -s /usr/sbin/nologin -g tomcat -d /opt/tomcat tomcat |
getent passwd tomcat | getent passwd tomcat | ||
- | tomcat: | + | #tomcat: |
</ | </ | ||
Line 279: | Line 223: | ||
</ | </ | ||
- | * Download Apache Tomcat 8.5.x from the website [[https:// | + | * Download Apache Tomcat 8.5.x from the website [[https:// |
- | * In our exapmle the version is 8.5.8. | + | * In our exapmle the version is 8.5.57. |
- | * extract files from archive: | + | * extract files from the archive: |
<code bash> | <code bash> | ||
- | tar xzf apache-tomcat-8.5.8.tar.gz | + | tar xzf apache-tomcat-8.5.57.tar.gz |
</ | </ | ||
Line 292: | Line 236: | ||
<code bash> | <code bash> | ||
cd /opt/tomcat | cd /opt/tomcat | ||
- | ln -s apache-tomcat-8.5.8 current | + | ln -s apache-tomcat-8.5.57 current |
</ | </ | ||
Line 302: | Line 246: | ||
chmod 750 /opt/tomcat | chmod 750 /opt/tomcat | ||
cd / | cd / | ||
- | chmod o+rX -R ./ | + | chmod -R o+rX ./ |
chgrp -R tomcat conf/ bin/ lib/ | chgrp -R tomcat conf/ bin/ lib/ | ||
- | chmod g+rwx conf | + | chmod g+rx conf |
chmod g+r conf/* | chmod g+r conf/* | ||
chown -R tomcat webapps/ work/ temp/ logs/ | chown -R tomcat webapps/ work/ temp/ logs/ | ||
Line 324: | Line 268: | ||
[Unit] | [Unit] | ||
Description=Apache Tomcat Web Application Container | Description=Apache Tomcat Web Application Container | ||
- | After=syslog.target network.target | + | After=syslog.target network.target |
[Service] | [Service] | ||
Line 347: | Line 291: | ||
WantedBy=multi-user.target | WantedBy=multi-user.target | ||
</ | </ | ||
+ | < | ||
+ | * Values of '' | ||
+ | * Tomcat will be started under user '' | ||
+ | </ | ||
- | * Values of Xms a Xmx se are closely dependent on server sizing. If you have enough memory it is strongly advised to use Xmx 6128M or more. | + | * Reload |
- | + | ||
- | * Tomcat will be started under user '' | + | |
- | * For Debian, change the JAVA\_HOME to '' | + | |
- | * After every systemd configuration | + | |
< | < | ||
systemctl daemon-reload | systemctl daemon-reload | ||
</ | </ | ||
- | | + | |
+ | | ||
< | < | ||
systemctl start tomcat | systemctl start tomcat | ||
+ | systemctl enable tomcat | ||
</ | </ | ||
+ | |||
* Check that Tomcat runs with desirable parameters: | * Check that Tomcat runs with desirable parameters: | ||
+ | |||
<code bash> | <code bash> | ||
- | [root@tomcat1 logs]# ps -u tomcat | + | [root@tomcat1 logs]# ps -ef | grep ^tomcat |
- | UID PID PPID C STIME TTY TIME CMD | + | tomcat |
- | tomcat | + | |
</ | </ | ||
- | | + | |
+ | | ||
< | < | ||
systemctl stop tomcat | systemctl stop tomcat | ||
- | </ | ||
- | * Enable tomcat start after OS start: | ||
- | <code bash> | ||
- | systemctl enable tomcat | ||
</ | </ | ||
Line 387: | Line 333: | ||
If you want to use them, it is necessary to do following steps. | If you want to use them, it is necessary to do following steps. | ||
- | First of all, create a database user that you will use for the access to those applications. If you plan to connect to the applications remotely (not only from localhost) you have to also allow communication from your IP. | + | First of all, create a Tomcat' |
- | + | ||
- | Create user like this: | + | |
- | Create the a new user in the file ''/ | + | * Create administration user |
- | The documentation of available roles as well as overall configuration of the application is a part of application installation available at http:// | + | * Create the a new user in the file ''/ |
+ | | ||
- | The file ''/ | + | The file ''/ |
<file xml tomcat-users.xml> | <file xml tomcat-users.xml> | ||
<?xml version=" | <?xml version=" | ||
Line 410: | Line 355: | ||
</ | </ | ||
- | If you plan to connect to the applications remotely (not only from localhost) you have to also allow communication from your IP. If you see '' | + | * If you plan to connect to the applications remotely (not only from localhost) you have to also allow communication from your IP. |
+ | * If you see '' | ||
- | Add your IP address into application configuration files. In files ''/ | + | Add your IP address into application configuration files. In files ''/ |
- | In my case, I want to access | + | For example, if you want to access Tomcat' |
<file xml context.xml> | <file xml context.xml> | ||
Line 424: | Line 370: | ||
</ | </ | ||
- | Again, restart the tomcat: | + | * Again, restart the tomcat |
<code bash> | <code bash> | ||
systemctl restart tomcat | systemctl restart tomcat | ||
</ | </ | ||
- | === Apache Tomcat configuration recommended for production | + | === Apache Tomcat configuration recommended for production |
- | It is advised | + | We advise |
- | * Remove unnecessary | + | * Remove unnecessary |
<code bash> | <code bash> | ||
Line 445: | Line 391: | ||
<Server port=" | <Server port=" | ||
</ | </ | ||
- | -! CHANGED | ||
* Make Tomcat listen only on localhost: | * Make Tomcat listen only on localhost: | ||
* In the ''/ | * In the ''/ | ||
- | * In same file configure ajp port('' | ||
- | | + | * Set the '' |
+ | * In the ''/ | ||
+ | |||
+ | * In same file configure AJP port ('' | ||
+ | |||
+ | < | ||
+ | < | ||
address=" | address=" | ||
secretRequired=" | secretRequired=" | ||
Line 457: | Line 407: | ||
port=" | port=" | ||
redirectPort=" | redirectPort=" | ||
+ | </ | ||
* Do not show aplication server version: | * Do not show aplication server version: | ||
- | * In the file ''/ | + | * In the file ''/ |
<code xml> | <code xml> | ||
Line 486: | Line 436: | ||
<file txt tomcat> | <file txt tomcat> | ||
/ | / | ||
- | rotate | + | rotate |
daily | daily | ||
dateext | dateext | ||
Line 510: | Line 460: | ||
* Adjust particular SELinux labels. Example ([[https:// | * Adjust particular SELinux labels. Example ([[https:// | ||
</ | </ | ||
- | |||
- | Please note that on Debian, the log is not rotate during the first day, but after the second day. | ||
Line 528: | Line 476: | ||
<code bash> | <code bash> | ||
yum install -y httpd httpd-tools mod_ssl mod_security mod_security_crs | yum install -y httpd httpd-tools mod_ssl mod_security mod_security_crs | ||
- | </ | ||
- | |||
- | On Debian install those packages and allow modules: | ||
- | < | ||
- | apt-get install apache2 libapache2-mod-security2 modsecurity-crs | ||
- | a2enmod ssl | ||
- | a2enmod proxy | ||
- | a2enmod proxy_ajp | ||
- | a2enmod proxy_http | ||
- | a2enmod security2 | ||
- | a2enmod rewrite | ||
- | a2enmod headers | ||
</ | </ | ||
HTTPd basic configuration: | HTTPd basic configuration: | ||
- | Change MPM to worker | + | Change MPM to worker - in the file ''/ |
<code bash> | <code bash> | ||
Line 574: | Line 510: | ||
</ | </ | ||
- | Virtualhost configuration to forward the communication from port 80 to 443. Add following section and change string 'server' to the real servername in the file ''/ | + | Virtualhost configuration to forward the communication from port 80 to 443. Add following section and change string 'SERVER' to the real servername in the file ''/ |
<code xml> | <code xml> | ||
< | < | ||
Line 582: | Line 518: | ||
</ | </ | ||
- | Set the proxy in the virtualhost for https (443/tcp) - at the end of the file ''/ | + | Set the proxy in the virtualhost for https (443/tcp) - at the end of the file ''/ |
< | < | ||
+ | Protocols | ||
ProxyRequests | ProxyRequests | ||
ProxyPreserveHost on | ProxyPreserveHost on | ||
ProxyAddHeaders on | ProxyAddHeaders on | ||
- | ProxyPass / ajp:// | + | ProxyPass / ajp:// |
- | ProxyPassReverse / ajp:// | + | ProxyPassReverse / ajp:// |
</ | </ | ||
Line 607: | Line 544: | ||
</ | </ | ||
- | We also have to secure the communication. **Edit** corresponding lines in '' | + | Syntax check before httpd restart |
- | < | + | |
- | SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 | + | |
- | SSLCipherSuite ALL: | + | |
- | SSLHonorCipherOrder on | + | |
- | </ | + | |
- | < | + | |
- | + | ||
- | On Debian, create symlinks to sites-enabled: | + | |
- | < | + | |
- | cd / | + | |
- | ln -s ../ | + | |
- | ln -s ../ | + | |
- | </ | + | |
- | + | ||
- | Syntax check before httpd restart: | + | |
< | < | ||
httpd -t -D DUMP_VHOST | httpd -t -D DUMP_VHOST | ||
+ | # or apachectl configtest | ||
</ | </ | ||
Line 632: | Line 555: | ||
</ | </ | ||
+ | Allow in SELINUX to httpd connect to network: | ||
+ | < | ||
+ | / | ||
+ | </ | ||
+ | |||
Enable httpd after OS start: | Enable httpd after OS start: | ||
<code bash> | <code bash> | ||
Line 638: | Line 566: | ||
===== mod_security configuration ===== | ===== mod_security configuration ===== | ||
- | Mod_security files locations (on CentOS7): | + | Mod_security files locations (on CentOS8): |
* Audit log: ''/ | * Audit log: ''/ | ||
* Directory with activated rules: ''/ | * Directory with activated rules: ''/ | ||
- | * basic configuration file for mod\_security: | + | * basic configuration file for mod\_security: |
* The file for chosen rules deactivation: | * The file for chosen rules deactivation: | ||
Line 657: | Line 585: | ||
==== Disabling mod_security rules ==== | ==== Disabling mod_security rules ==== | ||
- | In the file ''/ | + | These rules are disabled for modsec_crs 3.0. |
+ | |||
+ | In the file ''/ | ||
<code xml> | <code xml> | ||
< | < | ||
- | SecRuleRemoveById | + | SecRuleRemoveById |
- | SecRuleRemoveById | + | SecRuleRemoveById |
- | SecRuleRemoveById | + | SecRuleRemoveById |
+ | | ||
+ | | ||
# Allow Czech signs | # Allow Czech signs | ||
- | SecRuleRemoveById | + | SecRuleRemoveById |
- | SecRuleRemoveById | + | SecRuleRemoveById |
- | SecRuleRemoveById | + | SecRuleRemoveById |
- | SecRuleRemoveById | + | SecRuleRemoveById |
| | ||
# Too restrictive for login format | # Too restrictive for login format | ||
- | SecRuleRemoveById | + | SecRuleRemoveById |
+ | |||
# Needed by Websockets | # Needed by Websockets | ||
< | < | ||
- | SecRuleRemoveById | + | SecRuleRemoveById |
</ | </ | ||
| | ||
- | # These break Certificate Authority module | ||
- | < | ||
- | SecRuleRemoveById 960915 | ||
- | SecRuleRemoveById 200003 | ||
- | </ | ||
- | |||
- | # Modsec can throw false positives on some files due to multipart boundary check | ||
- | < | ||
- | SecRuleRemoveById 960915 | ||
- | SecRuleRemoveById 200003 | ||
- | </ | ||
- | |||
# do not log request/ | # do not log request/ | ||
SecAuditLogParts ABFHZ | SecAuditLogParts ABFHZ | ||
Line 695: | Line 615: | ||
</ | </ | ||
- | ==== mod_security configuration - CentOS7 | + | ==== mod_security configuration - CentOS8 |
- | In the file / | + | Edit the file '' |
- | Whole rule after the changes looks like this: | + | |
+ | * find the rule '' | ||
< | < | ||
- | SecAction | + | # Default HTTP policy: allowed_methods (rule 900200) |
- | "id:' | + | SecRule & |
- | phase:1, \ | + | "id:901160,\ |
- | | + | phase:1,\ |
- | setvar:' | + | pass,\ |
- | setvar:' | + | |
- | setvar:' | + | |
- | setvar:' | + | |
- | setvar:' | + | |
- | nolog, \ | + | |
- | pass" | + | |
</ | </ | ||
- | ==== mod_security configuration - Debian ==== | + | * find the rule '' |
- | Enable mod\_security configuration: | + | |
- | < | + | |
- | cd /etc/ | + | |
- | cp modsecurity.conf-recommended modsecurity.conf | + | |
- | </ | + | |
- | Uncomment following rules in the ''/ | ||
< | < | ||
- | SecAction \ | + | # Default HTTP policy: allowed_request_content_type (rule 900220) |
- | " | + | SecRule &TX:allowed_request_content_type "@eq 0" \ |
- | phase:1,\ | + | "id:901162,\ |
- | nolog,\ | + | phase:1,\ |
- | pass,\ | + | pass,\ |
- | t:none,\ | + | nolog,\ |
- | setvar:' | + | setvar:' |
- | + | ||
- | SecAction | + | |
- | " | + | |
- | phase:1,\ | + | |
- | | + | |
- | | + | |
- | | + | |
- | setvar:' | + | |
</ | </ | ||
Line 779: | Line 682: | ||
</ | </ | ||
- | ===== Workaround for slow HTTPD shutdown ===== | ||
- | In some RHEL/CentOS versions Apache HTTPD shutsdown or restarts itself very slowly. It is caused by [[https:// | ||
- | Workaround is to edit '''/ | ||
- | < | ||
- | KillMode=none | ||
- | </ | ||
- | Then reload systemd: | ||
- | |||
- | < | ||
- | systemctl daemon-reload | ||
- | </ | ||
- | |||
- | It is absolutely correct to create new versions of unity in /etc, that has the option: | ||
- | |||
- | < | ||
- | cp / | ||
- | vim / | ||
- | systemctl daemon-reload | ||
- | </ | ||
- | |||
- | The patch of httpd should come soon so the first option is OK too. | ||
- | |||
- | ===== SSO ===== | ||
- | |||
- | If you want to enable SSO to CzechIdM, additional configuration must be done with mod\_auth\_kerb. See [[tutorial: | ||
- | |||
- | ====== nginx as reverse proxy ====== | ||
- | |||
- | In case that you want to use nginx instead of Apache httpd, the configuration is as follows. | ||
- | |||
- | <code ini> | ||
- | server { | ||
- | listen | ||
- | server_name | ||
- | client_max_body_size 1G; | ||
- | ssl on; | ||
- | ssl_certificate | ||
- | ssl_certificate_key | ||
- | gzip on; | ||
- | gzip_proxied any; | ||
- | gzip_types | ||
- | text/css | ||
- | | ||
- | text/xml | ||
- | | ||
- | application/ | ||
- | | ||
- | application/ | ||
- | |||
- | location / { | ||
- | proxy_hide_header X-Frame-Options; | ||
- | add_header X-Frame-Options SAMEORIGIN; | ||
- | proxy_pass http:// | ||
- | proxy_set_header Host $host; | ||
- | proxy_set_header X-Real-IP $remote_addr; | ||
- | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
- | proxy_set_header X-Forwarded-Proto " | ||
- | proxy_ssl_session_reuse off; | ||
- | proxy_redirect off; | ||
- | |||
- | # WebSocket support | ||
- | proxy_http_version 1.1; | ||
- | proxy_set_header Upgrade $http_upgrade; | ||
- | proxy_set_header Connection " | ||
- | } | ||
- | } | ||
- | </ | ||