cloudron-box/src/nginxconfig.ejs

# http://nginx.org/en/docs/http/websocket.html
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

# http server
server {
    listen       80;
<% if (hasIPv6) { -%>
    listen       [::]:80;
<% } -%>

<% if (vhost) { -%>
    server_name  <%= vhost %>;
<% } else { -%>
    # IP based access from collectd or initial cloudron setup. TODO: match the IPv6 address
    server_name  "~^\d+\.\d+\.\d+\.\d+$";

    # collectd
    location /nginx_status {
        stub_status on;
        access_log off;
        allow 127.0.0.1;
        deny all;
    }
<% } -%>

    # acme challenges (for cert renewal where the vhost config exists)
    location /.well-known/acme-challenge/ {
        default_type text/plain;
        alias /home/yellowtent/platformdata/acme/;
    }

    location / {
        # redirect everything to HTTPS
        return 301 https://$host$request_uri;
    }
}

# https server
server {
<% if (vhost) { -%>
    server_name  <%= vhost %>;
    listen       443 ssl http2;
<% if (hasIPv6) { -%>
    listen       [::]:443 ssl http2;
<% } -%>
<% } else { -%>
    listen       443 ssl http2 default_server;
<% if (hasIPv6) { -%>
    listen       [::]:443 ssl http2 default_server;
<% } -%>
<% } -%>

    # paths are relative to prefix and not to this file
    ssl_certificate      <%= certFilePath %>;
    ssl_certificate_key  <%= keyFilePath %>;
    ssl_session_timeout  5m;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;

    # https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
    # https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices#25-use-forward-secrecy
    # ciphers according to https://ssl-config.mozilla.org/#server=nginx&version=1.14.0&config=intermediate&openssl=1.1.1&guideline=5.4
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256;
    ssl_prefer_server_ciphers off;

    ssl_dhparam /home/yellowtent/boxdata/dhparams.pem;
    add_header Strict-Transport-Security "max-age=15768000";

    # https://github.com/twitter/secureheaders
    # https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Compatibility_Matrix
    # https://wiki.mozilla.org/Security/Guidelines/Web_Security
    add_header X-XSS-Protection "1; mode=block";
    proxy_hide_header X-XSS-Protection;
    add_header X-Download-Options "noopen";
    proxy_hide_header X-Download-Options;
    add_header X-Content-Type-Options "nosniff";
    proxy_hide_header X-Content-Type-Options;
    add_header X-Permitted-Cross-Domain-Policies "none";
    proxy_hide_header X-Permitted-Cross-Domain-Policies;
    add_header Referrer-Policy "no-referrer-when-downgrade";
    proxy_hide_header Referrer-Policy;

    # gzip responses that are > 50k and not images
    gzip on;
    gzip_min_length 50k;
    gzip_types text/css text/javascript text/xml text/plain application/javascript application/x-javascript application/json;

    # enable for proxied requests as well
    gzip_proxied any;

<% if ( endpoint === 'admin' ) { -%>
    # CSP headers for the admin/dashboard resources
    add_header Content-Security-Policy "default-src 'none'; frame-src 'self' cloudron.io *.cloudron.io; connect-src wss: https: 'self' *.cloudron.io; script-src https: 'self' 'unsafe-inline' 'unsafe-eval'; img-src * data:; style-src https: 'unsafe-inline'; object-src 'none'; font-src https: 'self'; frame-ancestors 'none'; base-uri 'none'; form-action 'self';";
<% } else { %>
    <% if (cspQuoted) { %>
    add_header Content-Security-Policy <%- cspQuoted %>;
    <% } %>

    <% for (var i = 0; i < hideHeaders.length; i++) { -%>
    proxy_hide_header <%- hideHeaders[i] %>;
    <% } %>
<% } -%>

    proxy_http_version 1.1;
    # intercept errors (>= 400) and use the error_page handler
    proxy_intercept_errors on;
    # nginx will return 504 on connect/timeout errors
    proxy_read_timeout       3500;
    proxy_connect_timeout    3250;

    proxy_set_header   Host               $host;
    proxy_set_header   X-Forwarded-For    $remote_addr;
    proxy_set_header   X-Forwarded-Host   $host;
    proxy_set_header   X-Forwarded-Port   $server_port;
    proxy_set_header   X-Forwarded-Proto  https;
    proxy_set_header   X-Forwarded-Ssl    on;

    # upgrade is a hop-by-hop header (http://nginx.org/en/docs/http/websocket.html)
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

    # only serve up the status page if we get proxy gateway errors
    root <%= sourceDir %>/dashboard/dist;
    # some apps use 503 to indicate updating or maintenance
    error_page 502 504 /app_error_page;
    location /app_error_page {
        root /home/yellowtent/boxdata;
        # the first argument looks for file under the root
        try_files /custom_pages/$request_uri /custom_pages/app_not_responding.html /appstatus.html;
        # internal means this is for internal routing and cannot be accessed as URL from browser
        internal;
    }

    location @wellknown-upstream {
<% if ( endpoint === 'admin' ) { %>
        proxy_pass http://127.0.0.1:3000;
<% } else if ( endpoint === 'app' ) { %>
        proxy_pass http://127.0.0.1:<%= port %>;
<% } else if ( endpoint === 'redirect' ) { %>
        return 302 https://<%= redirectTo %>$request_uri;
<% } %>
    }

    # user defined .well-known resources
    location ~ ^/.well-known/(.*)$ {
        root /home/yellowtent/boxdata/well-known/$host;
        try_files /$1 @wellknown-upstream;
    }

    location / {
        # increase the proxy buffer sizes to not run into buffer issues (http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffers)
        proxy_buffer_size       128k;
        proxy_buffers           4 256k;
        proxy_busy_buffers_size 256k;

        # No buffering to temp files, it fails for large downloads
        proxy_max_temp_file_size 0;

        # Disable check to allow unlimited body sizes. this allows apps to accept whatever size they want
        client_max_body_size 0;

<% if (robotsTxtQuoted) { %>
        location = /robots.txt {
            return 200 <%- robotsTxtQuoted %>;
        }
<% } %>

<% if ( endpoint === 'admin' ) { %>
        location /api/ {
            proxy_pass   http://127.0.0.1:3000;
            client_max_body_size 1m;
        }

        location ~ ^/api/v1/(developer|session)/login$ {
            proxy_pass   http://127.0.0.1:3000;
            client_max_body_size 1m;
            limit_req zone=admin_login burst=5;
        }

        # the read timeout is between successive reads and not the whole connection
        location ~ ^/api/v1/apps/.*/exec$ {
            proxy_pass   http://127.0.0.1:3000;
            proxy_read_timeout 30m;
        }

        location ~ ^/api/v1/apps/.*/upload$ {
            proxy_pass   http://127.0.0.1:3000;
            client_max_body_size 0;
        }

        # graphite paths (uncomment block below and visit /graphite-web/dashboard)
        # remember to comment out the CSP policy as well to access the graphite dashboard
        # location ~ ^/graphite-web/ {
        #     proxy_pass   http://127.0.0.1:8417;
        #     client_max_body_size 1m;
        # }

        location / {
            root   <%= sourceDir %>/dashboard/dist;
            index  index.html index.htm;
        }
<% } else if ( endpoint === 'app' ) { %>
        proxy_pass http://127.0.0.1:<%= port %>;
<% } else if ( endpoint === 'redirect' ) { %>
        # redirect everything to the app. this is temporary because there is no way
        # to clear a permanent redirect on the browser
        return 302 https://<%= redirectTo %>$request_uri;
<% } %>
    }
}