htl-reverse-proxy-tls-lab/proxy/nginx.tls.example.conf

events {
  worker_connections 1024;
}

http {
  include /etc/nginx/mime.types;
  default_type application/octet-stream;
  sendfile on;
  server_tokens off;

  upstream backend_a {
    server backend-a:80;
  }

  upstream backend_b {
    server backend-b:80;
  }

  server {
    listen 80;
    server_name _;

    location = /healthz {
      default_type text/plain;
      return 200 "ok\n";
    }

    location / {
      return 301 https://$host:8443$request_uri;
    }
  }

  server {
    listen 443 ssl;
    server_name localhost;

    ssl_certificate /etc/nginx/certs/localhost.crt;
    ssl_certificate_key /etc/nginx/certs/localhost.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # max-age im Lab bewusst kurz (1h). In Produktion eher 1 Jahr (31536000).
    # includeSubDomains weitet HSTS auf alle Subdomains aus (Produktions-Best-Practice).
    # Achtung: HSTS bleibt im Browser host-weit haengen -> siehe Warnhinweis in Challenge 12.
    add_header Strict-Transport-Security "max-age=3600; includeSubDomains" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "DENY" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
    add_header Cross-Origin-Opener-Policy "same-origin" always;
    add_header Cross-Origin-Resource-Policy "same-origin" always;
    add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; base-uri 'none'; frame-ancestors 'none'" always;

    location / {
      root /usr/share/nginx/html;
      try_files $uri $uri/ /index.html;
    }

    location /service/a {
      proxy_pass http://backend_a/;
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-Proto https;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /service/b {
      proxy_pass http://backend_b/;
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-Proto https;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
  }
}