Note: These parameters are not intended to be a complete NGINX proxy configuration, but should be considered as a starting point/checklist of viable parameters that IFS Applications depend on. Other NGINX parameter settings and values should also be considered based on customer requirements.
# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the # scheme used to connect to this server map $http_x_forwarded_proto $proxy_x_forwarded_proto { default $http_x_forwarded_proto; '' $scheme; } # If we receive X-Forwarded-Port, pass it through; otherwise, pass along the # server port the client connected to map $http_x_forwarded_port $proxy_x_forwarded_port { default $http_x_forwarded_port; '' $server_port; } # If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any # Connection header that may have been passed to this server map $http_upgrade $proxy_connection { default upgrade; '' close; } # Set appropriate X-Forwarded-Ssl header map $scheme $proxy_x_forwarded_ssl { default off; https on; } # Set Headers proxy_set_header Host $http_host; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $proxy_connection; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto; proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl; proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port; proxy_set_header Proxy ""; # Mitigate httpoxy attack # HTTP 1.1 support proxy_http_version 1.1; # Disable buffering of responses from the proxied server. proxy_buffering off; # Parameters for SSL/TLS configuration ssl_protocols TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; # Ciphers should be same as the ciphers on Middleware Server configuration_{instance}.xml file ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4; # Disable the verification of the proxied HTTPS server certificate (eg: MWS certificate). # Note: this might violate the corporate securtiy policy of the customer. proxy_ssl_verify off; # Set the timeouts depending on the usage of the IFS Applications. # The values should be correlated with the timeouts in the Middleware Server configuration_{instance}.xml file proxy_connect_timeout 60s; proxy_send_timeout 600s; proxy_read_timeout 600s; send_timeout 600s; # Set the maximum allowed size of the client request body. # This should be set depending on the requests to the IFS Applications (eg: document upload or integrations body size) client_max_body_size 50m;