kx-waf/templates/nginx_template.j2

upstream {{ upstream_name }} {
    hash $remote_addr consistent;
    zone {{ zone }} 64k;
    server {{ backend1 }}:{{ backend1_port }}; # Use your own IP address
    server {{ backend2 }}:{{ backend2_port }};
    keepalive 120;
}

server {
   listen 80;
   server_name {{ URL }};
   return 301 https://{{ URL }}$request_uri;
}

server {
   listen 443 ssl;
   server_name {{ URL }};
   ssl_certificate  /etc/ssl/client/{{ URL }}.cer; # Client Supplied Certificate
   ssl_certificate_key  /etc/ssl/client/{{ URL }}.key; # Client Supplied Certificate
   ssl_prefer_server_ciphers on;
   ssl_protocols TLSv1.2 TLSv1.3;
   access_log /var/log/nginx/{{ URL }}.access.log main ;
   access_log syslog:server={{ SIEM_IP }}:514,tag=nginx,severity=info;
   error_log /var/log/nginx/{{ URL }}.error.log;
   error_log syslog:server={{ SIEM_IP }}:514,tag=nginx_error,severity=warn;
   status_zone {{ status_zone }};

### WAF Component ###
   include conf.d/00-waf_enable.conf;
### WAF Component ###

   location / {
        proxy_pass         http://{{ upstream_name }}/;
        proxy_set_header   Origin http{{ saml_yes }}://{{ URL }};
        proxy_hide_header  Access-Control-Allow-Origin;
        add_header         Access-Control-Allow-Origin $http_origin;
        proxy_set_header   Host {{ URL }}; # Required if Proxy Header is needed
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   X-Forwarded-For $remote_addr;

### Web Sockets (wss) ###
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
### Web Sockets (wss) ###
    }
}
Adding stuff 2024-12-18 11:46:51 +00:00			`upstream {{ upstream_name }} {`
			`hash $remote_addr consistent;`
			`zone {{ zone }} 64k;`
			`server {{ backend1 }}:{{ backend1_port }}; # Use your own IP address`
			`server {{ backend2 }}:{{ backend2_port }};`
			`keepalive 120;`
			`}`

			`server {`
			`listen 80;`
			`server_name {{ URL }};`
			`return 301 https://{{ URL }}$request_uri;`
			`}`

			`server {`
			`listen 443 ssl;`
			`server_name {{ URL }};`
			`ssl_certificate /etc/ssl/client/{{ URL }}.cer; # Client Supplied Certificate`
			`ssl_certificate_key /etc/ssl/client/{{ URL }}.key; # Client Supplied Certificate`
			`ssl_prefer_server_ciphers on;`
			`ssl_protocols TLSv1.2 TLSv1.3;`
			`access_log /var/log/nginx/{{ URL }}.access.log main ;`
			`access_log syslog:server={{ SIEM_IP }}:514,tag=nginx,severity=info;`
			`error_log /var/log/nginx/{{ URL }}.error.log;`
			`error_log syslog:server={{ SIEM_IP }}:514,tag=nginx_error,severity=warn;`
			`status_zone {{ status_zone }};`

			`### WAF Component ###`
			`include conf.d/00-waf_enable.conf;`
			`### WAF Component ###`

			`location / {`
			`proxy_pass http://{{ upstream_name }}/;`
			`proxy_set_header Origin http{{ saml_yes }}://{{ URL }};`
			`proxy_hide_header Access-Control-Allow-Origin;`
			`add_header Access-Control-Allow-Origin $http_origin;`
			`proxy_set_header Host {{ URL }}; # Required if Proxy Header is needed`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $remote_addr;`

			`### Web Sockets (wss) ###`
			`proxy_http_version 1.1;`
			`proxy_set_header Upgrade $http_upgrade;`
			`proxy_set_header Connection $connection_upgrade;`
			`### Web Sockets (wss) ###`
			`}`
			`}`