forked from NVIDIA-AI-Blueprints/vulnerability-analysis
nginx_cache.conf
# Let nginx pick the worker count from the number of available CPU cores.
worker_processes auto;

# Per-worker connection limit; the figure counts client and upstream
# connections together.
events {
    worker_connections 1024;
}
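http {
    # Send the upstream host name via SNI when proxying to HTTPS upstreams.
    proxy_ssl_server_name on;

    # On-disk caches: a 10 MB key zone each, at most 20 GB of data, and entries
    # dropped after 14 days without being requested.
    proxy_cache_path /server_cache_llm levels=1:2 keys_zone=llm_cache:10m max_size=20g inactive=14d use_temp_path=off;
    proxy_cache_path /server_cache_intel levels=1:2 keys_zone=intel_cache:10m max_size=20g inactive=14d use_temp_path=off;

    error_log /dev/stdout info;

    # Access logs must not contain credentials. These maps reduce an
    # Authorization value to its scheme (e.g. "Bearer") plus a redaction
    # marker, so the log still shows whether a credential was sent without
    # writing the token or API key to container stdout or
    # /var/log/nginx/access.log.
    map $http_authorization $log_authorization {
        default                              "-";
        "~^(?<log_auth_scheme>\S+)\s+\S"     "$log_auth_scheme [REDACTED]";
        "~."                                 "[REDACTED]";
    }

    # $nvai_http_authorization is not defined in this file; it is presumably
    # provided by /etc/nginx/conf.d/variables/*.conf - confirm.
    map $nvai_http_authorization $log_nvai_authorization {
        default                              "-";
        "~^(?<log_nvai_auth_scheme>\S+)\s+\S" "$log_nvai_auth_scheme [REDACTED]";
        "~."                                 "[REDACTED]";
    }

    # Timing-oriented format. The separating space before rt= keeps the user
    # agent and the first timing field from running together.
    log_format upstream_time '$remote_addr - $remote_user [$time_local] '
                             '"$request" $status $body_bytes_sent '
                             '"$http_referer" "$http_user_agent" '
                             'rt=$request_time uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"';

    # Cache-oriented formats. "Auth:" carries only the redacted form produced
    # by the maps above, never the raw header value.
    log_format cache_log '[$time_local] ($upstream_cache_status) "$request" $status - $body_bytes_sent bytes {$remote_addr} "$http_user_agent" $request_time - $connection_requests. Auth: $log_authorization';
    log_format no_cache_log '[$time_local] (BYPASSED) "$request" $status - $body_bytes_sent bytes {$remote_addr} "$http_user_agent" $request_time - $connection_requests. Auth: $log_authorization';
    log_format mirror_log '[$time_local] (MIRROR) "$request" $status - $body_bytes_sent bytes {$remote_addr} "$http_user_agent" $request_time - $connection_requests. Auth: $log_authorization';
    log_format nvai_cache_log '[$time_local] ($upstream_cache_status) "$request" $status - $body_bytes_sent bytes {$remote_addr} "$http_user_agent" $request_time - $connection_requests. Auth: $log_authorization. Final Auth: $log_nvai_authorization';

    include /etc/nginx/conf.d/variables/*.conf;

    # $cache_bypass is 1 only when the request's Cache-Control header is
    # exactly "no-cache"; any other value leaves it empty.
    map $http_cache_control $cache_bypass {
        no-cache 1;
    }

    # Log to stdout and a file for searchability
    access_log /dev/stdout cache_log;
    access_log /var/log/nginx/access.log cache_log;
    # NOTE(review): /dev/stdout is already an error_log target earlier in this
    # block; the repeat looks redundant - confirm before removing either one.
    error_log /dev/stdout info;
    error_log /var/log/nginx/error.log info;

    server {
        # Plain-HTTP listener, so Authorization headers reach this proxy
        # unencrypted on this hop.
        # NOTE(review): confirm port 80 is reachable only from the compose
        # network and is not published on an external interface.
        listen 80;
        server_name localhost;

        proxy_http_version 1.1;

        # Headers to Add
        # proxy_set_header Host $host;
        # An empty Connection header lets upstream connections be kept alive.
        proxy_set_header Connection '';

        # Headers to Remove
        # Upstream Cache-Control (including private / no-store) and Set-Cookie
        # no longer prevent a response from being cached, and Set-Cookie is
        # stripped from what clients receive.
        # NOTE(review): locations that enable proxy_cache (presumably in
        # routes/*.conf) should use a cache key that keeps responses which
        # differ per credential apart, since upstream "private" hints are
        # ignored here.
        proxy_ignore_headers Cache-Control;
        proxy_ignore_headers "Set-Cookie";
        proxy_hide_header "Set-Cookie";

        # Proxy Buffer Config
        proxy_busy_buffers_size 1024k;
        proxy_buffers 4 512k;
        proxy_buffer_size 1024k;

        # Proxy validity
        # 200 and 202 responses stay valid for 14 days.
        proxy_cache_valid 200 202 14d;
        proxy_read_timeout 8m;
        # Serve a stale entry rather than an error when the upstream fails or
        # while the entry is being refreshed in the background.
        proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
        proxy_cache_background_update on;
        # Only one request at a time populates a missing cache entry.
        proxy_cache_lock on;
        # Any client can force an upstream fetch by sending
        # "Cache-Control: no-cache". No proxy_no_cache is set here, so the
        # fresh response can still be stored and replace the cached entry.
        proxy_cache_bypass $cache_bypass;

        # When considering what the "base_url" should be, consider the following:
        # - The base_url should be the unchangeable part of the URL for any request to that API
        # - If the API uses versioning, the version should be included in the base_url
        # - If the API is a subpath of a larger API, the base_url should be the path to the API
        # - Examples:
        #   - GET `https://api.first.org/data/v1/epss` => base_url=`https://api.first.org/data/v1`
        #   - GET `https://services.nvd.nist.gov/rest/json/cves/2.0` => base_url=`https://services.nvd.nist.gov/rest`

        # Configure a resolver to use for DNS resolution. This uses the Docker DNS resolver
        # See https://tenzer.dk/nginx-with-dynamic-upstreams/ for why this is necessary
        resolver 127.0.0.11 [::1]:5353 valid=60s;

        # rewrite_log on;

        ################ Docker Compose Services #################

        # Force nginx to resolve morpheus-vuln-analysis each call to allow starting this before starting the service
        set $morpheus_vuln_analysis_upstream "http://morpheus-vuln-analysis:26466";

        location /scan {
            proxy_pass $morpheus_vuln_analysis_upstream;
            proxy_http_version 1.1;
            # Declaring proxy_set_header here replaces the server-level set,
            # so the empty Connection header above does not apply to /scan.
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
        }

        # Include any additional routes from the routes directory
        include /etc/nginx/conf.d/routes/*.conf;

        ################### Redirect Handling ####################

        # Named location; nothing in this file dispatches to it, so the
        # error_page / proxy_intercept_errors wiring presumably lives in
        # routes/*.conf - confirm.
        location @handle_redirects {
            # store the current state of the world so we can reuse it in a minute
            # We need to capture these values now, because as soon as we invoke
            # the proxy_* directives, these will disappear
            set $original_uri $uri;
            set $orig_loc $upstream_http_location;

            # nginx goes to fetch the value from the upstream Location header
            # NOTE(review): the target is whatever the upstream put in
            # Location; nothing in this block restricts its scheme or host.
            # Routes that dispatch here should front trusted upstreams only,
            # or $orig_loc should be checked against an allow-list first.
            proxy_pass $orig_loc;
            proxy_cache llm_cache;

            # But we store the result with the cache key of the original request URI
            # so that future clients don't need to follow the redirect too
            # NOTE(review): $uri is the normalized path without the query
            # string, and the key has no host component, so requests that
            # differ only in arguments or upstream share one llm_cache entry -
            # confirm that is intended.
            proxy_cache_key $original_uri;
            proxy_cache_valid 200 206 14d;
        }
    }
}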