Solved

TAS Reverse Proxy

  • 20 December 2019
  • 2 replies
  • 1000 views


Does anyone have any documentation they can share on using a reverse proxy with a Touch App Server?


Best answer by Charith Epasinghe 26 December 2019, 09:23


2 replies


Dear @ctaylor56,

Please find below the F1 documentation guide, which will help you to set up a reverse proxy.

Hope this helps. 

I would like to add a couple more nginx options to the defaults provided by the F1 documentation for future explorers.


### The map blocks must sit in the http context (a file under conf.d/ is included
### there); everything from "server {" onward is the virtual host for IFS.

### If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
### scheme used to connect to this server
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
    default $http_x_forwarded_proto;
    '' $scheme;
}

### If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
### server port the client connected to
map $http_x_forwarded_port $proxy_x_forwarded_port {
    default $http_x_forwarded_port;
    '' $server_port;
}

### If we receive Upgrade, set Connection to "upgrade"; otherwise, send
### Connection "close" so a stale Connection header is never forwarded
map $http_upgrade $proxy_connection {
    default upgrade;
    '' close;
}

### Set appropriate X-Forwarded-Ssl header
map $scheme $proxy_x_forwarded_ssl {
    default off;
    https on;
}

server {
    ### Common NGINX defaults
    listen 443 ssl http2;
    server_name ifs.domain.name;
    access_log /var/logs/nginx/ifs.log;
    error_log /var/logs/nginx/ifs_error.log info;

    ### Set common proxy options
    ## Disable buffering (send to the client as soon as the data is received from IFS)
    proxy_buffering off;
    proxy_redirect off;
    ## Set the timeouts depending on the usage of the IFS Applications.
    ## The values should be correlated with the timeouts in the Middleware Server configuration_{instance}.xml file
    proxy_connect_timeout 60s;
    proxy_send_timeout 600s;
    proxy_read_timeout 600s;

    ### Set proxy headers for IFS
    ## NOTE: proxy_set_header directives are inherited from this level only if the
    ## location block below defines none of its own, so every header is kept up here.
    proxy_http_version 1.1;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    ## With ngx_http_realip_module $remote_addr already holds the client IP, so the
    ## original chain plus $realip_remote_addr is forwarded; if not using the module,
    ## change '$http_x_forwarded_for,$realip_remote_addr' to $proxy_add_x_forwarded_for
    proxy_set_header X-Forwarded-For '$http_x_forwarded_for,$realip_remote_addr';
    ## If $scheme does not work, try "$proxy_x_forwarded_proto"
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
    proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
    ## Websockets (Connection comes from the $proxy_connection map above)
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $proxy_connection;
    proxy_set_header Sec-WebSocket-Extensions $http_sec_websocket_extensions;
    proxy_set_header Sec-WebSocket-Key $http_sec_websocket_key;
    proxy_set_header Sec-WebSocket-Version $http_sec_websocket_version;
    ## Mitigate the httpoxy attack: never forward a client-supplied Proxy header
    proxy_set_header Proxy "";

    ### Set common security headers
    ## add_header without "always" is applied to 2xx/3xx responses only, so error pages go out without these
    add_header Strict-Transport-Security max-age=15768000;
    add_header Referrer-Policy strict-origin-when-cross-origin;
    add_header X-Frame-Options deny;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Permissions-Policy "geolocation=(self), midi=(self), sync-xhr=(self), microphone=(self), camera=(self), magnetometer=(self), gyroscope=(self), fullscreen=(self), payment=(self)";
    ## WARNING: be very careful enabling the Content Security Policy... it will most likely break your IFS site
    ## Report-Only without a report-to/report-uri directive only logs violations in the browser console
    add_header Content-Security-Policy-Report-Only "default-src 'none'; base-uri 'self'; font-src 'self' data:; media-src 'self' data: blob:; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https:; worker-src * blob:; frame-src 'self'; connect-src 'self' https: wss:; object-src 'self'; frame-ancestors 'self'; form-action 'self'; manifest-src 'self'; script-src-elem 'self' 'unsafe-inline'";

    ### Parameters for SSL/TLS configuration (disable anything below TLSv1.2)
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ## Ciphers should be the same as the ciphers in the Middleware Server configuration_{instance}.xml file
    ## (the list below is cut off in the original post; complete it from that file)
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA;
    ## Location of the public certificate chain and private key
    ssl_certificate /etc/letsencrypt/live/ifs.domain.name/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/ifs.domain.name/privkey.pem;
    ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_session_timeout 5m;
    ssl_stapling on;
    ssl_stapling_verify on;
    ## If you have lots of 500 errors, you can increase this to 8000
    ssl_buffer_size 4000;

    ### If you run long queries or have complex quick reports, consider increasing this to 1800s (30 minutes)
    send_timeout 600s;

    ### Set the maximum allowed size of the client request body.
    ### This should be set depending on the requests to the IFS Applications (eg: document upload or integration body size)
    ### If your uploads are small, you can decrease this to 25m
    client_max_body_size 100m;

    ### Use gzip to compress common file types
    gzip on;
    gzip_vary on;
    gzip_min_length 1000;
    gzip_proxied any;
    gzip_types text/plain text/css text/xml application/xml text/javascript application/x-javascript image/svg+xml;
    gzip_disable "MSIE [1-6]\.";

    ### Redirect traffic from the reverse proxy to IFS
    location / {
        ## Please change the following line to point to your IFS instance, syntax IP:PORT
        ## If your IFS instance is using/requiring https, you must change http:// to https://
        proxy_pass http://[INTERNAL-IFS-IP-ADDRESS]:[INTERNAL-IFS-PORT]/;
        ## Disable the verification of the proxied HTTPS server certificate (eg: MWS certificate).
        ## Instead of this flag you can set proxy_ssl_verify on and point proxy_ssl_trusted_certificate at the MWS CA certificate
        ## Note: this might violate the corporate security policy of the customer.
        proxy_ssl_verify off;
        ## Keep idle WebSocket connections open for a day (overrides the 600s set above)
        proxy_read_timeout 86400;
    }
}
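A quick way to confirm that the security headers from the add_header block are actually reaching clients is to audit a captured response. The following is an added example, not code from the post or from IFS; the two responses are constructed inline and the header names and values are the ones used in the configuration above.

```python
import re
from io import BytesIO
from http.client import parse_headers

# Minimum HSTS lifetime, taken from the add_header line in the configuration above.
HSTS_MIN_AGE = 15768000

def _hsts_ok(value):
    """max-age must be present and at least the configured lifetime."""
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return m is not None and int(m.group(1)) >= HSTS_MIN_AGE

# Header -> predicate on its value; mirrors the add_header block above.
EXPECTED = {
    "Strict-Transport-Security": _hsts_ok,
    "Referrer-Policy": lambda v: v.strip().lower() == "strict-origin-when-cross-origin",
    "X-Frame-Options": lambda v: v.strip().lower() == "deny",
    "X-Content-Type-Options": lambda v: v.strip().lower() == "nosniff",
    "Permissions-Policy": lambda v: "camera=(self)" in v.replace(" ", ""),
}

def audit_response(raw):
    """Parse one raw HTTP/1.1 response; return (status, {header: verdict}).
    Verdict is 'ok', 'missing' or 'weak'. Without "always", nginx add_header
    skips non-success responses, so a 5xx from the backend reads 'missing'."""
    status_line, _, rest = raw.partition(b"\r\n")
    status = int(status_line.split()[1])
    headers = parse_headers(BytesIO(rest))   # case-insensitive lookup
    verdicts = {}
    for name, check in EXPECTED.items():
        value = headers.get(name)
        if value is None:
            verdicts[name] = "missing"
        else:
            verdicts[name] = "ok" if check(value) else "weak"
    return status, verdicts

# Constructed sample responses (not captured from a real TAS deployment).
GOOD_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Strict-Transport-Security: max-age=15768000\r\n"
    b"Referrer-Policy: strict-origin-when-cross-origin\r\n"
    b"X-Frame-Options: deny\r\nX-Content-Type-Options: nosniff\r\n"
    b"Permissions-Policy: geolocation=(self), camera=(self)\r\n"
    b"Content-Type: text/html\r\n\r\n<html></html>"
)
ERROR_RESPONSE = (   # backend error page, with a short HSTS value to exercise 'weak'
    b"HTTP/1.1 502 Bad Gateway\r\nStrict-Transport-Security: max-age=300\r\n"
    b"Content-Type: text/html\r\n\r\n<html>502</html>"
)
```

Feed it the raw bytes of a response captured with curl -i or a packet capture; any 'missing' verdict on a 200 page means the header never left the proxy.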

