nginx.conf

error_log /dev/stderr error;

env LOG_UUID;
env HTTPS_REDIRECT_PORT_STRING;
env ALLOW_COUNTRY_CSV;
env VERBOSE_ERROR_PAGES;
env FEEDBACK_EMAIL;

load_module modules/ngx_http_geoip2_module.so;

http {
    include /usr/local/openresty/nginx/conf/nginx_statsd_server.conf;

    # get CN
    map $ssl_client_s_dn $ssl_client_s_dn_cn {
        default "should_not_happen";
        ~/CN=(?<CN>[^/]+) $CN;
    }
    include /usr/local/openresty/naxsi/*.rules;
    include /usr/local/openresty/nginx/conf/resolver.conf;
    include /usr/local/openresty/nginx/conf/nginx_rate_limits*.conf;
    include /usr/local/openresty/nginx/conf/nginx_geoip_init.conf;
    include mime.types;
    default_type application/octet-stream;

    lua_package_path 'conf/?.lua;./nginx/lua/?.lua;;';

    # Compression

    # Enable Gzip compressed.
    gzip on;

    # Compression level (1-9).
    # 5 is a perfect compromise between size and cpu usage, offering about
    # 75% reduction for most ascii files (almost identical to level 9).
    gzip_comp_level    5;

    # Don't compress anything that's already small and unlikely to shrink much
    # if at all (the default is 20 bytes, which is bad as that usually leads to
    # larger files after gzipping).
    gzip_min_length    256;

    # Compress data even for clients that are connecting to us via proxies,
    # identified by the "Via" header (required for CloudFront).
    gzip_proxied       any;

    # Tell proxies to cache both the gzipped and regular version of a resource
    # whenever the client's Accept-Encoding capabilities header varies;
    # Avoids the issue where a non-gzip capable client (which is extremely rare
    # today) would display gibberish if their proxy gave them the gzipped version.
    gzip_vary          on;

    # Compress all output labeled with one of the following MIME-types.
    gzip_types
      application/atom+xml
      application/javascript
      application/json
      application/ld+json
      application/manifest+json
      application/rss+xml
      application/vnd.geo+json
      application/vnd.ms-fontobject
      application/x-font-ttf
      application/x-web-app-manifest+json
      application/xhtml+xml
      application/xml
      font/opentype
      image/bmp
      image/svg+xml
      image/x-icon
      text/cache-manifest
      text/css
      text/plain
      text/vcard
      text/vnd.rim.location.xloc
      text/vtt
      text/x-component
      text/x-cross-domain-policy;
    # text/html is always compressed by HttpGzipModule

    include /usr/local/openresty/nginx/conf/logging.conf;
    include /usr/local/openresty/nginx/conf/upload_size*.conf;
    include /usr/local/openresty/nginx/conf/nginx_http_extras*.conf;

    include /usr/local/openresty/nginx/conf/security_defaults.conf;

  # Accept underscores in headers as NAXSI does this
  underscores_in_headers on;

  server {
    include /usr/local/openresty/nginx/conf/nginx_statsd_metrics.conf;
    include /usr/local/openresty/nginx/conf/response_body.conf;
        # Optionally listen to proxy protocol:
        include  /usr/local/openresty/nginx/conf/nginx_listen.conf;

        # These should be volume added:
        include /usr/local/openresty/nginx/conf/server_certs.conf;

        # Optionally include client cert config:
        include /usr/local/openresty/nginx/conf/client_certs*.conf;

        # Set the correct host name from the request header...
        server_name $host;
        # Dont publish the version we are running
        server_tokens off;

        set_by_lua_file $https_port_string lua/get_env.lua 'HTTPS_REDIRECT_PORT_STRING';
        # Will redirect requests not on https if HTTPS_REDIRECT=TRUE (the default)
        include /usr/local/openresty/nginx/conf/ssl_redirect.conf ;

        # Will set $country_code variables:
        set $country_code '??';

        include /usr/local/openresty/nginx/conf/nginx_server_extras*.conf ;
        include /usr/local/openresty/nginx/conf/nginx_geoip.conf;

        set $uuid_log_opt '';
        set $uuid '';
        # Generate a unique ID for use in logs for passing onto applications
        set_by_lua_file $uuidopt /usr/local/openresty/nginx/lua/set_uuid.lua;

        location /nginx-proxy/ {
            alias /usr/local/openresty/nginx/html/;
            ssi on;
            error_page 404 /nginx-proxy/404.shtml;
            allow all;
        }
        location /ping {
            return 200;
        }

        location /RequestDenied {
            # Proxy to ourselves in order to access NAXSI debugging headers
            proxy_pass https://127.0.0.1:$https_listen_port/nginx-proxy/RequestDenied;
            internal;
        }

        location /nginx-proxy/RequestDenied {
            # Debug information now available in headers ($http_x_naxsi_sig etc.)
            # Return a 418 (Teapot) status
            set_by_lua_file $verbose_error_pages lua/get_env.lua 'VERBOSE_ERROR_PAGES';
            set_by_lua_file $feedback_email lua/get_env.lua 'FEEDBACK_EMAIL';
            error_page 418 /nginx-proxy/418-request-denied.shtml;
            return 418;
        }

        include /usr/local/openresty/nginx/conf/locations/*.conf ;
    }

    include /usr/local/openresty/nginx/conf/nginx_sysdig_server.conf ;
}
events {
}