From 96099b52d51e112a181c5250345877e0cb5b0082 Mon Sep 17 00:00:00 2001
From: Tomaz Muraus
Date: Thu, 22 Apr 2021 22:31:23 +0200
Subject: [PATCH 1/3] Update nginx config with info on how to enable response compression.
---
 conf/nginx/st2.conf | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/conf/nginx/st2.conf b/conf/nginx/st2.conf
index c7ec3268d2..dff0c78e9f 100644
--- a/conf/nginx/st2.conf
+++ b/conf/nginx/st2.conf
@@ -60,7 +60,7 @@ server {
 error_page 502 = @apiError;
 rewrite ^/api/(.*) /$1 break;
-
+
 proxy_pass http://127.0.0.1:9101/;
 proxy_read_timeout 90;
 proxy_connect_timeout 90;
@@ -76,6 +76,13 @@ server {
 proxy_cache off;
 proxy_set_header Host $host;
 max_ranges 0;
+
+ # In a lot of scenarios, it may be beneficial to enable response compression (especially when
+ # working with large executions and StackStorm instance is accessed over public internet).
+ # To enable it, uncomment the lines below and adjust according to your needs.
+ # gzip on;
+ # gzip_min_length 1024;
+ # gzip_types text/plain application/json text/event-stream;
 }
 location @streamError {
@@ -102,7 +109,7 @@ server {
 sendfile on;
 tcp_nopush on;
 tcp_nodelay on;
-
+
 # Disable buffering and chunked encoding.
 # In the stream case we want to receive the whole payload at once, we don't
 # want multiple chunks.
@@ -111,6 +118,14 @@ server {
 proxy_buffering off;
 proxy_cache off;
 max_ranges 0;
+
+ # In a lot of scenarios, it may be beneficial to enable response compression (especially when
+ # working with large executions and StackStorm instance is accessed over public internet).
+ # To enable it, uncomment the lines below and adjust according to your needs.
+ # gzip on;
+ # gzip_min_length 1024;
+ # gzip_types text/plain application/json text/event-stream;
+ # gzip_proxied no-cache no-store private expired auth;
 }
 location @authError {
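Review bot: The gzip example added to the /api/ location (hunk @@ -76,6 +76,13) carries no caveat about compression side channels, although this server block terminates TLS (the ssl_* directives near line 36 of the file): a compressed TLS response that contains a secret next to content derived from the request can leak that secret through its length (BREACH-class attacks), and whether particular StackStorm API responses have that shape cannot be determined from this hunk. I would add one line after the "adjust according to your needs" comment: `# Compressing TLS responses that echo request input next to secrets (tokens, keys) can leak them via response length; leave compression off for such endpoints.` The same gzip block is added to the /stream/ location in hunk @@ -111,6 +118,14 and needs the same line. The /auth/ location, which neither hunk touches, stays uncompressed as is.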
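Review bot: The gzip example for the /stream/ location (hunk @@ -111,6 +118,14) is placed directly under `proxy_buffering off` and the existing comment that stream payloads must arrive whole and unchunked, but nothing says how the gzip filter interacts with that: compressed output is produced into nginx's gzip buffers, so server-sent events may be held back until a buffer fills or a flush reaches the filter; I have not verified nginx's flush behaviour for this combination, so it should be tested before `text/event-stream` is recommended in `gzip_types`. I would add `# Verify that events are still delivered promptly with compression enabled; gzip output is buffered.` above `# gzip on;`. Separately, this block includes `gzip_proxied no-cache no-store private expired auth;` while the otherwise identical block added to /api/ in hunk @@ -76,6 +76,13 does not; since nginx defaults to `gzip_proxied off` (no compression for requests that carry a Via header), either both examples should carry the directive or the difference should be explained in the comment.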
@@ -122,7 +137,7 @@ server {
 error_page 502 = @authError;
 rewrite ^/auth/(.*) /$1 break;
-
+
 proxy_pass http://127.0.0.1:9100/;
 proxy_read_timeout 90;
 proxy_connect_timeout 90;
From b82a5feb6fb90c04af319c3649460c8b12a7d34d Mon Sep 17 00:00:00 2001
From: Tomaz Muraus
Date: Thu, 22 Apr 2021 23:12:52 +0200
Subject: [PATCH 2/3] Also add an example on using TLS 1.3.
---
 conf/nginx/st2.conf | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/conf/nginx/st2.conf b/conf/nginx/st2.conf
index dff0c78e9f..80b1d7a3a1 100644
--- a/conf/nginx/st2.conf
+++ b/conf/nginx/st2.conf
@@ -36,6 +36,8 @@ server {
 ssl_certificate_key /etc/ssl/st2/st2.key;
 ssl_session_cache shared:SSL:10m;
 ssl_session_timeout 5m;
+ # If your version of OpenSSL supports it, you are strongly recommended to also (or only) use TLS v1.3
+ #ssl_protocols TLSv1.2 TLSv1.3;
 ssl_protocols TLSv1.2;
 ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;
 ssl_prefer_server_ciphers on;
From 9d8401c4eb7597a8f409b32fba620f42ca267d1a Mon Sep 17 00:00:00 2001
From: Eugen Cusmaunsa
Date: Fri, 11 Jun 2021 20:57:04 +0100
Subject: [PATCH 3/3] Update conf/nginx/st2.conf
---
 conf/nginx/st2.conf | 2 --
 1 file changed, 2 deletions(-)
diff --git a/conf/nginx/st2.conf b/conf/nginx/st2.conf
index 80b1d7a3a1..dff0c78e9f 100644
--- a/conf/nginx/st2.conf
+++ b/conf/nginx/st2.conf
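Review bot: The added `#ssl_protocols TLSv1.2 TLSv1.3;` suggestion (hunk @@ -36,6 +36,8 of patch 2/3) conditions TLS 1.3 on OpenSSL alone and says nothing about the cipher configuration that follows it: `ssl_ciphers` only governs TLS 1.2-and-earlier suites, and TLS 1.3 suites come from the OpenSSL defaults unless set separately (nginx 1.19.4+ exposes this through `ssl_conf_command Ciphersuites …`), so an operator who uncomments the line gets a suite list they never reviewed. I would extend the comment to `# TLS 1.3 needs nginx built against OpenSSL 1.1.1 or newer; the ssl_ciphers list below does not apply to TLS 1.3 suites.` Adjacent but outside the added lines: several entries in the `ssl_ciphers` context line are not OpenSSL cipher names (there is no `-SHA128` suite) and others appear twice, and OpenSSL silently drops unknown names when parsing the string, so the effective list is shorter than it reads and is worth a separate cleanup. Note that patch 3/3 in this series removes these two lines again.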
@@ -36,8 +36,6 @@ server {
 ssl_certificate_key /etc/ssl/st2/st2.key;
 ssl_session_cache shared:SSL:10m;
 ssl_session_timeout 5m;
- # If your version of OpenSSL supports it, you are strongly recommended to also (or only) use TLS v1.3
- #ssl_protocols TLSv1.2 TLSv1.3;
 ssl_protocols TLSv1.2;
 ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;
 ssl_prefer_server_ciphers on;