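# Reverse proxy that publishes Prometheus (:9090) and Alertmanager (:9093)
# under https://monitor.mydomain.com/prometheus/ and /alertmanager/.
#
# NOTE(review): nothing in this file authenticates or restricts clients.
# Unless access is limited elsewhere (firewall, VPN, an include not shown
# here), anyone who can reach this vhost can query metrics and manage
# Alertmanager silences. Consider auth_basic or allow/deny in the two
# proxied locations.
#
# NOTE(review): nginx talks to both backends over plain HTTP on MY_IP.
# Ports 9090 and 9093 should accept connections only from this proxy,
# otherwise the TLS termination here can be bypassed.

upstream @prometheus {
    server MY_IP:9090;
}

upstream @alertmanager {
    server MY_IP:9093;
}

# Plain-HTTP listener: exists only to redirect to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name monitor.mydomain.com;

    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    # The IPv6 socket needs the same flags as the IPv4 one; without "ssl"
    # it would accept plaintext HTTP on port 443.
    listen [::]:443 ssl http2;
    server_name monitor.mydomain.com;

    keepalive_timeout 75s 75s;

    #log_format timed_combined '$remote_addr - $remote_user [$time_local] '
    #'"$request" $status $body_bytes_sent '
    #'"$http_referer" "$http_user_agent" '
    #'$request_time $upstream_response_time $pipe';

    access_log /var/log/nginx/prometheus/access.log;
    error_log /var/log/nginx/prometheus/error.log;

    # TLS settings.
    # TLS 1.0 and 1.1 are deprecated and no longer offered. TLSv1.3 needs
    # nginx 1.13.0+ built against OpenSSL 1.1.1+; drop it on older builds.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/dhparams.pem;
    # NOTE(review): "HIGH" still admits static-RSA key exchange for TLS 1.2,
    # so this list alone does not guarantee forward secrecy. Restrict it to
    # ECDHE/DHE suites if forward secrecy is a requirement.
    ssl_ciphers HIGH:!aNULL:!MD5;

    ssl_certificate /etc/ssl/my-ssl.chained.crt;
    ssl_certificate_key /etc/ssl/my-ssl.com.key;

    # HSTS. "always" also sends the header on error responses (4xx/5xx),
    # which add_header skips by default.
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains" always;

    # Prometheus UI/API. The /prometheus/ prefix is passed through unchanged.
    location /prometheus/ {
        # NOTE(review): compressing every MIME type over TLS can expose
        # responses that reflect request data to compression side channels
        # (BREACH). Has an effect only if gzip is enabled elsewhere.
        gzip_types *;
        proxy_pass http://@prometheus/prometheus/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host:443;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-Port 443;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Alertmanager UI/API. The /alertmanager/ prefix is stripped before the
    # request is forwarded (proxy_pass target ends in "/").
    location /alertmanager/ {
        gzip_types *;
        proxy_pass http://@alertmanager/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host:443;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-Port 443;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Everything else lands on the Prometheus UI. Redirect straight to the
    # slash-terminated path so the client is not bounced a second time.
    location / {
        gzip_types *;
        return 301 /prometheus/;
    }
}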