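# NGINX.conf
#
# Two-tier reverse proxy. The RLB (internet-facing: TLS termination + cache)
# forwards to a WAF pair; the WAF hands requests to the DLB, which picks the
# origin upstream from the X-WAF-URL-FLAG header that the RLB stamped on.
http {
    include mime.types;
    server_tokens off;          # do not advertise the nginx version
    ignore_invalid_headers on;
    sendfile on;
    tcp_nopush on;
    open_file_cache max=100 inactive=300s;

    # Key on the client-facing $host rather than $proxy_host: every RLB vhost
    # proxies to the same upstream group (WAF01), so $proxy_host is the same
    # string for every site and would not keep their objects apart if two
    # vhosts ever shared a cache zone.
    proxy_cache_key $scheme$host$request_uri;
    proxy_temp_path /var/tmp/nginx/temp 1 2;
    proxy_cache_valid 200 302 1h;
    proxy_cache_valid any 1m;

    # "RSAGCM" is not an OpenSSL cipher-string keyword and OpenSSL skips rules
    # it cannot parse, so the first entry was silently a no-op; ECDHE+AESGCM is
    # the evident intent given the entries that follow. Check the effective
    # list with: openssl ciphers -v '<this string>'
    ssl_ciphers ECDHE+AESGCM:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!EXPORT:!DES:!3DES:!MD5:!DSS;
    ssl_prefer_server_ciphers on;
    # TLS 1.2 only. Add TLSv1.3 once the build is confirmed to be nginx >= 1.13.0
    # linked against OpenSSL >= 1.1.1; older builds reject the token at startup.
    ssl_protocols TLSv1.2;
    ssl_session_cache shared:SSLresumption:10m;
    ssl_session_timeout 10m;

    ##### For RLB
    upstream WAF01 {
        ip_hash;
        server 192.0.2.11:80 max_fails=3 fail_timeout=300;
        server 192.0.2.12:80 max_fails=3 fail_timeout=300;
    }

    # Upstream group names use underscores so they match the values produced by
    # the DLB map below. The original declared WWW_EXAMPLE.COM but mapped to
    # WWW_EXAMPLE_COM, so "proxy_pass $MYUPSTREAM" found no group and fell
    # through to DNS resolution, which fails with no "resolver" configured.
    upstream WWW_EXAMPLE_COM {
        server 203.0.113.101:80 max_fails=3 fail_timeout=300;
        server 203.0.113.102:80 max_fails=3 fail_timeout=300;
    }
    upstream WWW_EXAMPLE_NET {
        server 203.0.113.111:80 max_fails=3 fail_timeout=300;
        server 203.0.113.112:80 max_fails=3 fail_timeout=300;
    }

    proxy_cache_path /var/tmp/nginx/cache/EXAMPLE_COM levels=1:2 keys_zone=EXAMPLE_COM:60m max_size=4000m inactive=8h;
    proxy_cache_path /var/tmp/nginx/cache/EXAMPLE_NET levels=1:2 keys_zone=EXAMPLE_NET:60m max_size=4000m inactive=8h;

    server {
        #RLB Configuration: plain HTTP only redirects to HTTPS
        listen 198.51.100.1:80;     # was "80:" (trailing colon) - the config would not load
        server_name www.example.com;
        error_log /var/log/nginx/example_com_error.log error;
        access_log /var/log/nginx/example_com_access.log;
        location / {
            return 301 https://$host$request_uri;
        }
    }

    server {
        #RLB Configuration: TLS termination and response cache
        listen 198.51.100.1:443 ssl http2;
        server_name www.example.com;
        error_log /var/log/nginx/example_com_ssl_error.log error;   # was ";;" - parse error
        access_log /var/log/nginx/example_com_ssl_access.log;
        ssl_certificate /usr/local/etc/Certs/www.example.com.cert;
        ssl_certificate_key /usr/local/etc/Certs/www.example.com.key;
        location / {
            proxy_pass http://WAF01;
            # Must name the keys_zone declared above; "EXAMPLE.COM" referred to
            # a zone that does not exist and nginx refuses to start on that.
            proxy_cache EXAMPLE_COM;
            proxy_cache_valid 200 302 1440m;
            proxy_cache_valid 404 1m;
            proxy_cache_valid 500 502 504 1m;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Host $host;
            # The RLB is the trust boundary: send only the TCP peer address
            # instead of appending to a client-supplied X-Forwarded-For, which a
            # client could otherwise seed with a spoofed address for the WAF to
            # log or act on. If a trusted CDN is ever placed in front, use the
            # real_ip module (set_real_ip_from) rather than trusting the header.
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Real-IP $remote_addr;
            # Routing hint consumed by the DLB map. Always overwritten here so a
            # client cannot inject its own value through the RLB.
            proxy_set_header X-WAF-URL-FLAG $scheme://$host:$server_port;
        }
    }

    # .... (the www.example.net RLB server blocks are omitted from this listing)

    ##### For DLB
    # nginx matches $http_* variables against lower-cased header names, so the
    # original $http_X_WAF_URL_FLAG never matched "X-WAF-URL-FLAG" and every
    # request got an empty $MYUPSTREAM.
    map $http_x_waf_url_flag $MYUPSTREAM {
        default                        "";                      # unknown or missing flag -> rejected below
        https://www.example.com:443    http://WWW_EXAMPLE_COM;  # upstream group to route to
        https://www.example.net:443    http://WWW_EXAMPLE_NET;  # upstream group to route to
    }

    server {
        #DLB
        # Routing is driven entirely by request headers, so this listener must be
        # reachable only from the WAF hosts (restrict at the host/network level):
        # anything that can reach it directly chooses both the backend and the
        # Host header sent to it.
        listen 192.0.2.11:10080 accept_filter=httpready;
        server_name DLB1;
        error_log /var/log/nginx/dlb01.err error;
        access_log /var/log/nginx/dlb01.acc;
        location / {
            # Without a map default, $MYUPSTREAM was empty and proxy_pass failed
            # with an opaque 500 ("invalid URL prefix"); reject explicitly instead.
            if ($MYUPSTREAM = "") {
                return 421;
            }
            proxy_pass $MYUPSTREAM;
            proxy_pass_header X-Accel-Buffering;
            proxy_set_header Host $http_x_forwarded_host;
            proxy_set_header X-WAF-URL-FLAG "";     # strip the routing hint before the origin
            proxy_set_header X-Forwarded-Host $http_host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}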