assets_origin.conf.erb
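# Origin vhost for static and uploaded assets. Requests are proxied to the
# asset-manager, whitehall-frontend, static and per-app upstreams.
#
# When SSL is enabled the first server block only redirects HTTP to HTTPS and
# the vhost proper is the second server block. When SSL is disabled a single
# port-80 server block carries everything below.
server {
  server_name <%= @vhost_name -%> <%= @vhost_name -%>.* <%= @vhost_aliases.join(' ') -%>;
  listen 80;

<% if @enable_ssl -%>
  # The redirect target is built from the request's Host header ($host).
  # server_name (including the "<vhost>.*" wildcard above) decides which Host
  # values can reach this block.
  rewrite ^/(.*) https://$host/$1 permanent;
}

server {
  server_name <%= @vhost_name -%> <%= @vhost_aliases.join(' ') -%>;
  listen 443 ssl;

  ssl_certificate /etc/nginx/ssl/<%= @vhost_name -%>.crt;
  ssl_certificate_key /etc/nginx/ssl/<%= @vhost_name -%>.key;
  include /etc/nginx/ssl.conf;
<% end -%>

  # Forwarding headers for the upstream applications. X-Forwarded-For appends
  # $remote_addr, which is the rewritten address when real_ip_header is set.
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-Server $host;
  proxy_set_header X-Forwarded-Host $host;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

<% if @real_ip_header != '' -%>
  # use an unspoofable header from an upstream cdn or l7 load balancer.
  #
  # NOTE(review): set_real_ip_from 0.0.0.0/0 trusts every peer to supply this
  # header, and real_ip_recursive treats every address listed in it as trusted
  # too. That is only sound if this origin is reachable solely through the
  # CDN / load balancer and that hop overwrites the header. Otherwise the
  # client can influence $remote_addr, and with it the limits below and the
  # address written to the access log. Prefer listing the upstream's address
  # ranges here instead of 0.0.0.0/0.
  real_ip_header <%= @real_ip_header -%>;
  real_ip_recursive on;
  set_real_ip_from 0.0.0.0/0;

  # Limit requests and connections based on $remote_addr.
  # NB: This may not be accurate if there is a L3 load balancer upstream and
  # real_ip_header cannot be set!
  # The "rate" and "connections" zones are not defined in this file.
  limit_req zone=rate burst=10 nodelay;
  limit_conn connections 10;
<% end -%>

  access_log /var/log/nginx/<%= @vhost_name -%>-json.event.access.log json_event;
  error_log /var/log/nginx/<%= @vhost_name -%>-error.log;

  # Wildcard CORS: any origin may read responses from this vhost. Presumably
  # acceptable because everything served here is public; confirm before
  # routing anything non-public through it.
  # nginx inherits these server-level add_header lines only in locations that
  # declare no add_header of their own.
  add_header "Access-Control-Allow-Origin" "*";
  add_header "Access-Control-Allow-Methods" "GET, OPTIONS";
  add_header "Access-Control-Allow-Headers" "origin, authorization";

  # Map the consultation_response_form path onto consultation_response_form_data.
  # NOTE(review): the rewrite has no flag, so nginx re-runs location matching
  # on the rewritten URI. The Cache-Control / expires set here therefore
  # probably do not reach the final response - confirm.
  location /government/uploads/system/uploads/consultation_response_form/ {
    add_header Cache-Control "public";
    expires 1y;
    rewrite ^/government/uploads/system/uploads/consultation_response_form/(.*)$ /government/uploads/system/uploads/consultation_response_form_data/$1;
  }

  # Per-application static asset routes. nginx variable names cannot contain
  # "-", so hyphens are stripped from the vhost name to form the variable.
  # A proxy_pass without a URI part forwards the request URI unchanged.
  <%- @app_specific_static_asset_routes.each do |alias_path, vhost_name| -%>
  set $upstream_<%= vhost_name.delete "-" %> <%= @upstream_ssl ? 'https' : 'http' %>://<%= vhost_name %>.<%= @app_domain %>;
  location <%= alias_path %> {
    proxy_pass $upstream_<%= vhost_name.delete "-" %>;
  }
  <%- end -%>

  # Uploaded assets served by asset-manager.
  set $upstream_asset_manager <%= @upstream_ssl ? 'https' : 'http' %>://asset-manager.<%= @app_domain %>;
  <%- @asset_manager_uploaded_assets_routes.each do |path| -%>
  location <%= path %> {
    # Explicitly re-include the Strict-Transport-Security header. Because this
    # location declares its own add_header lines, headers added further up the
    # stack are not inherited and must be repeated here. The CORS headers are
    # repeated for the same reason.
    # presumably add-sts.conf holds the STS add_header - file not shown here.
    include /etc/nginx/add-sts.conf;
    add_header "Access-Control-Allow-Origin" "*";
    add_header "Access-Control-Allow-Methods" "GET, OPTIONS";
    add_header "Access-Control-Allow-Headers" "origin, authorization";

    proxy_pass $upstream_asset_manager;
  }
  <%- end -%>

  # Uploaded assets still served by whitehall-frontend.
  set $upstream_whitehall <%= @upstream_ssl ? 'https' : 'http' %>://whitehall-frontend.<%= @app_domain %>;
  <%- @whitehall_uploaded_assets_routes.each do |path| -%>
  location <%= path %> {
    proxy_pass $upstream_whitehall;
  }
  <%- end -%>

  # Everything else goes to the static application.
  set $upstream_static <%= @upstream_ssl ? 'https' : 'http' %>://static.<%= @app_domain %>;

  location = /static/a {
    proxy_pass $upstream_static;
  }

  location /__canary__ {
    proxy_pass $upstream_static;
  }

  location / {
    proxy_pass $upstream_static;
  }

  # Google site-verification file. Exact match ("=") so that only this path
  # is answered locally. As a prefix location, any URI that merely started
  # with this string would also have returned the verification body.
  location = /googlec908b3bc32386239.html {
    return 200 'google-site-verification: googlec908b3bc32386239.html';
  }
}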