{{/* Template-time settings. Each value is read from an environment variable
     and falls back to the default shown; the rendered nginx config contains
     only the results. Later entries build on earlier ones (cert, key and
     diffie use certspath; server_name_in_redirect_ssl falls back to
     server_name_in_redirect), so the order below matters. */}}
{{/* Default OpenSSL cipher string for the TLS vhost (NGINX_SSL_CIPHERS).
     NOTE(review): the list explicitly includes the 3DES suites
     ECDHE-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA and DES-CBC3-SHA, and the
     trailing "!DES" does not remove them -- in OpenSSL "DES" means single
     DES while triple DES is the separate "3DES" alias. 64-bit-block ciphers
     are widely disabled today; override NGINX_SSL_CIPHERS or append "!3DES"
     here if they are not wanted. */}}
{{ $dciphers := "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4" }}
{{/* $v is the dict handed to the "vhost" template further down: the key "$"
     keeps the root context reachable and "Env" the raw environment. */}}
{{ $v := dict "$" $ }}
{{ $v := merge $v ( dict "Env" .Env) }}
{{/* Listen ports for the plain-HTTP and TLS server blocks. */}}
{{ $v := merge $v ( dict "port" ( .Env.PORT | default "8080" ) ) }}
{{ $v := merge $v ( dict "sport" ( .Env.SPORT | default "8443" ) ) }}
{{/* Certificate, key and DH-parameter paths; unless given explicitly they
     are files under SSL_CERTS_PATH (default /certs). */}}
{{ $v := merge $v ( dict "certspath" ( .Env.SSL_CERTS_PATH | default "/certs" ) ) }}
{{ $v := merge $v ( dict "cert" ( .Env.SSL_CERT_PATH | default ( print $v.certspath "/cert.crt" )) ) }}
{{ $v := merge $v ( dict "key" ( .Env.SSL_KEY_PATH | default ( print $v.certspath "/cert.key" )) ) }}
{{ $v := merge $v ( dict "diffie" ( .Env.NGINX_DH_FILE | default ( print $v.certspath "/dhparams.pem" )) ) }}
{{/* NO_SSL defaults to "1", so the TLS server block at the bottom of this
     file is rendered only when NO_SSL is explicitly set to another value. */}}
{{ $v := merge $v ( dict "nossl" ( .Env.NO_SSL | default "1" ) ) }}
{{/* Primary server_name plus optional additional names, and the
     server_name_in_redirect setting for each server block. */}}
{{ $v := merge $v ( dict "server_name" ( .Env.NGINX_SERVERNAME | default "localhost" ) ) }}
{{ $v := merge $v ( dict "server_aliases" ( .Env.NGINX_SERVER_ALIASES | default "" ) ) }}
{{ $v := merge $v ( dict "server_name_in_redirect" ( .Env.NGINX_SERVERNAME_IN_REDIRECT | default "on" ) ) }}
{{ $v := merge $v ( dict "server_name_in_redirect_ssl" ( .Env.NGINX_SERVERNAME_IN_REDIRECT_SSL | default $v.server_name_in_redirect ) ) }}
{{/* real_ip module: which proxy addresses may set the client address
     (space-separated CIDRs, default: all RFC 1918 space) and whether the
     search is recursive. Any host inside those ranges can choose the client
     address that ends up in the logs, so narrow the list to the real
     gateway(s) where possible. */}}
{{ $v := merge $v ( dict "real_ip_from_recursive" ( .Env.NGINX_REAL_IP_FROM_RECURSIVE | default "on" ) ) }}
{{ $v := merge $v ( dict "real_ip_from" ( .Env.NGINX_REAL_IP_FROM | default "10.0.0.0/8 172.16.0.0/12 192.168.0.0/16" )) }}
{{/* TLS parameters for the TLS vhost. NOTE(review): the protocol default
     still enables TLS 1.0 and 1.1, both deprecated by RFC 8996; set
     NGINX_SSL_PROTOCOLS to "TLSv1.2" (adding "TLSv1.3" where the
     nginx/OpenSSL build supports it) to turn them off. */}}
{{ $v := merge $v ( dict "ssl_ciphers" ( .Env.NGINX_SSL_CIPHERS | default $dciphers ) ) }}
{{ $v := merge $v ( dict "ssl_protocols" ( .Env.NGINX_SSL_PROTOCOLS | default "TLSv1 TLSv1.1 TLSv1.2" ) ) }}
{{/* Request-body limit applied inside the vhost; 1G is generous for a
     server whose only visible location serves static files. */}}
{{ $v := merge $v ( dict "client_max_body_size" ( .Env.NGINX_CLIENT_MAX_BODY_SIZE | default "1G" ) ) }}
{{/* error_log level and the full access_log argument string. The default
     access log relies on the custom_combined format and the $method_loggable
     map defined further down in this file. */}}
{{ $v := merge $v ( dict "log_level" ( .Env.NGINX_LOGLEVEL | default "crit" ) ) }}
{{ $v := merge $v ( dict "access_log" ( .Env.NGINX_ACCESSLOG | default "/logs/riot-access.log custom_combined if=$method_loggable"))}}
# optimize internal nginx buffers
# Hash-table sizes for MIME types, variables and server names, set
# explicitly (several above nginx's defaults) so that long server_name lists
# and the many variables created by the maps below fit without a
# "could not build ... hash" error at startup.
types_hash_max_size 2048;
variables_hash_max_size 1024;
variables_hash_bucket_size 256;
server_names_hash_bucket_size 256;
server_names_hash_max_size 1024;
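# logging setup
# Request log format referenced by the default access_log setting. It is the
# stock "combined" layout with $bytes_sent (headers included) in place of
# $body_bytes_sent and $gzip_ratio appended. The stray '"' that used to
# precede $remote_addr was unbalanced (every log line began with a literal
# quote character) and has been dropped.
log_format custom_combined '$remote_addr - $remote_user [$time_local] "$request" $status $bytes_sent "$http_referer" "$http_user_agent" "$gzip_ratio"';
# Define type of requests going to logs (to remove OPTIONS requests for example)
# $method_loggable is 0 for OPTIONS (typically CORS preflight) and 1 for
# everything else; access_log's "if=$method_loggable" skips the 0 case.
map $request_method $method_loggable { OPTIONS 0;default 1;}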
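# activate real_ip logging
# Replace the client address with the one carried in X-Real-IP (the
# real_ip_header default; no real_ip_header directive is set in this file)
# only when the connection arrives from one of the NGINX_REAL_IP_FROM ranges.
# real_ip_recursive mainly matters with a multi-address header such as
# X-Forwarded-For; with the single-address default it has little effect.
real_ip_recursive {{ $v.real_ip_from_recursive }};
# One set_real_ip_from per space-separated entry. The inner guard skips the
# empty tokens that repeated or trailing spaces in NGINX_REAL_IP_FROM would
# otherwise turn into an invalid "set_real_ip_from ;" line.
{{ range $v.real_ip_from | splitList " " }}{{ if . }}
set_real_ip_from {{ . }};
{{ end }}{{ end }}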
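# SSL offload support (use_scheme is the proxified scheme)
# If the X-SSL or X-FORWARDED-PROTO request header is set we are behind a TLS
# gateway, so the effective scheme is the request's own $scheme unless one of
# those headers forces https (X-SSL: 1 or X-Forwarded-Proto: https). Both
# headers are concatenated into one map key so a single regex covers them.
# The maps are defined here, outside the vhost that later overwrites
# $http_x_ssl and friends with "set", to avoid a self-referential map
# (original comment: "break loop resolution loop while map resolution").
# NOTE(review): the headers are taken from whoever connects; nothing in this
# file ties them to the real_ip trusted ranges, so when nginx is reachable
# without a gateway in front, a client can pick the scheme these variables
# report. In the visible config they only feed the $forwarded_* variables
# and $fastcgi_ssl_toggle, none of which the static vhost uses, so the
# impact depends on what includes this file.
map "$http_x_ssl$http_x_forwarded_proto" $forwarded_ssl_scheme {default $scheme; "~(1|https)" https;}
# if we come directly from https on localbox without x_ssl, set it.
# 1 when the effective scheme is https (native or forced), 0 otherwise.
map $forwarded_ssl_scheme $http_x_ssl_resolved {default 0; https 1;}
# boolean value of https/http: on == https again, we default to the request value
# but also force it to true when we are forced
# to be on ssl via X-SSL/X-FORWARDED-PROTO
map $forwarded_ssl_scheme $fastcgi_ssl_toggle {default $https;https on;}
# Port and protocol views of the same flag, for use by whatever includes
# this file (no consumer is visible here).
map $http_x_ssl_resolved $forwarded_remote_server_port {default $remote_port;1 443;}
map $http_x_ssl_resolved $forwarded_static_server_port {default 80;1 443;}
# $forwarded_server_port was defined twice with identical bodies; nginx
# accepts that (the last map wins) but the duplicate was pure noise.
map $http_x_ssl_resolved $forwarded_server_port {default $server_port;1 443;}
map $http_x_ssl_resolved $http_x_forwarded_protocol_resolved {default tcp;1 ssl;}
map $http_x_ssl_resolved $http_x_forwarded_ssl_resolved {default off;1 on;}
map $http_x_ssl_resolved $http_x_forwarded_proto_resolved {default http;1 https;}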
# Obtain best http host
# $this_host: the Host request header, or nginx's own $host when the client
# sent none.
map $http_host $this_host {
default $http_host;
'' $host;
}
# $best_http_host: a gateway-supplied X-Forwarded-Host when present, else
# $this_host.
# NOTE(review): X-Forwarded-Host is accepted from any client. Nothing in the
# visible config consumes $best_http_host, but anything that later builds
# redirects or absolute links from it would be steered by that header unless
# the gateway in front strips or sets it.
map $http_x_forwarded_host $best_http_host {
default $http_x_forwarded_host;
'' $this_host;
}
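# Plain-HTTP vhost. Both server blocks share the "vhost" template defined
# inside this one.
server {
    listen {{ $v.port }};
    # NGINX_SERVER_ALIASES is emitted after a space so the aliases become
    # additional names instead of being glued onto NGINX_SERVERNAME (without
    # the separator "localhost" plus alias "a.example" rendered as the single
    # name "localhosta.example"). An alias value that already starts with a
    # space still works; nginx ignores the extra whitespace.
    server_name {{ $v.server_name }}{{if $v.server_aliases }} {{$v.server_aliases}}{{end}};
    server_name_in_redirect {{ $v.server_name_in_redirect }};
    error_log /logs/riot-error.log {{$v.log_level}};
    access_log {{ $v.access_log }};
{{ define "vhost" }}
    # Shared body of both server blocks; "." is the $v settings dict.
    gzip on;
    # adds a Vary: Accept-Encoding in the response, and it's a valid varying
    # info as we may not gzip depending on the value of Accept-Encoding
    gzip_vary on;
    gzip_proxied any;
    # note that text/html is always on by default
    gzip_types
        text/plain
        text/css
        text/xml
        text/javascript
        text/cache-manifest
        application/json
        application/x-javascript
        application/xml
        application/xml+rss
        application/rss+xml
        application/javascript
        application/atom+xml
        application/ld+json
        application/manifest+json
        application/vnd.geo+json
        application/vnd.ms-fontobject
        application/x-font-ttf
        application/x-web-app-manifest+json
        image/svg+xml
        application/xhtml+xml
        application/vnd.mapbox-vector-tile
        font/opentype;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_min_length 256;
    gzip_comp_level 4;
    client_max_body_size {{ .client_max_body_size }};
    # feed the map variables for ssl up
    # Overwrite the header-derived variables with the resolved values so
    # anything evaluated after this point sees one consistent scheme.
    set $http_x_ssl $http_x_ssl_resolved;
    set $http_x_forwarded_proto $http_x_forwarded_proto_resolved;
    set $http_x_forwarded_ssl $http_x_forwarded_ssl_resolved;
    set $http_x_forwarded_protocol $http_x_forwarded_protocol_resolved;
    # Static riot-web bundle. With "location /" an alias of /riot-web/ maps
    # request paths exactly as "root /riot-web;" would; root is the
    # conventional form when alias and location prefix line up like this.
    location / {
        alias /riot-web/;
        # static optimisations
        tcp_nodelay off;
        sendfile on;
        # Set the OS file cache.
        open_file_cache max=3000 inactive=300s;
        open_file_cache_valid 60s;
        open_file_cache_min_uses 2;
        open_file_cache_errors off;
        # "Pragma: cache" has no standard meaning (RFC 7234 only defines
        # no-cache) and Cache-Control carries no max-age, so freshness is
        # left to client heuristics. Both headers go on every response from
        # this location, including the /index.html fallback below.
        # NOTE(review): no hardening headers (X-Content-Type-Options,
        # X-Frame-Options, Content-Security-Policy) are set anywhere in
        # this file.
        add_header Pragma "cache";
        add_header Cache-Control "public";
        # SPA fallback: paths that match no file or directory get index.html.
        try_files $uri $uri/ /index.html;
    }
{{ end }}
{{ template "vhost" $v }}
}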
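{{ if ne $v.nossl "1" }}
# TLS vhost, rendered only when NO_SSL is set to something other than "1"
# (its default). Serves the same "vhost" template as the HTTP server above.
server {
    listen {{ $v.sport }} ssl;
    # "ssl on;" was dropped: "listen ... ssl" already enables TLS, and the
    # directive was deprecated in nginx 1.15.0 and removed in 1.25.1, where
    # its presence makes the configuration fail to load.
    server_name_in_redirect {{ $v.server_name_in_redirect_ssl }};
    # A space separates NGINX_SERVERNAME from NGINX_SERVER_ALIASES so the
    # aliases become additional names rather than being appended to the
    # primary name as one token.
    server_name {{ $v.server_name }}{{if $v.server_aliases }} {{$v.server_aliases}}{{end}};
    # Cipher and protocol lists come from NGINX_SSL_CIPHERS and
    # NGINX_SSL_PROTOCOLS; the defaults set at the top of this file still
    # allow TLS 1.0/1.1 and the 3DES suites.
    ssl_ciphers {{ $v.ssl_ciphers }};
    ssl_protocols {{ $v.ssl_protocols }};
    ssl_certificate {{ $v.cert }};
    ssl_certificate_key {{ $v.key }};
    # Session resumption: a 10 MB shared cache (about 4000 sessions per
    # megabyte according to the nginx docs) kept for 10 minutes.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_prefer_server_ciphers on;
    # DH parameters for the DHE-* suites in the cipher list. nginx refuses
    # to start if the file at NGINX_DH_FILE (default
    # SSL_CERTS_PATH/dhparams.pem) is missing.
    ssl_dhparam {{ $v.diffie }};
    error_log /logs/ssl-riot-error.log {{$v.log_level}};
    access_log {{ $v.access_log }};
    # NOTE(review): no Strict-Transport-Security header is set anywhere in
    # this file; HSTS is normally wanted once every name served here is
    # permanently reachable over HTTPS.
{{ template "vhost" $v }}
}
{{ end }}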