-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathnginx.conf
157 lines (133 loc) · 5.25 KB
/
nginx.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
master_process on;
worker_processes 4;
error_log /dev/stderr error;
user protonet;
events {
worker_connections 1024;
}
http {
# Do not leak the nginx server version
# see http://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens
server_tokens off;
include mime.types;
sendfile on;
# Custom HTTP access log format
log_format protonet '$status $request_time $host "$request" $request_length $bytes_sent';
access_log /dev/stdout protonet;
# So I assume we have a thing that sends javascript error messages this way and then you can read them in the log :)
log_format jserror '$args';
# Configure our temporary directories
proxy_temp_path /tmp/;
client_body_temp_path /tmp/;
# The maximum size of the client request body
client_max_body_size 50000M;
# The maximum size of temporary upload buffer files. G instead of M won't work here :(
proxy_max_temp_file_size 50000M;
server {
listen 0.0.0.0:80;
# See https://stackoverflow.com/questions/35471967/nginx-doesnt-get-host-from-embedded-dns-in-docker-1-10-1
# RADAR ipv6=off can be removed on docker 1.11+
resolver 127.0.0.11 valid=5s ipv6=off;
gzip on;
gzip_types application/json;
gzip_min_length 1400;
# This is the directory that static assets are placed in. We first try to
# serve any static files before hitting the real backend.
root /home/protonet/dashboard/shared/public;
location ~ ^/system/users/ {
expires 1w;
try_files $uri @soul-web;
}
location ~ ^/emojies/ {
expires 1y;
try_files $uri @soul-web;
}
location ~ ^/system/background_images/ {
expires 1w;
try_files $uri @soul-web;
}
location ~ ^/assets/ {
expires 1y;
add_header Cache-Control public;
add_header ETag "";
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_disable "MSIE [1-6]\.";
gzip_comp_level 6;
gzip_types application/javascript text/css text/html image/svg+xml;
try_files $uri @soul-web;
}
location /jserror {
access_log /dev/stderr jserror;
return 201;
}
location /socket.io {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# See http://tenzer.dk/nginx-with-dynamic-upstreams/ on why we do it like this and are not using the upstream directive
set $soul_socketio soul-socketio;
proxy_pass http://$soul_socketio:8000;
}
location /dav {
# See http://tenzer.dk/nginx-with-dynamic-upstreams/ on why we do it like this and are not using the upstream directive
set $soul_webdav soul-webdav;
proxy_pass http://$soul_webdav:8224;
}
location /system {
root /home/protonet/dashboard/shared/uploads;
try_files $uri @soul-web;
}
# Used for resolving mod_zip bulk downloads
location /files {
root /home/protonet/dashboard/shared/files;
internal;
}
# =====================================================================
# Send downloads through nginx using X-SendFile in the backend
# See http://www.rubydoc.info/gems/rack/Rack/Sendfile
# =====================================================================
location /protected_owner_fs/ {
internal;
expires 1h;
add_header Cache-Control public;
add_header ETag "";
add_header X-Accel-Nginx on;
add_header Content-Security-Policy "script-src 'none'";
alias /home/protonet/dashboard/shared/files/files/;
}
location ~ ^/(public_links|owner_files|meep_files|api/v1/meep_files)/ {
client_max_body_size 100g;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
# See http://tenzer.dk/nginx-with-dynamic-upstreams/ on why we do it like this and are not using the upstream directive
set $soul_web soul-web;
proxy_pass http://$soul_web:5000;
# path: shared/files/users/1/Projects/test2/Main/73.come.at.me.bro.gif
# nginx-internal path: /protected_owner_fs/1/Projects/test2/Main/73.come.at.me.bro.gif
proxy_set_header X-Accel-Mapping .*shared/files/files/=/protected_owner_fs/;
}
location / {
#root /home/protonet/dashboard/shared/public;
try_files $uri @soul-web;
}
location @soul-web {
# Configure HSTS - ensures that browsers always immediately hit HTTPS on subsequent
# visits, even if the user enters plain HTTP into the address bar. Helps against MITM attacks
# on that first request.
# See https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
add_header Strict-Transport-Security "max-age=31536000";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_redirect off;
# Hide mod_zip instructions from user-facing download
proxy_hide_header X-Archive-Files;
# See http://tenzer.dk/nginx-with-dynamic-upstreams/ on why we do it like this and are not using the upstream directive
set $soul_web soul-web;
proxy_pass http://$soul_web:5000;
}
}
}