Permalink
Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
120 lines (89 sloc) 3.29 KB
user nginx;
worker_processes {{ if env "SSL" }}auto{{ else }}1{{ end }};
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=synchro_cache:10m inactive=60m use_temp_path=off;
sendfile on;
keepalive_timeout 65;
{{ if service "synchro" }}
upstream synchro {
# write the address:port pairs for each healthy Synchro node
{{range service "synchro"}}
server {{.Address}}:{{.Port}};
{{end}}
ip_hash; # Poor man's session affinity (for Synchro async ops)
# least_conn;
}{{ end }}
server {
{{ if env "SSL" }}
listen 443 ssl;
# Validate with https://www.ssllabs.com/ssltest/index.html
ssl_certificate {{ or (env "SSL_CERTS_PATH") "/etc/ssl/certs/ssl.crt" }};
ssl_certificate_key {{ or (env "SSL_KEY_PATH") "/etc/ssl/private/ssl.key" }};
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 180m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
{{ if env "SSL_DH_PARAM_PATH" }}ssl_dhparam {{env "SSL_DH_PARAM_PATH"}};{{ end }}
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
{{ else }}
listen 80;
{{ end }}
server_name _;
root /usr/share/nginx/html;
location /health {
# requires http_stub_status_module
stub_status;
allow 127.0.0.1;
deny all;
}
{{ if service "synchro" }}
location ^~ / {
proxy_cache synchro_cache;
proxy_cache_bypass $http_cache_control;
add_header X-Proxy-Cache $upstream_cache_status;
# websocket support
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_pass http://synchro;
proxy_set_header Host $http_host; # Pass the http Host header as received (instead of rewriting to upstream host)
{{ if env "SSL" }}
proxy_set_header x-arr-ssl "yes"; # Add SSL indicator for upstream
{{ else }}
proxy_set_header x-arr-ssl ""; # Turn off any downstream SSL indicator
{{ end }}
# add_header X-Upstream $upstream_addr; # For test - to verify upstream from client testing (turn off ip_hash)
proxy_redirect off;
}{{end}}
}
{{ if env "SSL" }}
server {
listen 80;
server_name _;
location /health {
# requires http_stub_status_module
stub_status;
allow 127.0.0.1;
deny all;
}
location ^~ / {
return 301 https://$host$request_uri;
}
}
{{ end }}
}