-
Notifications
You must be signed in to change notification settings - Fork 81
/
production.nginx.conf
122 lines (103 loc) · 3.43 KB
/
production.nginx.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
# Everything at the top level here is happening at the scope of http in nginx.conf.
log_format matomo '{"ip": "$remote_addr",'
'"host": "$host",'
'"path": "$request_uri",'
'"status": "$status",'
'"referrer": "$http_referer",'
'"user_agent": "$http_user_agent",'
'"length": $bytes_sent,'
'"generation_time_milli": $request_time,'
'"args": {"cvar": {"1": ["Has-Session", $has_session]}},'
'"date": "$time_iso8601"}';
map $http_x_forwarded_proto $web_proxy_scheme {
default $scheme;
https https;
}
map $http_user_agent $limit_bots {
default "";
~*(GoogleBot|bingbot|YandexBot|mj12bot|Apache-HttpClient) $binary_remote_addr;
}
## Testing the request method. Only GET and HEAD are caching safe.
map $request_method $no_cache {
default 0;
POST 1; # POST requests aren't cached usually
}
## Testing for the session cookie being present.
map $http_cookie $has_session {
default 0;
~sessionid 1; # Django session cookie
}
## If there is, then no caching is to be done.
map $has_session $no_cache {
default 0;
1 1;
}
## proxy caching settings.
proxy_cache_path /var/lib/nginx/cache levels=1:2 keys_zone=cache:8m max_size=10g inactive=10m;
proxy_cache_key "$scheme$proxy_host$uri$is_args$args$http_accept_language";
proxy_cache_lock on;
proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
# remote address is a joke here since we don't have x-forwarded-for
limit_req_zone $limit_bots zone=bots:10m rate=1r/s;
limit_req_zone $binary_remote_addr zone=one:10m rate=500r/s;
upstream twlight {
server twlight:80;
}
server {
# if no Host match, close the connection to prevent host spoofing
listen 80 default_server;
return 444;
}
server {
listen 80 deferred;
client_max_body_size 4G;
server_name wikipedialibrary.wmflabs.org;
keepalive_timeout 5;
# Send matomo logs to syslog
access_log syslog:server=syslog,severity=info matomo;
# Send default logs to stdout
access_log /dev/stdout;
root /app;
proxy_cache_valid 200 301 302 401 403 404 5m;
proxy_cache_bypass $no_cache $http_cache_control;
proxy_cache_revalidate on;
proxy_cache cache;
add_header X-Cache-Status $upstream_cache_status;
location / {
# Redirects any http requests to https.
if ($web_proxy_scheme = 'http') {
return 301 https://$host$request_uri;
}
# checks for static file, if not found proxy to app
try_files $uri @twlight;
}
location @twlight {
limit_req zone=bots burst=2 nodelay;
limit_req zone=one burst=1000 nodelay;
limit_req_status 429;
proxy_set_header X-Forwarded-Proto $web_proxy_scheme;
proxy_set_header Host $http_host;
# we don't want nginx trying to do something clever with
# redirects, we set the Host: header above already.
proxy_redirect off;
proxy_pass http://twlight;
}
proxy_intercept_errors on;
error_page 500 502 503 504 /500.html;
location /500-dog.jpeg {
root /app/500/;
}
location /500-Wikipedia_Library_owl.svg {
root /app/500/;
}
location ~ .+/((500-Wikipedia_Library_owl\.svg)|(500-dog\.jpeg))$ {
try_files $uri /$1;
}
location /500.html {
internal;
root /app/500/;
}
location /admin/login {
return 403;
}
}