/
nginx.conf.erb
111 lines (89 loc) · 3.85 KB
/
nginx.conf.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
# Run nginx worker as the current user instead of 'nobody'
user <%= ENV['USER'] %> staff;
http {
default_type application/octet-stream;
include mime.types;
sendfile on;
keepalive_timeout 65;
# Provide the Pow host root dir as an Nginx variable so per-app nginx
# configs can dynamically set server root directories relative to it.
# We could process per-app config as ERB templates instead, but that'd
# require reloading Powprox whenever they change.
#
# (Hax to set a variable in HTTP context since 'set' may only be used in
# server blocks. The source variable is ignored entirely; we just set
# $pow_host_root to the default value every time.)
map $http_host $pow_host_root { default "<%= pow_host_root %>"; }
# SSL setup
ssl_certificate <%= ssl_certificate %>;
ssl_certificate_key <%= ssl_certificate_key %>;
ssl_session_cache shared:SSL:32k; # 1MB = ~4000 sessions, so 32kB = ~100 sessions
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
# Compress HTML, JSON, CSS, JavaScript, fonts, SVG
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/font-woff image/svg+xml;
# Cache public responses
proxy_cache_path "<%= powprox_dir %>/nginx/proxy_cache" levels=1:2 keys_zone=powprox_cache:1m inactive=60m max_size=100m use_temp_path=off;
proxy_cache powprox_cache;
# Perform backend cache updates one at a time, not in parallel
proxy_cache_lock on;
proxy_cache_use_stale updating;
# Indicate whether the response was pulled from the cache:
# X-Cache-Status: HIT/MISS
add_header X-Cache-Status $upstream_cache_status;
# Pow @ localhost
upstream pow {
server 127.0.0.1:<%= pow_http_port %>;
}
# Include optional per-site server config
include "<%= powprox_dir %>/nginx/sites/*";
# Default server proxies all domains to Pow
server {
listen 80 default_server;
listen 443 ssl spdy default_server;
server_name <%= pow_domains.map { |domain| "~^(?<pow_host>.+)\.#{domain}$" } * ' ' %> ~^(?<pow_host>.+)(\.\d+)\{4\}\.xip\.io$;
root "$pow_host_root/$pow_host/public";
location / {
try_files $uri $uri.html @powprox;
}
location @powprox {
internal;
proxy_pass http://pow;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# App can reproxy responses from any URL by pointing X-Accel-Redirect here
# and setting X-Reproxy-Url. Apps use this to serve files from internal
# servers, to serve pages via private internals caches, etc.
#
# https://github.com/jeremy/rack-reproxy#nginx
location /reproxy {
internal;
# Resolve reproxied hosts against Pow
resolver 127.0.0.1:<%= pow_dns_port %>;
# Capture the app's X-Reproxy-Url and proxy to it
set $reproxy_url $upstream_http_x_reproxy_url;
proxy_pass $reproxy_url;
# Don't overflow buffers into tempfiles at all. Defaults to 1GB which
# leads to lost connections and corrupt downloads.
proxy_max_temp_file_size 0;
# Send the browser's original request headers along to the backend.
proxy_pass_request_headers on;
# GET requests only! Turn off request bodies.
proxy_method GET;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
# Support reproxied authentication using the app's X-Reproxy-Authorization
set $reproxy_authorization $upstream_http_x_reproxy_authorization;
proxy_set_header Authorization $reproxy_authorization;
# Use the Content-Type the app provides, not the backend.
proxy_hide_header Content-Type;
}
}
}