-
Notifications
You must be signed in to change notification settings - Fork 296
/
000-nginx-global.conf
86 lines (67 loc) · 2.5 KB
/
000-nginx-global.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
# Primary Domains
include "/run/ic-node/etc/nginx/conf.d/set_primary_application_domain.conf";
include "/run/ic-node/etc/nginx/conf.d/set_primary_api_domain.conf";
geo $rosetta {
default 0; # all other traffic maps to zone 0
10.0.0.0/8 1; # local and rosetta traffic map to zone 1
# Add rosetta node addresses here and map to zone 1
2a00:fb01:400::/56 1;
2607:fb58:9005::/48 1;
2602:fb2b:100::/48 1;
}
upstream icx_proxy {
server unix:/run/ic-node/icx-proxy.socket;
keepalive 32;
keepalive_requests 500;
keepalive_time 10m;
}
upstream ic_boundary {
server unix:/run/ic-node/ic-boundary.socket;
keepalive 32;
keepalive_requests 500;
keepalive_time 10m;
}
upstream cert_issuer {
server 127.0.0.1:3000;
keepalive 4;
keepalive_time 10m;
}
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
# Convert nginx's 16-byte/32-char hex formatted request_id into a proper UUID
# This allows for efficient storage in Clickhouse using a native UUID type instead of a string (16 vs 36 bytes)
# E.g. 444535f9378a3dfa1b8604bc9e05a303 -> 444535f9-378a-3dfa-1b86-04bc9e05a303
map $request_id $request_uuid {
"~^(\w{8})(\w{4})(\w{4})(\w{4})(.*)$" "$1-$2-$3-$4-$5";
}
# Observability
include "includes/request_id.conf";
### Caching
# Cache for static responses (e.g `/`)
proxy_ignore_headers X-Accel-Expires Expires Cache-Control Vary Set-Cookie;
proxy_cache_path /var/cache/nginx/static levels=1:2 keys_zone=cache_static:100m max_size=4000m use_temp_path=off;
proxy_cache_lock on;
proxy_cache_key $scheme$host$request_uri;
proxy_cache_valid 200 301 302 10s;
proxy_cache_valid 404 5s;
### Rate Limiting
limit_req_status 429;
# for custom-domain registrations
limit_req_zone global zone=rgs_global:32k rate=10r/s;
limit_req_zone $binary_remote_addr zone=rgs_per_ip:1m rate=1r/s;
root /var/www/html;
# Any direct HTTPS access without correct domain name will default to returning a 404.
server {
listen 443 ssl reuseport;
listen [::]:443 ssl ipv6only=on reuseport; # setting ipv6only=on once turns it on for all instances on that port
server_name _;
return 404;
}
# Any direct HTTP traffic will be redirected to HTTPS via 301.
server {
listen 80 reuseport;
listen [::]:80 ipv6only=on reuseport; # setting ipv6only=on once turns it on for all instances on that port
server_name _;
return 301 https://$host$request_uri;
}