#Copyright 2013 Yuvi Panda <yuvipanda@gmail.com>
#
#Licensed under the Apache License, Version 2.0 (the "License");
#you may not use this file except in compliance with the License.
#You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
#Unless required by applicable law or agreed to in writing, software
#distributed under the License is distributed on an "AS IS" BASIS,
#WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#See the License for the specific language governing permissions and
#limitations under the License.
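lua_package_path "/etc/nginx/lua/?.lua";

# Translate the client's Upgrade header into the Connection value that is
# forwarded to the backend, so WebSocket upgrades survive the proxy hop.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

<%- if !@notfound_servers.empty? -%>
# Backends that render the 404 page when no vhost matches.
upstream notfound {
<%- @notfound_servers.each do |server| -%>
    server <%= server %>;
<%- end -%>
}
<%- end -%>

server {
    # NOTE(review): 'resolver' is the only template variable referenced without
    # the '@' prefix used everywhere else in this file — confirm it is in scope
    # when the template renders.
    resolver <%= resolver %>;
    listen 80;
<%- if @ssl_certificate_name != false -%>
    # Serve both HTTP and HTTPS
    # NOTE(review): the 'spdy' listen parameter was removed in later nginx
    # releases in favour of http2 — confirm the deployed version still accepts it.
    listen 443 default_server ssl spdy;
    ssl_certificate     /etc/ssl/certs/<%= @ssl_certificate_name %>.chained.pem;
    ssl_certificate_key /etc/ssl/private/<%= @ssl_certificate_name %>.key;
    # Copied from templates/nginx/nginx.conf.erb. Eugh
    # Enable a shared cache, since it is defined at this level
    # it will be used for all virtual hosts. 1m = 4000 active sessions,
    # so we are allowing 200,000 active sessions.
    ssl_session_cache shared:SSL:50m;
    # SSLv2 and SSLv3 are both broken (SSLv3 is exposed to padding-oracle
    # downgrade attacks); offer TLS only.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # Limit ciphers allowed. RC4 has been dropped: its keystream biases make it
    # unsuitable, and it is no longer an acceptable BEAST workaround.
    ssl_ciphers AES128-GCM-SHA256:AES128-SHA:AES256-SHA;
    # Prefer server ciphers so the AEAD (GCM) suite wins whenever the client offers it
    ssl_prefer_server_ciphers on;
<%- end -%>

    # Some projects have tools that take data in and process them
    # for a long time. While ideally they should be made async, this
    # is an interim solution that works for now.
    proxy_read_timeout 600s;

    # People upload large files, and that is okay.
    # We can make this larger if need be.
    client_max_body_size 128m;

<%- if !@notfound_servers.empty? -%>
    # Hand any 404 off to the notfound backends instead of nginx's own page.
    location @notfound {
        proxy_pass http://notfound;
    }
    error_page 404 = @notfound;
<%- end -%>

    location / {
        # $backend and $vhost start empty and are expected to be filled in by
        # domainproxy.lua below; if the Lua phase leaves $backend empty the
        # proxy_pass cannot resolve a target and the request fails.
        set $backend '';
        set $vhost '';
        access_by_lua_file /etc/nginx/lua/domainproxy.lua;
        proxy_pass $backend;
        proxy_set_header Host $vhost;
        proxy_set_header X-Forwarded-Proto $scheme;
        # HTTP/1.1 plus the mapped Upgrade/Connection pair is what lets
        # WebSocket traffic pass through to the backend.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
<%- if @set_xff -%>
        # Passes client's IP to the backend. $remote_addr (not
        # $proxy_add_x_forwarded_for) is used deliberately: any X-Forwarded-For
        # the client sent is replaced, so the backend only ever sees the
        # address nginx actually accepted the connection from.
        proxy_set_header X-Forwarded-For $remote_addr;
<%- end -%>
    }

    # GZIP (ALMOST) ALL THE THINGS!
    # NOTE(review): compression also applies to responses served over TLS;
    # if a backend reflects user input next to secrets in the same response,
    # consider narrowing gzip_types for it — confirm per backend.
    gzip on;
    gzip_proxied any;
    gzip_types text/plain text/css text/xml application/json application/javascript application/x-javascript;
}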