-
Notifications
You must be signed in to change notification settings - Fork 8
/
encode-proxy-nginx.conf
233 lines (217 loc) · 9.3 KB
/
encode-proxy-nginx.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
user www-data;
worker_processes auto;
worker_rlimit_nofile 8192;
events {
worker_connections 2048;
}
http {
# Use upstream to support keepalive
upstream test {
server v39-test.instance.encodedcc.org;
keepalive 30;
}
upstream production {
server v39hotfix1.production.encodedcc.org;
keepalive 30;
}
resolver 127.0.0.1;
resolver_timeout 5s;
include mime.types;
client_max_body_size 500m;
default_type application/octet-stream;
keepalive_timeout 65;
proxy_buffers 8 16k;
proxy_send_timeout 5m;
proxy_read_timeout 5m;
send_timeout 5m;
merge_slashes off;
# https://wiki.mozilla.org/Security/Server_Side_TLS
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# intermediate configuration. tweak to your needs.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
log_format combined_stats '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$upstream_http_x_stats&request_time=$request_time" $host';
access_log /var/log/nginx/access.log combined_stats;
server {
listen 80;
access_log off;
location / {
if ($request_method !~ ^(GET)|(HEAD)$) {
return 405;
}
if ($http_authorization ~ .) {
return 403 "Forbidden. HTTPS required for authenticated access.";
}
return 301 https://$host$request_uri;
}
location = /_nginx_healthcheck {
add_header Content-Type text/plain;
return 200 'ok';
}
}
server {
listen 34.209.80.176:443 ssl spdy default_server;
server_name ~^(?<servername>[^.]+)\.t2depigenome\.org$;
ssl_certificate /etc/nginx/ssl/t2depigenome.org/server.chained.pem;
ssl_certificate_key /etc/nginx/ssl/t2depigenome.org/server.key;
ssl_trusted_certificate /etc/nginx/ssl/t2depigenome.org/ca.chained.pem;
add_header Strict-Transport-Security max-age=15768000; # 6 months
location = /robots.txt {
add_header Content-Type text/plain;
return 200 'User-agent: *\nDisallow: /\n';
}
location / {
# Normalize duplicate slashes
if ($request ~ ^(GET|HEAD)\s([^?]*)//(.*)\sHTTP/[0-9.]+$) {
return 301 $2/$3;
}
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass https://$servername.instance.t2depigenome.org;
proxy_http_version 1.1;
proxy_set_header Connection "";
}
location ~ ^/_proxy/(.*)$ {
internal;
proxy_buffering off;
proxy_pass $1$is_args$args;
}
}
server {
listen 34.209.80.176:443 ssl spdy default_server;
server_name test.t2depigenome.org;
ssl_certificate /etc/nginx/ssl/t2depigenome.org/server.chained.pem;
ssl_certificate_key /etc/nginx/ssl/t2depigenome.org/server.key;
ssl_trusted_certificate /etc/nginx/ssl/t2depigenome.org/ca.chained.pem;
add_header Strict-Transport-Security max-age=15768000; # 6 months
location = /robots.txt {
add_header Content-Type text/plain;
return 200 'User-agent: *\nDisallow: /\n';
}
location / {
# Normalize duplicate slashes
if ($request ~ ^(GET|HEAD)\s([^?]*)//(.*)\sHTTP/[0-9.]+$) {
return 301 $2/$3;
}
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://test;
proxy_http_version 1.1;
proxy_set_header Connection "";
}
location ~ ^/_proxy/(.*)$ {
internal;
proxy_buffering off;
proxy_pass $1$is_args$args;
}
}
server {
listen 34.209.80.176:443 ssl spdy default_server;
server_name www.t2depigenome.org;
ssl_certificate /etc/nginx/ssl/t2depigenome.org/server.chained.pem;
ssl_certificate_key /etc/nginx/ssl/t2depigenome.org/server.key;
ssl_trusted_certificate /etc/nginx/ssl/t2depigenome.org/ca.chained.pem;
add_header Strict-Transport-Security max-age=15768000; # 6 months
access_log /var/log/nginx/t2depigenome.org.log combined_stats;
location / {
# Normalize duplicate slashes
if ($request ~ ^(GET|HEAD)\s([^?]*)//(.*)\sHTTP/[0-9.]+$) {
return 301 $2/$3;
}
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass https://production;
proxy_http_version 1.1;
proxy_set_header Connection "";
}
location ~ ^/_proxy/(.*)$ {
internal;
proxy_buffering off;
proxy_pass $1$is_args$args;
}
}
server {
listen 34.209.80.176:443 ssl spdy;
server_name t2depigenome.org;
ssl_certificate /etc/nginx/ssl/t2depigenome.org/server.chained.pem;
ssl_certificate_key /etc/nginx/ssl/t2depigenome.org/server.key;
ssl_trusted_certificate /etc/nginx/ssl/t2depigenome.org/ca.chained.pem;
add_header Strict-Transport-Security max-age=15768000; # 6 months
access_log off;
location = /robots.txt {
add_header Content-Type text/plain;
return 200 'User-agent: *\nDisallow: /\n';
}
location / {
if ($request_method !~ ^(GET)|(HEAD)$) {
return 405 "Must use https://www.t2depigenome.org.";
}
return 301 https://www.t2depigenome.org$request_uri;
}
}
server {
listen 34.209.80.176:443 ssl spdy;
server_name www.t2depigenome.org t2depigenome.org;
ssl_certificate /etc/nginx/ssl/t2depigenome.org/server.chained.pem;
ssl_certificate_key /etc/nginx/ssl/t2depigenome.org/server.key;
ssl_trusted_certificate /etc/nginx/ssl/t2depigenome.org/ca.chained.pem;
add_header Strict-Transport-Security max-age=15768000; # 6 months
access_log off;
location = /robots.txt {
add_header Content-Type text/plain;
return 200 'User-agent: *\nDisallow: /\n';
}
location / {
if ($request_method !~ ^(GET)|(HEAD)$) {
return 405 "Must use https://www.t2depigenome.org.";
}
return 301 https://www.t2depigenome.org$request_uri;
}
}
server {
listen 34.209.80.176:443 ssl spdy;
server_name download.t2depigenome.org;
ssl_certificate /etc/nginx/ssl/t2depigenome.org/server.chained.pem;
ssl_certificate_key /etc/nginx/ssl/t2depigenome.org/server.key;
ssl_trusted_certificate /etc/nginx/ssl/t2depigenome.org/ca.chained.pem;
access_log /var/log/nginx/download.t2depigenome.org.log combined_stats;
location = /robots.txt {
add_header Content-Type text/plain;
return 200 'User-agent: *\nDisallow: /\n';
}
location ~ ^/(https?://(t2depi-files|t2depi-files-dev)\.s3\.amazonaws\.com(:80|:443)?/.*)$ {
proxy_buffering off;
proxy_pass $1$is_args$args;
}
}
server {
listen 80;
server_name ~^(.*ftp.*|t2depigenome.org)$;
#ssl_certificate /etc/nginx/ssl/t2depigenome.org/server.chained.pem;
#ssl_certificate_key /etc/nginx/ssl/t2depigenome.org/server.key;
#ssl_trusted_certificate /etc/nginx/ssl/t2depigenome.org/ca.chained.pem;
access_log /var/log/nginx/ftp.t2depigenome.org.log combined_stats;
location = /robots.txt {
add_header Content-Type text/plain;
return 200 'User-agent: *\nDisallow: /\n';
}
location / {
proxy_buffering off;
proxy_pass https://t2depigenome.org-ftp.s3-website-us-west-2.amazonaws.com/;
}
location ~ ^(.*)/ftp(/.*)$ {
return 301 $1$2;
}
}
}