From 7e620033b444e0fe84fafd17be9804ca12bbecbd Mon Sep 17 00:00:00 2001
From: nicholasmanios
Date: Wed, 18 Mar 2020 19:12:22 -0400
Subject: [PATCH] Added nginx.conf
---
 aries/anginx/nginx.conf | 155 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 155 insertions(+)
 create mode 100644 aries/anginx/nginx.conf
diff --git a/aries/anginx/nginx.conf b/aries/anginx/nginx.conf
new file mode 100644
index 0000000..6d2544c
--- /dev/null
+++ b/aries/anginx/nginx.conf
@@ -0,0 +1,155 @@
+user www www;
+
+worker_processes 4; # one per CPU core
+worker_priority 15;
+
+events {
+ worker_connections 512;
+ accept_mutex on;
+}
+
+
+http {
+ # timeouts
+ client_body_timeout 3s;
+ client_header_timeout 3s;
+ keepalive_timeout 75s;
+ send_timeout 9s;
+
+ # general
+ charset utf-8;
+ client_max_body_size 512M;
+ default_type application/octet-stream;
+ gzip off;
+ gzip_static on;
+ gzip_proxied any;
+ ignore_invalid_headers on;
+ include mime.types;
+ keepalive_requests 50;
+ keepalive_disable none;
+ max_ranges 0;
+ msie_padding off;
+ open_file_cache max=1000 inactive=2h;
+ open_file_cache_errors on;
+ open_file_cache_min_uses 1;
+ open_file_cache_valid 1h;
+ output_buffers 1 512;
+ postpone_output 1460;
+ read_ahead 512K;
+ recursive_error_pages on;
+ reset_timedout_connection on;
+ sendfile on;
+ server_tokens off;
+ server_name_in_redirect off;
+ source_charset utf-8;
+ tcp_nodelay on;
+ tcp_nopush off;
+
+ # log format
+ #log_format main
+
+ # proxy settings
+ proxy_max_temp_file_size 0;
+ proxy_connect_timeout 900;
+ proxy_send_timeout 900;
+ proxy_read_timeout 900;
+ proxy_buffer_size 4k;
+ proxy_buffers 4 32k;
+ proxy_busy_buffers_size 64k;
+ proxy_temp_file_write_size 64k;
+ proxy_intercept_errors on;
+
+ # no cache configured currently...
+ #proxy_cache_path /disk01/web_cache levels=1:2 keys_zone=webcache:10m inactive=1d max_size=2000m;
+ #proxy_temp_path /disk01/web_cache/tmp;
+ #proxy_cache_min_uses 5;
+
+ # limit requests to 250/min. over that will get 503
+ limit_req_zone $binary_remote_addr zone=gulag:10m rate=250r/m;
+
+# # define internal IPs here
+# geo $internal_network {
+# default 0;
+# 192.168.0.0/24 1;
+# }
+
+ # backend web servers. backup directive indicates hot failover
+# upstream backend_web_servers {
+# server 192.168.0.26 max_fails=250 fail_timeout=180s;
+# server 192.168.0.27 max_fails=250 fail_timeout=180s;
+# server 192.168.0.28 backup;
+# }
+
+ # clients (ie. scanners) looking for servers via IP get error page
+ server {
+ add_header Cache-Control "public";
+# add_header X-Frame-Options "DENY";
+ access_log /var/log/nginx/access.log; #main buffer=32k;
+ error_log /var/log/nginx/error.log error;
+ expires 30d;
+ listen 80;
+ server_name "";
+
+ error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 495 496 497 500 501 502 503 504 505 506 507 /error_page.html;
+ location /error_page_generic.html {
+ internal;
+ }
+ }
+
+ # only expose Calibre as non-HTTPS
+ server {
+ add_header Cache-Control "public";
+ access_log /var/log/nginx/access.log; #main buffer=32k;
+ error_log /var/log/nginx/error.log error;
+ expires max;
+ limit_req zone=gulag burst=200 nodelay;
+ listen 8080;
+ server_name books.secmayl.com;
+ root /var/empty;
+
+ location ~ /get/(thumb|cover) {
+ #proxy_redirect off;
+ proxy_set_header Host books.secmayl.com;
+ proxy_set_header X-Forwarded-Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_pass "http://192.168.0.20:8080$request_uri";
+
+ proxy_connect_timeout 300;
+ proxy_send_timeout 300;
+ proxy_read_timeout 300;
+ send_timeout 300;
+ }
+
+ location / {
+ #proxy_redirect off;
+ proxy_set_header Host books.secmayl.com;
+ proxy_set_header X-Forwarded-Host $http_host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_pass "http://192.168.0.20:8080$request_uri";
+
+ auth_basic "Restricted Access";
+ auth_basic_user_file /usr/home/chucklz/certs/reporting.users;
+
+ proxy_connect_timeout 300;
+ proxy_send_timeout 300;
+ proxy_read_timeout 300;
+ send_timeout 300;
+ }
+ }
+
+ # redirect HTTP to HTTPS
+ server {
+ add_header Cache-Control "public";
+ access_log /var/log/nginx/access.log; #main buffer=32k;
+ error_log /var/log/nginx/error.log error;
+ expires max;
+ limit_req zone=gulag burst=200 nodelay;
+ listen 80;
+ server_name *.secmayl.com *.manios.ca;
+ root /var/empty;
+ return 301 https://$host$request_uri;
+ }
+
+ # import client config files. the idea here is to clone configs for easy addition
+ include conf.d/*.conf;
+}
\ No newline at end of file
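Review bot: In the port-8080 Calibre server, `location /` requires `auth_basic` yet inherits `add_header Cache-Control "public"` and `expires max` from the server block, and `public` is precisely the token that permits a shared cache to store a response to a request carrying an Authorization header and replay it to other clients, authenticated or not; in `location /` add `expires off;` and `add_header Cache-Control "no-store";` (a location-level `add_header` replaces the server-level one rather than adding to it). Because that listener is deliberately plain HTTP (per the "only expose Calibre as non-HTTPS" comment), the Basic credentials checked against `/usr/home/chucklz/certs/reporting.users` also cross the wire in cleartext on every request, which the comment should say outright, or the vhost should move behind TLS in one of the `conf.d` files. The unauthenticated `location ~ /get/(thumb|cover)` is an unanchored regex, so any normalized URI containing that substring (e.g. `/admin/get/thumb`) skips the auth check whether or not Calibre routes it anywhere sensitive; anchor it as `location ~ ^/get/(thumb|cover)`. In the catch-all server, `error_page` points at `/error_page.html` while the `internal` location is `/error_page_generic.html`, so one of the two names is wrong and, with no `root` set in that server, the custom page is looked up under the default html directory if at all.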