user www www; worker_processes 4; # one per CPU core worker_priority 15; events { worker_connections 512; accept_mutex on; } http { # timeouts client_body_timeout 3s; client_header_timeout 3s; keepalive_timeout 75s; send_timeout 9s; # general charset utf-8; client_max_body_size 512M; default_type application/octet-stream; gzip off; gzip_static on; gzip_proxied any; ignore_invalid_headers on; include mime.types; keepalive_requests 50; keepalive_disable none; max_ranges 0; msie_padding off; open_file_cache max=1000 inactive=2h; open_file_cache_errors on; open_file_cache_min_uses 1; open_file_cache_valid 1h; output_buffers 1 512; postpone_output 1460; read_ahead 512K; recursive_error_pages on; reset_timedout_connection on; sendfile on; server_tokens off; server_name_in_redirect off; source_charset utf-8; tcp_nodelay on; tcp_nopush off; # log format #log_format main # proxy settings proxy_max_temp_file_size 0; proxy_connect_timeout 900; proxy_send_timeout 900; proxy_read_timeout 900; proxy_buffer_size 4k; proxy_buffers 4 32k; proxy_busy_buffers_size 64k; proxy_temp_file_write_size 64k; proxy_intercept_errors on; # no cache configured currently... #proxy_cache_path /disk01/web_cache levels=1:2 keys_zone=webcache:10m inactive=1d max_size=2000m; #proxy_temp_path /disk01/web_cache/tmp; #proxy_cache_min_uses 5; # limit requests to 250/min. over that will get 503 limit_req_zone $binary_remote_addr zone=gulag:10m rate=250r/m; # # define internal IPs here # geo $internal_network { # default 0; # 192.168.0.0/24 1; # } # backend web servers. backup directive indicates hot failover # upstream backend_web_servers { # server 192.168.0.26 max_fails=250 fail_timeout=180s; # server 192.168.0.27 max_fails=250 fail_timeout=180s; # server 192.168.0.28 backup; # } # clients (ie. scanners) looking for servers via IP get error page server { add_header Cache-Control "public"; # add_header X-Frame-Options "DENY"; access_log /var/log/nginx/access.log; #main buffer=32k; error_log /var/log/nginx/error.log error; expires 30d; listen 80; server_name ""; error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 495 496 497 500 501 502 503 504 505 506 507 /error_page.html; location /error_page_generic.html { internal; } } # only expose Calibre as non-HTTPS server { add_header Cache-Control "public"; access_log /var/log/nginx/access.log; #main buffer=32k; error_log /var/log/nginx/error.log error; expires max; limit_req zone=gulag burst=200 nodelay; listen 8080; server_name books.secmayl.com; root /var/empty; location ~ /get/(thumb|cover) { #proxy_redirect off; proxy_set_header Host books.secmayl.com; proxy_set_header X-Forwarded-Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_pass "http://192.168.0.20:8080$request_uri"; proxy_connect_timeout 300; proxy_send_timeout 300; proxy_read_timeout 300; send_timeout 300; } location / { #proxy_redirect off; proxy_set_header Host books.secmayl.com; proxy_set_header X-Forwarded-Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_pass "http://192.168.0.20:8080$request_uri"; auth_basic "Restricted Access"; auth_basic_user_file /usr/home/chucklz/certs/reporting.users; proxy_connect_timeout 300; proxy_send_timeout 300; proxy_read_timeout 300; send_timeout 300; } } # redirect HTTP to HTTPS server { add_header Cache-Control "public"; access_log /var/log/nginx/access.log; #main buffer=32k; error_log /var/log/nginx/error.log error; expires max; limit_req zone=gulag burst=200 nodelay; listen 80; server_name *.secmayl.com *.manios.ca; root /var/empty; return 301 https://$host$request_uri; } # import client config files. the idea here is to clone configs for easy addition include conf.d/*.conf; }