showcase/aries/nginx/nginx.conf

user www www;

worker_processes 4; # one per CPU core
worker_priority 15;

events {
        worker_connections 512;
        accept_mutex on;
}


http {
        # timeouts
        client_body_timeout 3s;
        client_header_timeout 3s;
        keepalive_timeout 75s;
        send_timeout 9s;

        # general
        charset utf-8;
        client_max_body_size 512M;
        default_type application/octet-stream;
        gzip off;
        gzip_static on;
        gzip_proxied any;
        ignore_invalid_headers on;
        include mime.types;
        keepalive_requests 50;
        keepalive_disable none;
        max_ranges 0;
        msie_padding off;
        open_file_cache max=1000 inactive=2h;
        open_file_cache_errors on;
        open_file_cache_min_uses 1;
        open_file_cache_valid 1h;
        output_buffers 1 512;
        postpone_output 1460;
        read_ahead 512K;
        recursive_error_pages on;
        reset_timedout_connection on;
        sendfile on;
        server_tokens off;
        server_name_in_redirect off;
        source_charset utf-8;
        tcp_nodelay on;
        tcp_nopush off;

        # log format
        #log_format main <INCOMPLETE>

        # proxy settings
        proxy_max_temp_file_size 0;
        proxy_connect_timeout 900;
        proxy_send_timeout 900;
        proxy_read_timeout 900;
        proxy_buffer_size 4k;
        proxy_buffers 4 32k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 64k;
        proxy_intercept_errors on;

        # no cache configured currently...
        #proxy_cache_path /disk01/web_cache levels=1:2 keys_zone=webcache:10m inactive=1d max_size=2000m;
        #proxy_temp_path /disk01/web_cache/tmp;
        #proxy_cache_min_uses 5;

        # limit requests to 250/min. over that will get 503
        limit_req_zone $binary_remote_addr zone=gulag:10m rate=250r/m;

#       # define internal IPs here
#       geo $internal_network {
#               default 0;
#               192.168.0.0/24 1;
#       }

        # backend web servers. backup directive indicates hot failover
#       upstream backend_web_servers {
#               server 192.168.0.26 max_fails=250 fail_timeout=180s;
#               server 192.168.0.27 max_fails=250 fail_timeout=180s;
#               server 192.168.0.28 backup;
#       }

        # clients (ie. scanners) looking for servers via IP get error page
        server {
                add_header Cache-Control "public";
#               add_header X-Frame-Options "DENY";
                access_log /var/log/nginx/access.log; #main buffer=32k;
                error_log /var/log/nginx/error.log error;
                expires 30d;
                listen 80;
                server_name "";

                error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 495 496 497 500 501 502 503 504 505 506 507 /error_page.html;
                location /error_page_generic.html {
                        internal;
                }
        }

        # only expose Calibre as non-HTTPS
        server {
                add_header Cache-Control "public";
                access_log /var/log/nginx/access.log; #main buffer=32k;
                error_log /var/log/nginx/error.log error;
                expires max;
                limit_req zone=gulag burst=200 nodelay;
                listen 8080;
                server_name books.secmayl.com;
                root /var/empty;

                location ~ /get/(thumb|cover) {
                        #proxy_redirect off;
                        proxy_set_header Host books.secmayl.com;
                        proxy_set_header X-Forwarded-Host $http_host;
                        proxy_set_header X-Real-IP $remote_addr;
                        proxy_pass "http://192.168.0.20:8080$request_uri";

                        proxy_connect_timeout 300;
                        proxy_send_timeout 300;
                        proxy_read_timeout 300;
                        send_timeout 300;
                }

                location / {
                        #proxy_redirect off;
                        proxy_set_header Host books.secmayl.com;
                        proxy_set_header X-Forwarded-Host $http_host;
                        proxy_set_header X-Real-IP $remote_addr;
                        proxy_pass "http://192.168.0.20:8080$request_uri";

                        auth_basic "Restricted Access";
                        auth_basic_user_file /usr/home/chucklz/certs/reporting.users;

                        proxy_connect_timeout 300;
                        proxy_send_timeout 300;
                        proxy_read_timeout 300;
                        send_timeout 300;
                }
        }

        # redirect HTTP to HTTPS
        server {
                add_header Cache-Control "public";
                access_log /var/log/nginx/access.log; #main buffer=32k;
                error_log /var/log/nginx/error.log error;
                expires max;
                limit_req zone=gulag burst=200 nodelay;
                listen 80;
                server_name *.secmayl.com *.manios.ca;
                root /var/empty;
                return 301 https://$host$request_uri;
        }

        # import client config files. the idea here is to clone configs for easy addition
        include conf.d/*.conf;
}