
Edel SM nginx configurations

Created by Edelberto Mania last modified
## filename: nginx.conf
## this is the current running configuration as of 20160704
## old config as of 20160714

# Worker processes run as this (unprivileged) account.
user  nginx;
# Fixed worker count for this host ("auto" would size it to the CPU count instead).
worker_processes  10;

# Default error log at nginx's default severity; the commented variants
# below raise verbosity when debugging.
error_log  /var/log/nginx/error.log;
#error_log  /var/log/nginx/error.log  notice;
#error_log  /var/log/nginx/error.log  info;

pid        /run/nginx.pid;


events {
    # Maximum simultaneous connections per worker process (clients plus
    # upstream connections); the per-process descriptor limit must cover it.
    worker_connections  10240;
}

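# Per-worker open file descriptor limit. The previous value (10000) was below
# worker_connections (10240), which nginx reports at startup as the connection
# count exceeding the open file resource limit and effectively caps the worker
# below its configured connections. Each proxied connection needs two
# descriptors (client side + upstream side), so allow twice worker_connections.
worker_rlimit_nofile 20480;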

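http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    # Do not advertise the nginx version in the Server header or on error pages.
    server_tokens off;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;
    client_max_body_size 128M;

    # Only WebSocket handshakes carry "Connection: upgrade" to the upstream;
    # ordinary requests get "Connection: close" (nginx's documented WebSocket
    # proxying pattern). The proxy locations below reference $connection_upgrade.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    # Proxy defaults. nginx inherits proxy_set_header from this level only into
    # locations that define NO proxy_set_header of their own, which is why the
    # API locations below repeat the X-* headers.
    proxy_buffering    off;
    proxy_set_header   X-Real-IP $remote_addr;
    proxy_set_header   X-Scheme $scheme;
    proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header   Host $http_host;
    proxy_http_version 1.1;

    ## updated as per JB recommendation, Ed - 20151208
    #proxy_read_timeout 22200s;
    #proxy_send_timeout 22200s;
    proxy_read_timeout 300s;
    proxy_send_timeout 300s;

    #gzip  on;

    index   index.html index.htm;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    # TLS session resumption cache shared by all workers, so reconnecting
    # clients of the HTTPS vhost below do not pay for a full handshake.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;

    # Catch-all vhost: static files only, served for any Host header that no
    # other server block claims.
    server {
        listen       80 default_server;
        server_name  localhost;
        root         /usr/share/nginx/html;

        #charset koi8-r;

        #access_log  /var/log/nginx/host.access.log  main;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        # redirect server error pages to the static page /40x.html
        #
        error_page  404              /404.html;
        location = /40x.html {
        }

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
        }
    }

    # Plain-HTTP front for the rtapi upstream.
    # NOTE(review): this serves the same API as the HTTPS vhost below, so the
    # HSTS header sent there does not protect clients that start on port 80;
    # a redirect to https is the usual next step once every API client can
    # follow it.
    server {
        listen       80;
        server_name  rtapi.zenoradio.com;

        location / {
            proxy_pass http://rtapi;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Scheme $scheme;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
        }
    }

    # HTTPS front for the rtapi upstream. TLS terminates here; the hop to the
    # upstream is plain HTTP.
    server {
        # "listen ... ssl" replaces the deprecated "ssl on;" directive.
        listen       443 ssl;
        server_name  rtapi.zenoradio.com;

        # Wildcard certificate bundle and key for *.zenoradio.com.
        # (Commented-out alternative certificate/key paths from earlier
        # iterations were dropped here; see the snippet history if needed.)
        # http://www.selfsignedcertificate.com/ is useful for development testing
        ssl_certificate      /etc/nginx/ssl/bundled.star.zenoradio.com;
        ssl_certificate_key  /etc/nginx/ssl/zenoradio.wildcard.key;

        # From https://bettercrypto.org/static/applied-crypto-hardening.pdf
        ssl_prefer_server_ciphers on;
        # NOTE(review): TLSv1 and TLSv1.1 were previously enabled with a note
        # that an exclusive setting was "not possible"; confirm no remaining
        # client needs them before deploying this line.
        ssl_protocols TLSv1.2;
        # The previous list ('ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW')
        # enabled RC4 and OpenSSL's LOW/MEDIUM classes. This one is limited to
        # ECDHE (forward-secret) AES suites; DHE suites are left out on purpose
        # because no ssl_dhparam is configured.
        ssl_ciphers 'EECDH+AESGCM:EECDH+AES256:EECDH+AES128:!aNULL:!eNULL:!MD5:!RC4:!3DES:!EXPORT';

        # HSTS, six months. "always" makes nginx emit the header on error
        # responses too (plain add_header only applies to 2xx/3xx).
        add_header Strict-Transport-Security "max-age=15768000" always;
        # use this only if all subdomains support HTTPS!
        # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;

        keepalive_timeout    70;

        location / {
            proxy_pass  http://rtapi;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Scheme $scheme;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
        }
    }
}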
## filename: nginx.conf
## nginx+openresty config
## status: deployed as of 201607012

# Worker processes run as this (unprivileged) account.
user openresty;
# Fixed worker count for this host ("auto" would size it to the CPU count instead).
worker_processes 10;
# Per-worker descriptor limit; matches worker_connections in events{} below.
worker_rlimit_nofile 10240;
# "info" severity: noisier than the default, useful while the health checker
# and upstream pool are being tuned.
error_log /var/log/nginx/error.log info;
pid /run/nginx.pid;

events {
    ## use epoll and multi_accept added by Ed
    # epoll is the Linux connection-processing method; multi_accept lets a
    # worker accept every pending connection at once instead of one per wake-up.
    use epoll;
    multi_accept on;

    # Maximum simultaneous connections per worker (clients plus upstreams).
    worker_connections 10240;
}

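http {
    # Search path for the lua-resty libraries used by the health checker below.
    lua_package_path "/usr/local/openresty/lualib/resty/?.lua;;";

    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    # Do not advertise the server version in the Server header or on error pages.
    server_tokens off;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_requests 100000;
    keepalive_timeout    70;

    client_max_body_size 128M;
    client_body_buffer_size 128k;
    client_header_buffer_size 1k;
    large_client_header_buffers 4 4k;
    output_buffers 1 32k;
    postpone_output 1460;

    reset_timedout_connection on;

    ## TBD: i moved the lines to https server{} config and extended to 14days
    #proxy_read_timeout 300s;
    #proxy_send_timeout 300s;

    ## added by - Ed
    # NOTE(review): six-minute client timeouts let a slow client hold a worker
    # connection for a long time; reset_timedout_connection above frees the
    # socket when they expire, but the values are a tolerance-vs-DoS trade-off.
    client_header_timeout  6m;
    client_body_timeout    6m;
    send_timeout           6m;

    # Defines the "rtapi" upstream pool (with its keepalive setting).
    include zenoradio/upstreams.conf;

    # Pass "Connection: upgrade" to the upstream only for WebSocket handshakes.
    # For ordinary requests the value is the empty string, which makes nginx
    # omit the header entirely, so the upstream keepalive pool from
    # upstreams.conf can be reused (sending a literal "upgrade" or "close" on
    # every request defeats it).
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      "";
    }

    # TLS session resumption cache shared by all workers.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;

    # Shared memory for the active health checker and its status page.
    lua_shared_dict healthcheck 2m;
    lua_socket_log_errors off;

    # Active health checking of the "rtapi" pool (lua-resty-upstream-healthcheck),
    # started in every worker.
    init_worker_by_lua_block {
        local hc=require "resty.upstream.healthcheck"
        local ok, err=hc.spawn_checker{
            shm="healthcheck",
            upstream="rtapi",
            type="http",
            http_req="GET /api/Ping/read?data=1 HTTP/1.0\r\nHost: rtapi-lb.zenoradio.com\r\n\r\n",
            interval=15000,    -- 15secs
            timeout=1000,      -- 1sec
            fall=4,            -- 4x fail, remove from upstream
            rise=6,            -- 6x successive tests, add back to upstream
            valid_statuses={200,302},
            concurrency=10,
        }

        if not ok then
            ngx.log(ngx.ERR, "failed to spawn health checker: ", err)
            return
        end
    }

    # Default vhost: no listen/server_name, so nginx's default listen address
    # applies and any Host header not matched elsewhere lands here.
    server {
        location / {
            proxy_pass http://rtapi;
            ## proxy_http_version - added by Ed
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Scheme $scheme;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            ## TBD - added by Ed
            #proxy_connect_timeout 300s;
            proxy_send_timeout 300s;
            proxy_read_timeout 300s;
        }

        # status page for all the peers:
        # this will mask up the upstream uri also
        # Restricted to the local host: the page lists upstream addresses and
        # health state, which must not be readable by arbitrary clients.
        # Widen the allow list to the monitoring host(s) as needed.
        location /_zstatus {
            allow 127.0.0.1;
            deny  all;
            access_log off;
            default_type text/plain;
            content_by_lua_block {
                local hc=require "resty.upstream.healthcheck"
                ngx.say("Nginx Worker PID: ", ngx.worker.pid())
                ngx.print(hc.status_page())
            }
        }
    }

    # HTTPS front for the rtapi pool. TLS terminates here; the hop to the
    # upstream is plain HTTP.
    server {
        # "listen ... ssl" replaces the deprecated "ssl on;" directive.
        listen 443 ssl;
        server_name rtapi-lb.zenoradio.com;

        ssl_certificate /usr/local/openresty/nginx/conf/zenoradio/bundled.star.zenoradio.com.crt;
        ssl_certificate_key /usr/local/openresty/nginx/conf/zenoradio/zenoradio.wildcard.key;

        ssl_prefer_server_ciphers on;
        # NOTE(review): TLSv1 and TLSv1.1 were previously enabled; confirm no
        # remaining client needs them before deploying this line.
        ssl_protocols TLSv1.2;
        # The previous list ('ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW')
        # enabled RC4 and OpenSSL's LOW/MEDIUM classes. This one is limited to
        # ECDHE (forward-secret) AES suites; DHE suites are left out on purpose
        # because no ssl_dhparam is configured.
        ssl_ciphers 'EECDH+AESGCM:EECDH+AES256:EECDH+AES128:!aNULL:!eNULL:!MD5:!RC4:!3DES:!EXPORT';
        # HSTS, six months; "always" also sends it on error responses.
        add_header Strict-Transport-Security "max-age=15768000" always;

        location / {
            proxy_pass  http://rtapi;
            ## proxy_http_version - added by Ed
            proxy_http_version 1.1;
            ## from production
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Scheme $scheme;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            ## TBD - added by Ed
            #proxy_connect_timeout 300s;
            proxy_send_timeout 300s;
            proxy_read_timeout 300s;
        }

        # Same status page as on the default vhost, with the same restriction.
        location /_zstatus {
            allow 127.0.0.1;
            deny  all;
            access_log off;
            default_type text/plain;
            content_by_lua_block {
                local hc=require "resty.upstream.healthcheck"
                ngx.say("Nginx Worker PID: ", ngx.worker.pid())
                ngx.print(hc.status_page())
            }
        }
    }
}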


## filename: upstream.conf
## this is the current running configuration as of 20160704

# Backend pool behind "proxy_pass http://rtapi": nine application servers on
# port 9000, balanced with nginx's default round-robin and default
# max_fails/fail_timeout (no keepalive or active health check here).
upstream rtapi {
	server 172.27.8.169:9000;
	server 172.27.8.168:9000;
	server 172.27.8.167:9000;
	server 172.27.11.166:9000;
	server 172.27.11.120:9000;
	server 172.27.11.28:9000;
	server 172.27.11.27:9000;
	server 172.27.11.26:9000;
	server 172.27.11.25:9000;
}
## path/filename: zenoradio/upstreams.conf

# Backend pool behind "proxy_pass http://rtapi" for the openresty deployment.
upstream rtapi {
    # Idle upstream connections each worker keeps open for reuse.
    # NOTE(review): reuse only happens when the proxy location uses HTTP/1.1
    # and does not send a Connection header that closes the connection —
    # verify against the proxy_set_header lines in nginx.conf.
    keepalive 60;
    server 172.27.11.25:9000;
    server 172.27.11.26:9000;
    server 172.27.11.27:9000;
    server 172.27.11.28:9000;
    server 172.27.11.120:9000;
    server 172.27.11.166:9000;
    server 172.27.8.167:9000;
    # "backup" peers receive traffic only when every primary peer is unavailable.
    server 172.27.8.168:9000 backup;
    server 172.27.8.169:9000 backup;
}
## settings by Radiojar people
## Nginx loadbalancer for FluoZ

# Worker processes run as this (unprivileged) account.
user www-data;
# One worker per CPU core.
worker_processes auto;
pid /run/nginx.pid;

events {
    # Maximum simultaneous connections per worker process (Debian/Ubuntu
    # packaged default).
    worker_connections 768;
}

# Load balance TCP-based HTTP & UDP-based SIP traffic across three servers
# Load balance TCP-based HTTP & UDP-based SIP traffic across three servers
# (four backends are actually listed below; the pools are byte-level
# TCP/UDP proxies, so nothing here inspects HTTP or SIP messages).
stream {
    upstream http_upstreams {
        server fluoz-01.zenoradio.com:80;
        server fluoz-02.zenoradio.com:80;
        server fluoz-03.zenoradio.com:80;
        server fluoz-04.zenoradio.com:80;
    }

    upstream sip_upstreams {
        # Client-IP affinity: packets from one source address keep reaching
        # the same backend, which matters for stateless UDP SIP dialogs.
        hash $remote_addr;
        server fluoz-01.zenoradio.com:5060;
        server fluoz-02.zenoradio.com:5060;
        server fluoz-03.zenoradio.com:5060;
        server fluoz-04.zenoradio.com:5060;
    }

    server {
        listen 80;
        proxy_pass http_upstreams;
        # Idle time allowed between two successive reads/writes on either side
        # before the session is closed.
        proxy_timeout 5s;
        # Relative path: resolved against the nginx prefix directory.
        error_log logs/http.log;
    }

    server {
        listen 5060 udp;
        proxy_pass sip_upstreams;
        proxy_timeout 10s;
        error_log logs/sip.log;
    }

}
