## filename: nginx.conf
## this is the current running configuration as of 20160704
## old config as of 20160714
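user nginx;
worker_processes 10;
error_log /var/log/nginx/error.log;
#error_log /var/log/nginx/error.log notice;
#error_log /var/log/nginx/error.log info;
pid /run/nginx.pid;
events {
    worker_connections 10240;
}
# Per-worker open-file limit. worker_connections counts every connection a
# worker holds, including the ones to proxied upstreams, and each needs a
# descriptor, so this limit must not be below worker_connections (10240).
# The previous value of 10000 was lower than that; the new value leaves
# headroom for log files and listen sockets.
worker_rlimit_nofile 20480;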
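http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;

    sendfile on;
    #tcp_nopush on;
    #keepalive_timeout 0;
    keepalive_timeout 65;
    client_max_body_size 128M;

    # Proxy defaults for every server below. A location that sets its own
    # proxy_set_header does not inherit these (nginx replaces the whole set),
    # which is why the rtapi locations repeat them.
    proxy_buffering off;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Scheme $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_http_version 1.1;
    ## updated as per JB recommendation, Ed - 20151208
    #proxy_read_timeout 22200s;
    #proxy_send_timeout 22200s;
    proxy_read_timeout 300s;
    proxy_send_timeout 300s;
    #gzip on;
    index index.html index.htm;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    # Catch-all server for requests whose Host matches no other server_name.
    server {
        listen 80 default_server;
        server_name localhost;
        root /usr/share/nginx/html;
        #charset koi8-r;
        #access_log /var/log/nginx/host.access.log main;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        # redirect server error pages to the static page /40x.html
        #
        error_page 404 /404.html;
        location = /40x.html {
        }

        # redirect server error pages to the static page /50x.html
        #
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }

    # Plaintext front end for rtapi. The HSTS header sent by the TLS server
    # below only steers browsers that have already completed one HTTPS visit;
    # this listener still serves the application over HTTP.
    server {
        listen 80;
        server_name rtapi.zenoradio.com;

        location / {
            proxy_pass http://rtapi;
            # WebSocket upgrade; Upgrade/Connection are hop-by-hop and must be
            # re-added explicitly. proxy_http_version 1.1 is inherited from http{}.
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Scheme $scheme;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
        }
    }

    # TLS front end for rtapi.
    server {
        # 'ssl' on the listen socket replaces the deprecated 'ssl on;' directive.
        listen 443 ssl;
        server_name rtapi.zenoradio.com;

        # http://www.selfsignedcertificate.com/ is useful for development testing
        #ssl_certificate /etc/nginx/ssl/zenoradio.wildcard.2.crt;
        ssl_certificate /etc/nginx/ssl/bundled.star.zenoradio.com;
        #ssl_certificate /etc/nginx/ssl/ssl-test-ed4.crt;
        #ssl_certificate /etc/nginx/ssl/AddTrustExternalCARoot.crt;
        #ssl_certificate /etc/nginx/ssl/zenoradio.wildcard.crt;
        #ssl_certificate_key /etc/nginx/ssl/star_zenoradio_com.key;
        ssl_certificate_key /etc/nginx/ssl/zenoradio.wildcard.key;

        # From https://bettercrypto.org/static/applied-crypto-hardening.pdf
        ssl_prefer_server_ciphers on;
        # TLS 1.0 and 1.1 are deprecated (RFC 8996). The earlier note here,
        # "not possible to do exclusive", suggests some client once needed
        # them; confirm no such clients remain before deploying this line.
        ssl_protocols TLSv1.2;
        # Forward-secret AEAD suites only. The previous list
        # ('ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW') ranked RC4
        # first and still admitted LOW-strength ciphers. DHE suites are left
        # out because no ssl_dhparam is configured.
        #ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
        ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';

        add_header Strict-Transport-Security max-age=15768000; # six months
        # use this only if all subdomains support HTTPS!
        # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains"

        keepalive_timeout 70;

        location / {
            proxy_pass http://rtapi;
            # WebSocket upgrade; Upgrade/Connection are hop-by-hop and must be
            # re-added explicitly. proxy_http_version 1.1 is inherited from http{}.
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Scheme $scheme;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
        }
    }
}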
## filename: nginx.conf
## nginx+openresty config
## status: deployed as of 201607012
# Master/worker identity and process layout.
user openresty;
worker_processes 10;
# Equal to worker_connections below; every connection a worker holds
# (client and upstream side) consumes one descriptor.
worker_rlimit_nofile 10240;
error_log /var/log/nginx/error.log info;
pid /run/nginx.pid;

events {
    ## use epoll and multi_accept added by Ed
    use epoll;
    multi_accept on;
    worker_connections 10240;
}
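http {
    # NOTE(review): require "resty.upstream.healthcheck" maps to
    # resty/upstream/healthcheck.lua, which the explicit entry below would
    # look for under lualib/resty/resty/...; the module is presumably found
    # via the default path appended by ';;' and the explicit entry looks
    # redundant — confirm.
    lua_package_path "/usr/local/openresty/lualib/resty/?.lua;;";

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_requests 100000;
    keepalive_timeout 70;

    client_max_body_size 128M;
    client_body_buffer_size 128k;
    client_header_buffer_size 1k;
    large_client_header_buffers 4 4k;
    output_buffers 1 32k;
    postpone_output 1460;
    reset_timedout_connection on;

    ## TBD: i moved the lines to https server{} config and extended to 14days
    #proxy_read_timeout 300s;
    #proxy_send_timeout 300s;
    # NOTE(review): the proxy locations below use 300s, not 14 days — the
    # comment above looks stale.
    ## added by - Ed
    client_header_timeout 6m;
    client_body_timeout 6m;
    send_timeout 6m;

    # Defines the 'rtapi' upstream referenced by proxy_pass below.
    include zenoradio/upstreams.conf;

    # Shared memory used by the health checker to publish peer state across
    # workers; lua_socket_log_errors off keeps failed probes out of error_log.
    lua_shared_dict healthcheck 2m;
    lua_socket_log_errors off;

    # Active health checking of the rtapi upstream. Runs once per worker;
    # the checker itself coordinates through the 'healthcheck' shm.
    init_worker_by_lua_block {
        local hc = require "resty.upstream.healthcheck"
        local ok, err = hc.spawn_checker{
            shm = "healthcheck",
            upstream = "rtapi",
            type = "http",
            http_req = "GET /api/Ping/read?data=1 HTTP/1.0\r\nHost: rtapi-lb.zenoradio.com\r\n\r\n",
            interval = 15000, -- 15secs
            timeout = 1000, -- 1sec
            fall = 4, -- 4x fail, remove from upstream
            rise = 6, -- 6x successive tests, add back to upstream
            valid_statuses = {200, 302},
            concurrency = 10,
        }
        if not ok then
            ngx.log(ngx.ERR, "failed to spawn health checker: ", err)
            return
        end
    }

    # Plaintext front end. No listen/server_name: nginx binds *:80 when the
    # master runs as root, and this is the only server on that port in this
    # file.
    server {
        location / {
            proxy_pass http://rtapi;
            ## proxy_http_version - added by Ed
            proxy_http_version 1.1;
            # WebSocket upgrade; Upgrade/Connection are hop-by-hop and must be
            # re-added explicitly.
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Scheme $scheme;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            ## TBD - added by Ed
            #proxy_connect_timeout 300s;
            proxy_send_timeout 300s;
            proxy_read_timeout 300s;
        }

        # Health-checker status page for all upstream peers. It is answered
        # by nginx itself, so it also shadows any /_zstatus path on the
        # upstream. The page lists upstream peer addresses and the worker
        # PID, so it is restricted to loopback; add monitoring hosts here
        # explicitly instead of exposing it to every client.
        location /_zstatus {
            allow 127.0.0.1;
            deny all;
            access_log off;
            default_type text/plain;
            content_by_lua_block {
                local hc = require "resty.upstream.healthcheck"
                ngx.say("Nginx Worker PID: ", ngx.worker.pid())
                ngx.print(hc.status_page())
            }
        }
    }

    # TLS front end for rtapi-lb.
    server {
        # 'ssl' on the listen socket replaces the deprecated 'ssl on;' directive.
        listen 443 ssl;
        server_name rtapi-lb.zenoradio.com;

        ssl_certificate /usr/local/openresty/nginx/conf/zenoradio/bundled.star.zenoradio.com.crt;
        ssl_certificate_key /usr/local/openresty/nginx/conf/zenoradio/zenoradio.wildcard.key;

        ssl_prefer_server_ciphers on;
        # TLS 1.0 and 1.1 are deprecated (RFC 8996); re-enable only for a
        # confirmed population of legacy clients.
        ssl_protocols TLSv1.2;
        # Forward-secret AEAD suites only. The previous list
        # ('ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW') ranked RC4
        # first and still admitted LOW-strength ciphers. DHE suites are left
        # out because no ssl_dhparam is configured.
        ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';

        # Six months. Inherited by the locations below because none of them
        # sets its own add_header.
        add_header Strict-Transport-Security max-age=15768000;

        location / {
            proxy_pass http://rtapi;
            ## proxy_http_version - added by Ed
            proxy_http_version 1.1;
            ## from production
            # WebSocket upgrade; Upgrade/Connection are hop-by-hop and must be
            # re-added explicitly.
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Scheme $scheme;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            ## TBD - added by Ed
            #proxy_connect_timeout 300s;
            proxy_send_timeout 300s;
            proxy_read_timeout 300s;
        }

        # Same status page as on the plaintext server; same loopback-only
        # restriction, for the same reason.
        location /_zstatus {
            allow 127.0.0.1;
            deny all;
            access_log off;
            default_type text/plain;
            content_by_lua_block {
                local hc = require "resty.upstream.healthcheck"
                ngx.say("Nginx Worker PID: ", ngx.worker.pid())
                ngx.print(hc.status_page())
            }
        }
    }
}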