nginx configuration

nginx init srcript

#!/bin/bash
#
# nginx - this script starts and stops the nginx daemon
#
# chkconfig:   - 85 15
# description:  NGINX is an HTTP(S) server, HTTP(S) reverse \
#               proxy and IMAP/POP3 proxy server
# processname: nginx
# config:      /etc/nginx/nginx.conf
# config:      /etc/sysconfig/nginx
# pidfile:     /var/run/nginx.pid

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "$NETWORKING" = "no" ] && exit 0

nginx="/usr/sbin/nginx"
prog=$(basename $nginx)

NGINX_CONF_FILE="/etc/nginx/nginx.conf"

[ -f /etc/sysconfig/nginx ] && . /etc/sysconfig/nginx

lockfile=/var/lock/subsys/nginx

make_dirs() {
   # make required directories
   user=`$nginx -V 2>&1 | grep "configure arguments:.*--user=" | sed 's/[^*]*--user=\([^ ]*\).*/\1/g' -`
   if [ -n "$user" ]; then
      if [ -z "`grep $user /etc/passwd`" ]; then
         useradd -M -s /bin/nologin $user
      fi
      options=`$nginx -V 2>&1 | grep 'configure arguments:'`
      for opt in $options; do
          if [ `echo $opt | grep '.*-temp-path'` ]; then
              value=`echo $opt | cut -d "=" -f 2`
              if [ ! -d "$value" ]; then
                  # echo "creating" $value
                  mkdir -p $value && chown -R $user $value
              fi
          fi
       done
    fi
}

start() {
    [ -x $nginx ] || exit 5
    [ -f $NGINX_CONF_FILE ] || exit 6
    make_dirs
    echo -n $"Starting $prog: "
    daemon $nginx -c $NGINX_CONF_FILE
    retval=$?
    echo
    [ $retval -eq 0 ] && touch $lockfile
    return $retval
}

stop() {
    echo -n $"Stopping $prog: "
    killproc $prog -QUIT
    retval=$?
    echo
    [ $retval -eq 0 ] && rm -f $lockfile
    return $retval
}

restart() {
    configtest || return $?
    stop
    sleep 1
    start
}

reload() {
    configtest || return $?
    echo -n $"Reloading $prog: "
    killproc $nginx -HUP
    RETVAL=$?
    echo
}

force_reload() {
    restart
}

configtest() {
  $nginx -t -c $NGINX_CONF_FILE
}

rh_status() {
    status $prog
}

rh_status_q() {
    rh_status >/dev/null 2>&1
}

case "$1" in
    start)
        rh_status_q && exit 0
        $1
        ;;
    stop)
        rh_status_q || exit 0
        $1
        ;;
    restart|configtest)
        $1
        ;;
    reload)
        rh_status_q || exit 7
        $1
        ;;
    force-reload)
        force_reload
        ;;
    status)
        rh_status
        ;;
    condrestart|try-restart)
        rh_status_q || exit 0
            ;;
    *)
        echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|configtest}"
        exit 2
esac

nginx.conf

user  nobody;
worker_processes  4;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;

events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;


	upstream cluster {

		# simple round-robin
		ip_hash;
		server ip1:443;
		server ip2:443;
		

		#check interval=5000 rise=1 fall=3 timeout=4000;

		check interval=3000 rise=2 fall=5 timeout=1000 type=ssl_hello port=443;

		#check interval=3000 rise=2 fall=5 timeout=1000 type=http;
		#check_http_send "HEAD / HTTP/1.0\r\n\r\n";
		#check_http_expect_alive http_2xx http_3xx;
	}


    server {
        listen 80;
        listen  443 ssl;
        server_name yourdomain.cn;

        ssl_protocols  TLSv1.2 TLSv1.1 TLSv1;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
        keepalive_timeout    70;
        ssl_session_cache    shared:SSL:10m;
        ssl_session_timeout  10m;
        ssl_certificate  /etc/nginx/ssl/your.crt;
        ssl_certificate_key /etc/nginx/ssl/your.key;

        if ($http_user_agent ~ YisouSpider) {
                return 403;
        }
		
		
        if ($scheme = 'http') {
                rewrite ^ https://$http_host$request_uri? permanent;
        }

         location  / {
			proxy_set_header Host $host;
			proxy_set_header X-Forwarded-Proto $scheme;
			proxy_set_header X-Real-IP $remote_addr;
			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

			add_header Cache-Control "no-cache, no-store";
			add_header Powered-By-CacheServer "MISS from xxx-1-3h3.6";
			add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

			proxy_pass https://cluster;
        }
		
        location /xxx/ {
			proxy_set_header Host $host;
			proxy_set_header X-Forwarded-Proto $scheme;
			proxy_set_header X-Real-IP $remote_addr;
			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

			add_header Cache-Control "no-cache, no-store";
			add_header Powered-By-CacheServer "MISS from NJCIT-1-3h3.6";
			add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

			proxy_pass https://cluster;
			allow ip1;
			deny all;
		}

		location  ~* \.(png|jpg|jpeg|gif|ico|js|css|swf)$ {
			root /opt/ids;
		}
		
		location /status {
			check_status;
			access_log   off;
			allow ip;
			deny all;
        }

        error_page   404 403 500 502 503 504   /404.html;
        location = /404.html {
            root   html;
        }

    }


}