Last active
September 27, 2015 02:51
-
-
Save Maxim-Filimonov/a187e480e454e88a4035 to your computer and use it in GitHub Desktop.
Cloud66 nginx config
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| user nginx; | |
| worker_processes {{ workers }}; | |
| error_log /var/log/nginx.log; | |
| events | |
| { | |
| worker_connections 1024; | |
| accept_mutex off; | |
| } | |
| http | |
| { | |
| gzip on; | |
| gzip_min_length 100; | |
| gzip_proxied expired no-cache no-store private auth; | |
| gzip_types text/plain application/xml text/css application/x-javascript text/javascript application/javascript; | |
| gzip_disable "MSIE [1-6]\."; | |
| server_names_hash_bucket_size 128; | |
| add_header X-Powered-By cloud66; | |
| {% if has_ha_proxy_load_balancer == true and supports_realip_module == true %} | |
| set_real_ip_from {{ load_balancer_address }}; | |
| real_ip_header X-Forwarded-For; | |
| {% endif %} | |
| tcp_nopush on; | |
| tcp_nodelay off; | |
| ssl_session_cache shared:SSL:10m; | |
| ssl_session_timeout 10m; | |
| ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |
| underscores_in_headers on; | |
| types_hash_max_size 2048; | |
| include mime.types; | |
| default_type application/octet-stream; | |
| client_max_body_size 50m; | |
| sendfile on; | |
| server_tokens off; | |
| keepalive_timeout 65; | |
| {% for service_container in service_containers %} | |
| {% for upstream in service_container.upstreams %} | |
| upstream {{ upstream.name }} | |
| { | |
| {% for private_ip in upstream.private_ips %} | |
| server {{private_ip}}:{{upstream.port.container}}; | |
| {% endfor # upstream.private_ips %} | |
| } | |
| {% endfor # service_container.upstreams %} | |
| {% endfor # service_containers %} | |
| {% for service_container in service_containers %} | |
| {% for upstream in service_container.upstreams %} | |
| {% if upstream.port.http != blank %} | |
| map $http_upgrade $connection_upgrade { | |
| default Upgrade; | |
| '' close; | |
| } | |
| server | |
| { | |
| listen {{ upstream.port.http }}; | |
| {% for ip in blacklist %} | |
| deny {{ ip }}; | |
| {% endfor %} | |
| {% if red_http_to_https == true %} | |
| {% if has_load_balancer %} | |
| if ($http_x_forwarded_proto = "http") { | |
| rewrite ^(.*) https://$host$1 permanent; | |
| } | |
| if ($http_x_forwarded_proto = "") { | |
| rewrite ^(.*) https://$host$1 permanent; | |
| } | |
| {% else %} | |
| rewrite ^(.*) https://$host$1 permanent; | |
| {% endif %} | |
| {% endif %} | |
| {% if red_www == 0 %} | |
| server_name {{ upstream.traffic_matches }}; | |
| {% endif %} | |
| {% if red_www == 2 %} | |
| if ($http_host ~ ^(?!www\.)(.*)) { | |
| return 301 $scheme://www.$1$request_uri; | |
| } | |
| {% endif %} | |
| {% if red_www == 1 %} | |
| if ($http_host ~ ^www\.(.*)$) { | |
| return 301 $scheme://$1$request_uri; | |
| } | |
| {% endif %} | |
| keepalive_timeout 5; | |
| client_max_body_size 50m; | |
| # redirect on errors | |
| error_page 500 502 504 /50x.html; | |
| # handle error redirect | |
| location = /50x.html | |
| { | |
| proxy_pass http://placeholders.cloud66.com/nginx/50x.html; | |
| } | |
| {% if cors_enabled == true %} | |
| # Cross domain resource | |
| add_header Access-Control-Allow-Origin "{{ cors_origin }}"; | |
| add_header Access-Control-Allow-Methods "{{ cors_methods }}"; | |
| {% endif %} | |
| {% if maintenance_mode_active and upstream.port.http == 80 %} | |
| location / | |
| { | |
| proxy_http_version 1.1; | |
| proxy_set_header Upgrade $http_upgrade; # allow websockets | |
| proxy_set_header Connection $connection_upgrade; | |
| root /etc/cloud66/pages; | |
| rewrite ^(.*)$ /cloud66_maintenance.html break; | |
| } | |
| {% else %} | |
| location / | |
| { | |
| proxy_http_version 1.1; | |
| proxy_set_header Upgrade $http_upgrade; # allow websockets | |
| proxy_set_header Connection $connection_upgrade; | |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
| proxy_set_header Host $http_host; | |
| proxy_redirect off; | |
| proxy_pass http://{{ upstream.name }}; | |
| break; | |
| } | |
| {% endif %} | |
| } | |
| {% endif # if upstream.port.http != blank %} | |
| {% if allow_ssl == true %} | |
| {% if upstream.port.https != blank %} | |
| server | |
| { | |
| listen {{ upstream.port.https }}; | |
| ssl on; | |
| ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; | |
| ssl_prefer_server_ciphers on; | |
| ssl_dhparam /etc/ssl/private/dhparams.pem; | |
| ssl_certificate_key /etc/ssl/localcerts/{{ ssl_certificate_filename }}.key; | |
| ssl_certificate /etc/ssl/localcerts/{{ ssl_certificate_filename }}.crt; | |
| {% for ip in blacklist %} | |
| deny {{ ip }}; | |
| {% endfor %} | |
| {% if red_www == 0 %} | |
| server_name {{ upstream.traffic_matches }}; | |
| {% endif %} | |
| {% if red_www == 2 %} | |
| if ($http_host ~ ^(?!www\.)(.*)) { | |
| return 301 $scheme://www.$1$request_uri; | |
| } | |
| {% endif %} | |
| {% if red_www == 1 %} | |
| if ($http_host ~ ^www\.(.*)$) { | |
| return 301 $scheme://$1$request_uri; | |
| } | |
| {% endif %} | |
| client_max_body_size 50m; | |
| # redirect on errors | |
| error_page 500 502 504 /50x.html; | |
| # handle error redirect | |
| location = /50x.html | |
| { | |
| proxy_pass http://placeholders.cloud66.com/nginx/50x.html; | |
| } | |
| {% if cors_enabled == true %} | |
| # Cross domain resource | |
| add_header Access-Control-Allow-Origin "{{ cors_origin }}"; | |
| add_header Access-Control-Allow-Methods "{{ cors_methods }}"; | |
| {% endif %} | |
| {% if maintenance_mode_active and upstream.port.https == 443 %} | |
| location / | |
| { | |
| proxy_http_version 1.1; | |
| proxy_set_header Upgrade $http_upgrade; # allow websockets | |
| proxy_set_header Connection $connection_upgrade; | |
| root /etc/cloud66/pages; | |
| rewrite ^(.*)$ /cloud66_maintenance.html break; | |
| } | |
| {% else %} | |
| location / | |
| { | |
| proxy_http_version 1.1; | |
| proxy_set_header Upgrade $http_upgrade; # allow websockets | |
| proxy_set_header Connection $connection_upgrade; | |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
| proxy_set_header Host $http_host; | |
| proxy_set_header X-Forwarded-Proto https; | |
| proxy_redirect off; | |
| proxy_pass http://{{ upstream.name }}; | |
| break; | |
| } | |
| {% endif %} | |
| } | |
| {% endif # if upstream.port.https != blank %} | |
| {% endif # if allow_ssl == true %} | |
| {% endfor # service_container.upstreams %} | |
| {% endfor # service_containers %} | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment