@benanhalt
Last active November 14, 2016 17:01
Nginx proxy for Specify web asset server providing HTTPS.
# Nginx configuration for supplying an HTTPS end point for the web
# asset server. The asset server is running on the same system
# (demo-assets.specifycloud.org) on port 8080 meaning it can run
# without root privileges and without using authbind. Nginx proxies
# HTTP requests on port 80 and HTTPS requests on port 443 to the
# underlying asset server. It also rewrites the web_asset_store.xml
# response so that subsequent requests go through the proxy.
server {
    # Plain-HTTP endpoint. Specify 6 can only speak HTTP, so this
    # listener has to stay up alongside the HTTPS one below.
    listen 80 default_server;
    server_name demo-assets.specifycloud.org;

    # nginx's default body limit is small enough to reject large
    # attachment uploads; raise it for the asset server.
    client_max_body_size 20m;

    # LetsEncrypt drops its domain-control challenge files under this
    # path; serving it from disk lets the auto-renew tooling work.
    location /.well-known/ {
        root /var/www/;
    }

    # web_asset_store.xml is fetched from the real server (keeping its
    # timestamp headers) and every backend URL in the body is rewritten
    # to point at this proxy rather than at port 8080.
    location = /web_asset_store.xml {
        proxy_pass http://localhost:8080/web_asset_store.xml;
        sub_filter 'http://demo-assets.specifycloud.org:8080' 'http://demo-assets.specifycloud.org';
        sub_filter_once off;
        sub_filter_types text/xml;
    }

    # Anything else is forwarded to the asset server untouched.
    location / {
        proxy_pass http://localhost:8080/;
    }
}
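server {
    # HTTPS endpoint for the asset server.
    listen 443 ssl default_server;
    server_name demo-assets.specifycloud.org;

    # nginx's default body limit is small enough to reject large
    # attachment uploads; raise it for the asset server.
    client_max_body_size 20m;

    ssl_certificate /etc/letsencrypt/live/demo-assets.specifycloud.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/demo-assets.specifycloud.org/privkey.pem;

    # TLS settings. The original list (taken from the DigitalOcean
    # LetsEncrypt tutorial) still offered TLS 1.0/1.1, 3DES, CAMELLIA
    # and static-RSA suites; those are deprecated (no forward secrecy,
    # CBC/3DES weaknesses) and are dropped here. Only TLS 1.2 with
    # (EC)DHE key exchange is offered. Add TLSv1.3 to ssl_protocols
    # once the installed nginx/OpenSSL build supports it.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH:!CAMELLIA';
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    # Session tickets are encrypted with a key nginx never rotates on
    # its own, which undermines forward secrecy across restarts; the
    # shared session cache above is sufficient for resumption.
    ssl_session_tickets off;

    # NOTE(review): ssl_stapling needs a 'resolver' directive so nginx
    # can look up the OCSP responder; without one stapling is silently
    # skipped. Add the host's DNS server here — TODO confirm.
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;

    # LetsEncrypt challenge pass-through. Probably only needed on the
    # HTTP side, but harmless to keep here as well.
    location /.well-known/ {
        root /var/www/;
    }

    # Same as the HTTP stanza, except that the rewritten links use
    # https:// in addition to dropping the :8080 port.
    location = /web_asset_store.xml {
        proxy_pass http://localhost:8080/web_asset_store.xml;
        sub_filter 'http://demo-assets.specifycloud.org:8080' 'https://demo-assets.specifycloud.org';
        sub_filter_once off;
        sub_filter_types text/xml;
    }

    # Everything else is forwarded to the asset server untouched.
    location / {
        proxy_pass http://localhost:8080/;
    }
}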