
@hfase01
Created September 13, 2012 07:10
my nginx vodo
# Process-level settings: eight worker processes, PID file under /var/run.
# NOTE(review): no "user" directive appears in this file, so workers run as
# the build's default account; confirm that account is unprivileged.
worker_processes 8;
pid /var/run/nginx.pid;

# Each worker may hold up to 4096 simultaneous connections.
events {
    worker_connections 4096;
}
http {
# Defaults inherited by every server block in this http context.

# Extension-to-MIME map, with a generic binary type as the fallback.
include mime.types;
default_type application/octet-stream;

sendfile on;
keepalive_timeout 65;

# Keep the nginx version out of the Server header and built-in error pages.
server_tokens off;

# Response compression. This is set at http level, so it also applies to the
# TLS servers below.
# NOTE(review): compressing HTTPS responses that carry secrets next to
# request-controlled content is the precondition for BREACH-style
# length side channels; confirm the proxied apps are not exposed, or turn
# gzip off for the affected responses.
gzip on;
gzip_comp_level 6;
gzip_vary on;
gzip_proxied any;
gzip_buffers 32 8k;
gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript;
# Skip compression for old Internet Explorer versions matched by this pattern.
gzip_disable "MSIE [1-6]\.(?!.*SV1)";
#### Upstream
###
##
#
# Diaspora application servers, reached over local Unix sockets.
# max_fails/fail_timeout: after 3 failed attempts within 30s a server is
# skipped for 30s.
# NOTE(review): the second socket lives in a personal workspace checkout, so
# requests for the public site are balanced onto it as well; confirm intended.
upstream diaspora {
    server unix:/home/diaspora/diaspora-hfase/tmp/sockets/diaspora.socket max_fails=3 fail_timeout=30s;
    server unix:/home/hans/workspace/diaspora/tmp/sockets/diaspora.socket max_fails=3 fail_timeout=30s;
}
##
#
# GitLab application server on a local Unix socket (single backend, default
# failure handling).
upstream gitlab {
    server unix:/home/gitlab/gitlab/tmp/sockets/gitlab.socket;
}
##
#
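# Backends for w44.co. All three entries are ordinary round-robin peers.
# NOTE(review): the first socket belongs to a travis-ci checkout while the
# second is the w44 Diaspora app, so requests are spread across two different
# applications; confirm that is intended.
upstream w44 {
    server unix:/home/hans/workspace/travis-ci/tmp/sockets/travis.socket max_fails=3 fail_timeout=30s;
    server unix:/home/w44/diaspora-w44/tmp/sockets/diaspora.socket max_fails=3 fail_timeout=30s;
    # Connect to loopback explicitly: 0.0.0.0 is a bind wildcard, not a
    # destination address, and only reaches the local host on some platforms.
    # NOTE(review): the original comment calls this a fall-back, but without
    # the "backup" parameter it receives a regular share of the traffic.
    server 127.0.0.1:3000 max_fails=3 fail_timeout=30s; ## script-server fail-back
}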
##
#
# FastCGI backend shared by every "fastcgi_pass php;" location in this file.
# NOTE(review): /tmp is world-writable, so any local account could create
# /tmp/php.sock before the PHP service does and receive these requests;
# a socket inside a directory writable only by the service avoids that.
upstream php {
    server unix:/tmp/php.sock;
}
#### Diaspora
###
##
#
# Plain-HTTP listener for hfase.com: every request gets a permanent redirect
# to the same path on https://hfase.com.
# This is the first server declared for port 80, so requests whose Host
# matches no server_name are redirected here too.
server {
    listen 80;
    server_name www.hfase.com hfase.com;
    rewrite ^(.*) https://hfase.com$1 permanent;
}
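# HTTPS front end for the hfase.com Diaspora pod: static files from public/,
# uploads and assets redirected to S3, everything else proxied to the app.
server {
    # "listen ... ssl" replaces the deprecated "ssl on;" directive.
    listen 443 ssl;
    server_name www.hfase.com hfase.com;
    root /home/diaspora/diaspora-hfase/public;

    # NOTE(review): this is the first server declared for port 443, so it
    # also answers TLS requests whose Host matches no server_name, and
    # "Host $http_host" below forwards that client-chosen value to the app.
    # A catch-all default server that rejects unknown names would stop that.

    ssl_certificate /home/hans/ssl-certs+keys/hfase-ssl.crt; ## You will need to supply these files!!!
    ssl_certificate_key /home/hans/ssl-certs+keys/hfase-ssl.key; ## You will need to supply these files!!!
    # NOTE(review): the private key is kept under a user's home directory;
    # confirm it is readable by root only.

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;

    # Pin protocol versions and forward-secret AEAD suites instead of relying
    # on version-dependent defaults. The earlier commented-out suggestion
    # (TLSv1 with RC4 against BEAST) is obsolete: RC4 is prohibited by
    # RFC 7465. TLSv1.3 needs nginx 1.13+ built against OpenSSL 1.1.1+; drop
    # it from the list on older builds.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;

    # HSTS. max-age is in seconds; 500 is a trial value that expires within
    # minutes, so raise it once HTTPS is known to work for every visitor.
    add_header Strict-Transport-Security max-age=500;

    # Canonicalise www.hfase.com to the bare domain.
    if ($host = 'www.hfase.com' ) {
        rewrite ^/(.*)$ https://hfase.com/$1 permanent;
    }

    # User uploads and compiled assets are served from S3 buckets.
    location /uploads {
        rewrite ^/(.*)$ https://hfase.s3.amazonaws.com/$1 permanent;
    }
    location /assets {
        rewrite ^/(.*)$ https://hfase-assets.s3.amazonaws.com/$1 permanent;
    }

    location / {
        # X-Real-IP is asserted by nginx. X-Forwarded-For keeps whatever the
        # client sent and appends the peer address, so the app should trust
        # only the last entry.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_redirect off;
        client_max_body_size 4M;
        client_body_buffer_size 128K;

        # Serve a static file when one exists (directory index, then
        # "<uri>.html"); otherwise hand the request to the app servers.
        if (-f $request_filename/index.html) {
            rewrite (.*) $1/index.html break;
        }
        if (-f $request_filename.html) {
            rewrite (.*) $1.html break;
        }
        if (!-f $request_filename) {
            proxy_pass http://diaspora;
            break;
        }
    }

    # Static error pages shipped with the app.
    error_page 500 503 504 /500.html;
    location = /500.html {
        root /home/diaspora/diaspora-hfase/public;
    }
    error_page 404 /404.html;
    location = /404.html {
        root /home/diaspora/diaspora-hfase/public;
    }
    error_page 502 /down.html;
    location = /down.html {
        root /home/diaspora/diaspora-hfase/public;
    }
}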
#### Webmin
###
##
#
# Plain-HTTP listener for the Webmin host: permanent redirect to HTTPS.
# The redirect is sent to every client; the address restriction is only on
# the HTTPS server.
server {
    listen 80;
    server_name admin.hfase.com;
    rewrite ^(.*) https://admin.hfase.com$1 permanent;
}
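# HTTPS front end for Webmin, proxied to its local listener on port 10000
# and reachable from the 192.168.1.0/24 LAN only.
server {
    # "listen ... ssl" replaces the deprecated "ssl on;" directive.
    listen 443 ssl;
    server_name admin.hfase.com;

    ssl_certificate /home/hans/ssl-certs+keys/admin.hfase-ssl.crt;
    ssl_certificate_key /home/hans/ssl-certs+keys/admin.hfase-ssl.key;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;

    # Explicit protocol and cipher selection; the earlier commented-out
    # TLSv1/RC4 suggestion is obsolete (RC4 is prohibited by RFC 7465).
    # TLSv1.3 needs nginx 1.13+ with OpenSSL 1.1.1+.
    # NOTE(review): on older nginx/OpenSSL builds the protocol list of the
    # default server for :443 may apply to all name-based hosts; verify with
    # a handshake test.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;

    # HSTS; max-age is in seconds, and 500 is a short trial value.
    add_header Strict-Transport-Security max-age=500;

    location / {
        # Address filter first, for readability: only the local LAN may
        # reach the admin console, everyone else receives 403.
        # allow anyone in 192.168.1.0/24
        allow 192.168.1.0/24;
        # drop rest of the world
        deny all;

        proxy_pass https://127.0.0.1:10000/;
    }
}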
#### Wordpress
###
##
#
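# WordPress blog served from /var/www/WP through the shared PHP backend.
# NOTE(review): this host listens on plain HTTP only, so logins and session
# cookies travel unencrypted; other sites in this file redirect to HTTPS.
server {
    listen 80;
    server_name blog.hfase.com;
    root /var/www/WP;

    location / {
        index index.php index.html index.htm;
        # Fall through to WordPress' front controller for pretty permalinks.
        try_files $uri $uri/ /index.php?q=$uri&$args;
    }

    # Deny access to version control system directories.
    # Declared before the PHP location: regex locations are tried in file
    # order, so a .php path inside .git/.svn is refused rather than executed.
    location ~ /\.svn|/\.git {
        deny all;
        internal;
    }

    # Pass the php scripts to fastcgi server specified in upstream declaration.
    location ~ \.php$ {
        # Only hand existing files to PHP. Without this, a URI that merely
        # ends in ".php" is forwarded as-is and PHP's path-info fallback may
        # execute a different file, such as an uploaded one.
        try_files $uri =404;
        fastcgi_pass php;
        # Necessary for php.
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # Unmodified fastcgi_params from nginx distribution.
        include fastcgi_params;
    }
}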
#### Forum
###
##
#
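# Forum served from /var/www/icy_phoenix through the shared PHP backend.
# NOTE(review): this host listens on plain HTTP only, so logins and session
# cookies travel unencrypted; other sites in this file redirect to HTTPS.
server {
    listen 80;
    server_name forum.hfase.com;
    root /var/www/icy_phoenix;

    location / {
        # phpbb uses index.htm
        index index.php index.html index.htm;
    }

    # Deny access to internal phpbb files.
    # Must stay ahead of the PHP location: regex locations are tried in file
    # order, and config.php would otherwise match "\.php$" first.
    location ~ /(config\.php|common\.php|includes|cache|files|store|images/avatars/upload) {
        deny all;
        # deny was ignored before 0.8.40 for connections over IPv6.
        # Use internal directive to prohibit access on older versions.
        internal;
    }

    # Deny access to version control system directories.
    # Declared before the PHP location so a .php path inside .git/.svn is
    # refused rather than executed.
    location ~ /\.svn|/\.git {
        deny all;
        internal;
    }

    # Pass the php scripts to fastcgi server specified in upstream declaration.
    location ~ \.php$ {
        # Only hand existing files to PHP. Without this, a URI that merely
        # ends in ".php" is forwarded as-is and PHP's path-info fallback may
        # execute a different file, such as an uploaded avatar.
        try_files $uri =404;
        fastcgi_pass php;
        # Necessary for php.
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # Unmodified fastcgi_params from nginx distribution.
        include fastcgi_params;
    }
}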
#### Piwik
###
##
#
# Plain-HTTP listener for the Piwik host: permanent redirect to HTTPS.
server {
    listen 80;
    server_name piwik.hfase.com;
    rewrite ^(.*) https://piwik.hfase.com$1 permanent;
}
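# HTTPS front end for Piwik, served from /var/www/piwik through the shared
# PHP backend.
server {
    # "listen ... ssl" replaces the deprecated "ssl on;" directive.
    listen 443 ssl;
    server_name piwik.hfase.com;
    root /var/www/piwik;

    ssl_certificate /home/hans/ssl-certs+keys/piwik-ssl.crt; ## You will need to supply these files!!!
    ssl_certificate_key /home/hans/ssl-certs+keys/piwik-ssl.key; ## You will need to supply these files!!!
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;

    # Explicit protocol and cipher selection; the earlier commented-out
    # TLSv1/RC4 suggestion is obsolete (RC4 is prohibited by RFC 7465).
    # TLSv1.3 needs nginx 1.13+ with OpenSSL 1.1.1+.
    # NOTE(review): on older nginx/OpenSSL builds the protocol list of the
    # default server for :443 may apply to all name-based hosts; verify with
    # a handshake test.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;

    # HSTS; max-age is in seconds, and 500 is a short trial value.
    add_header Strict-Transport-Security max-age=500;

    location / {
        index index.php index.html index.htm;
        try_files $uri $uri/ /index.php?q=$uri&$args;
    }

    # Deny direct access to Piwik's configuration files. The directory names
    # in this list were carried over from the phpBB block; confirm they do
    # not hide anything Piwik needs to serve.
    # The dots in "config.ini" / "global.ini" are now escaped so they match a
    # literal dot only.
    location ~ /(config\.ini\.php|global\.ini\.php|includes|cache|files|store|images/avatars/upload) {
        deny all;
        # deny was ignored before 0.8.40 for connections over IPv6.
        # Use internal directive to prohibit access on older versions.
        internal;
    }

    # Deny access to version control system directories.
    # Declared before the PHP location so a .php path inside .git/.svn is
    # refused rather than executed.
    location ~ /\.svn|/\.git {
        deny all;
        internal;
    }

    # Pass the php scripts to fastcgi server specified in upstream declaration.
    location ~ \.php$ {
        # Only hand existing files to PHP. Without this, a URI that merely
        # ends in ".php" is forwarded as-is and PHP's path-info fallback may
        # execute a different file.
        try_files $uri =404;
        fastcgi_pass php;
        # Necessary for php.
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # Unmodified fastcgi_params from nginx distribution.
        include fastcgi_params;
    }
}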
#### w44
###
##
#
# Plain-HTTP listener for w44.co: permanent redirect to HTTPS.
server {
    listen 80;
    server_name w44.co;
    rewrite ^(.*) https://w44.co$1 permanent;
}
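# HTTPS front end for the w44.co Diaspora pod: static files from public/,
# uploads and assets redirected to S3, everything else proxied to the app.
server {
    # "listen ... ssl" replaces the deprecated "ssl on;" directive.
    listen 443 ssl;
    server_name w44.co;
    root /home/w44/diaspora-w44/public;

    ssl_certificate /home/hans/ssl-certs+keys/w44.crt; ## You will need to supply these files!!!
    ssl_certificate_key /home/hans/ssl-certs+keys/w44.key; ## You will need to supply these files!!!
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;

    # Explicit protocol and cipher selection; the earlier commented-out
    # TLSv1/RC4 suggestion is obsolete (RC4 is prohibited by RFC 7465).
    # TLSv1.3 needs nginx 1.13+ with OpenSSL 1.1.1+.
    # NOTE(review): on older nginx/OpenSSL builds the protocol list of the
    # default server for :443 may apply to all name-based hosts; verify with
    # a handshake test.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;

    # HSTS; max-age is in seconds, and 500 is a short trial value.
    add_header Strict-Transport-Security max-age=500;

    # NOTE(review): server_name lists only w44.co, so a request for
    # www.w44.co is not routed to this server by name and this redirect is
    # unlikely to fire; add the www name to server_name if it should.
    if ($host = 'www.w44.co' ) {
        rewrite ^/(.*)$ https://w44.co/$1 permanent;
    }

    # User uploads and compiled assets are served from S3 buckets.
    location /uploads {
        rewrite ^/(.*)$ https://w44.s3.amazonaws.com/$1 permanent;
    }
    location /assets {
        rewrite ^/(.*)$ https://w44-assets.s3.amazonaws.com/$1 permanent;
    }

    location / {
        # X-Real-IP is asserted by nginx. X-Forwarded-For keeps whatever the
        # client sent and appends the peer address, so the app should trust
        # only the last entry.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_redirect off;
        client_max_body_size 4M;
        client_body_buffer_size 128K;

        # Serve a static file when one exists (directory index, then
        # "<uri>.html"); otherwise hand the request to the app servers.
        if (-f $request_filename/index.html) {
            rewrite (.*) $1/index.html break;
        }
        if (-f $request_filename.html) {
            rewrite (.*) $1.html break;
        }
        if (!-f $request_filename) {
            proxy_pass http://w44;
            break;
        }
    }

    # Static error pages shipped with the app.
    error_page 500 503 504 /500.html;
    location = /500.html {
        root /home/w44/diaspora-w44/public;
    }
    error_page 404 /404.html;
    location = /404.html {
        root /home/w44/diaspora-w44/public;
    }
    error_page 502 /down.html;
    location = /down.html {
        root /home/w44/diaspora-w44/public;
    }
}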
#### Gitlab
###
##
#
# Plain-HTTP listener for the GitLab host: permanent redirect to HTTPS.
server {
    listen 80;
    server_name git.hfase.com;
    rewrite ^(.*) https://git.hfase.com$1 permanent;
}
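# HTTPS front end for GitLab: static files from public/, cached upload
# images and assets, everything else proxied to the app.
server {
    # "listen ... ssl" replaces the deprecated "ssl on;" directive.
    listen 443 ssl;
    server_name git.hfase.com;
    root /home/gitlab/gitlab/public;

    ssl_certificate /home/hans/ssl-certs+keys/git.hfase-ssl.crt;
    ssl_certificate_key /home/hans/ssl-certs+keys/git.hfase-ssl.key;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;

    # Explicit protocol and cipher selection; the earlier commented-out
    # TLSv1/RC4 suggestion is obsolete (RC4 is prohibited by RFC 7465).
    # TLSv1.3 needs nginx 1.13+ with OpenSSL 1.1.1+.
    # NOTE(review): on older nginx/OpenSSL builds the protocol list of the
    # default server for :443 may apply to all name-based hosts; verify with
    # a handshake test.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;

    # HSTS; max-age is in seconds, and 500 is a short trial value.
    add_header Strict-Transport-Security max-age=500;

    # A location that declares its own add_header no longer inherits the
    # server-level ones, so the HSTS header is repeated in both cache
    # locations below.
    location /uploads/images {
        expires 1d;
        add_header Cache-Control public;
        add_header Strict-Transport-Security max-age=500;
    }
    location /assets {
        expires 1d;
        add_header Cache-Control public;
        add_header Strict-Transport-Security max-age=500;
    }

    location / {
        # X-Real-IP is asserted by nginx. X-Forwarded-For keeps whatever the
        # client sent and appends the peer address, so the app should trust
        # only the last entry.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_redirect off;
        client_max_body_size 4M;
        client_body_buffer_size 128K;

        # Serve a static file when one exists (directory index, then
        # "<uri>.html"); otherwise hand the request to the app server.
        if (-f $request_filename/index.html) {
            rewrite (.*) $1/index.html break;
        }
        if (-f $request_filename.html) {
            rewrite (.*) $1.html break;
        }
        if (!-f $request_filename) {
            proxy_pass http://gitlab;
            break;
        }
    }

    # Static error pages shipped with the app.
    error_page 500 503 504 /500.html;
    location = /500.html {
        root /home/gitlab/gitlab/public;
    }
    error_page 404 /404.html;
    location = /404.html {
        root /home/gitlab/gitlab/public;
    }
    error_page 502 /down.html;
    location = /down.html {
        root /home/gitlab/gitlab/public;
    }
}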
#### Phpmyadmin
###
##
#
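# phpMyAdmin served from /usr/share/phpmyadmin through the shared PHP backend.
# NOTE(review): this database console listens on plain HTTP only and its
# address filter is commented out, so it is reachable by any client and
# credentials travel unencrypted. If the allow/deny pair is restored, put it
# at server level: inside "location /" it does not cover requests handled by
# the "\.php$" location.
server {
    listen 80;
    server_name sql.hfase.com;
    root /usr/share/phpmyadmin;

    location / {
        index index.php index.html index.htm;
        try_files $uri $uri/ /index.php?q=$uri&$args;
        # allow anyone in 192.168.1.0/24
        # allow 192.168.1.0/24;
        # drop rest of the world
        # deny all;
    }

    # Deny list carried over from the WordPress/phpBB blocks (wp-config.php
    # and friends); presumably few of these names exist under phpMyAdmin.
    # TODO confirm and replace with phpMyAdmin's own private paths.
    location ~ /(wp-config\.php|wp-common\.php|includes|cache|files|store|images/avatars/upload) {
        deny all;
        # deny was ignored before 0.8.40 for connections over IPv6.
        # Use internal directive to prohibit access on older versions.
        internal;
    }

    # Deny access to version control system directories.
    # Declared before the PHP location so a .php path inside .git/.svn is
    # refused rather than executed.
    location ~ /\.svn|/\.git {
        deny all;
        internal;
    }

    # Pass the php scripts to fastcgi server specified in upstream declaration.
    location ~ \.php$ {
        # Only hand existing files to PHP. Without this, a URI that merely
        # ends in ".php" is forwarded as-is and PHP's path-info fallback may
        # execute a different file.
        try_files $uri =404;
        fastcgi_pass php;
        # Necessary for php.
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # Unmodified fastcgi_params from nginx distribution.
        include fastcgi_params;
    }
}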
#### Mirror
###
##
#
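# File mirror served from /var/www/mirror with directory listings.
server {
    listen 80;
    server_name mirror.hfase.com;
    root /var/www/mirror;

    location / {
        # Index candidates in order; the last one is the h5ai listing script.
        index index.html index.php /_h5ai/php/h5ai-index.php;
        # Directory listing is on, so every file under the root is
        # discoverable; keep nothing private in this tree.
        autoindex on;
    }

    location ~ \.php$ {
        # Only hand existing files to PHP. Without this, a URI that merely
        # ends in ".php" is forwarded as-is and PHP's path-info fallback may
        # execute a mirrored file as a script.
        try_files $uri =404;
        fastcgi_pass php;
        # Necessary for php.
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # Unmodified fastcgi_params from nginx distribution.
        include fastcgi_params;
    }
}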
#### END
###
##
#
}