Skip to content

Instantly share code, notes, and snippets.

@jamesez
Created May 24, 2016 21:39
Show Gist options
  • Save jamesez/d61ebdde1c3a1b4e102943c21bf26acf to your computer and use it in GitHub Desktop.
Save jamesez/d61ebdde1c3a1b4e102943c21bf26acf to your computer and use it in GitHub Desktop.
munki caching server config
daemon off; # docker requirement
worker_processes 6;
pid /tmp/nginx.pid;
user nginx;
events {
worker_connections 768;
}
http {
# optimize for large files
sendfile off;
directio 512;
aio on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 180;
# open file caching
open_file_cache max=2000 inactive=5m;
open_file_cache_valid 5m;
open_file_cache_min_uses 1;
open_file_cache_errors on;
# MIME type handling
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
types {
application/x-plist plist;
}
# Logging Settings
access_log /logs/access.log;
error_log /logs/error.log;
# Don't include the nginx version number, etc
server_tokens off;
# Gzip Settings
gzip on;
gzip_disable "msie6";
# caching
proxy_cache_path /cache levels=2:2 max_size=400g keys_zone=munkicache:15m inactive=30d;
proxy_temp_path /proxy_tmp;
proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
proxy_cache_valid 200 302 404 2h;
proxy_cache_revalidate on;
proxy_cache_lock on;
# proxy_cache_lock_age 1m; # our nginx is 1.4, this needs 1.7.8
server {
listen 8080;
server_name [not provided];
proxy_cache munkicache;
# Handle asu traffic on non-https
# Software Update gets totally bonkers if it sees https origination in the munki local catalog - can't verify the cert, so it bails badly
location /asu/ {
try_files @upstream @upstream;
}
# Turns out, primitive EFI firmware can't handle ssl either
location /nbi/ {
try_files @upstream @upstream;
}
# nagios, etc
location = / {
return 204;
}
location / {
# 10.7.x - Lion
if ( $http_user_agent ~ "Darwin/11" ){
rewrite ^/index(.*)\.sucatalog$ /asu/content/catalogs/others/index-lion-snowleopard-leopard.merged-1$1.sucatalog last;
}
# 10.8.x - Mountain Lion
if ( $http_user_agent ~ "Darwin/12" ){
rewrite ^/index(.*)\.sucatalog$ /asu/content/catalogs/others/index-mountainlion-lion-snowleopard-leopard.merged-1$1.sucatalog last;
}
# 10.9.x - Mavericks
if ( $http_user_agent ~ "Darwin/13" ){
rewrite ^/index(.*)\.sucatalog$ /asu/content/catalogs/others/index-10.9-mountainlion-lion-snowleopard-leopard.merged-1$1.sucatalog last;
}
# 10.10 - Yosemite
if ( $http_user_agent ~ "Darwin/14" ){
rewrite ^/seed(.*)\.sucatalog$ /asu/content/catalogs/others/index-10.10seed-10.10-10.9-mountainlion-lion-snowleopard-leopard.merged-1$1.sucatalog last;
rewrite ^/index(.*)\.sucatalog$ /asu/content/catalogs/others/index-10.10-10.9-mountainlion-lion-snowleopard-leopard.merged-1$1.sucatalog last;
}
# 10.11 -
if ( $http_user_agent ~ "Darwin/15" ){
rewrite ^/seed(.*)\.sucatalog$ /asu/content/catalogs/others/index-10.11seed-10.11-10.10-10.9-mountainlion-lion-snowleopard-leopard.merged-1$1.sucatalog last;
rewrite ^/index(.*)\.sucatalog$ /asu/content/catalogs/others/index-10.11-10.10-10.9-mountainlion-lion-snowleopard-leopard.merged-1$1.sucatalog last;
}
# Redirect over to https
rewrite ^ https://servername$request_uri? permanent;
}
location @upstream {
proxy_pass http://master-server;
}
}
# https server
server {
listen 8443;
server_name [not provided];
proxy_cache munkicache;
ssl on;
ssl_certificate /ssl/server.crt;
ssl_certificate_key /ssl/server.key;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location /packages/client_resources/ {
proxy_cache_valid 404 15d;
try_files @upstream @upstream;
}
location /packages/icons/ {
proxy_cache_valid 404 12h;
try_files @upstream @upstream;
}
location /clients/ {
proxy_cache_valid 200 302 404 30m;
try_files @upstream @upstream;
}
# nagios, etc
location = / {
return 204;
}
location / {
# sucatalog: get out of here
rewrite ^/(.*)\.sucatalog$ http://server$request_uri permanent;
try_files @upstream @upstream;
}
location @upstream {
proxy_pass http://master-server;
}
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment