
@jyotishp
Last active January 5, 2019 19:38
Configuration files for proxypass.iiit.ac.in and cdn.iiit.ac.in. Add the contents of cdn.iiit.ac.in.conf inside the http block of nginx.conf on cdn.iiit.ac.in
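# Default vhost on cdn.iiit.ac.in (plain HTTP). A request for
#   /cdn/<host>.iiit.ac.in/<path>
# is forwarded to proxypass.iiit.ac.in as GET <path> with "Host: <host>.iiit.ac.in".
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    root /usr/share/nginx/html;

    location / {
        set $iiit_host "";
        set $iiit_path $request_uri;
        # The captured host becomes the Host header sent to proxypass, so the
        # capture is limited to names inside iiit.ac.in; an unrestricted [^/]+
        # would let any client choose an arbitrary upstream Host value.
        # The same pattern is used for the rewrite so both agree on the split.
        if ($request_uri ~ ^/cdn/([A-Za-z0-9.-]+\.iiit\.ac\.in)(/.*)$ ) {
            set $iiit_host $1;
            set $iiit_path $2;
            rewrite ^/cdn/([A-Za-z0-9.-]+\.iiit\.ac\.in)(/.*)$ $2 break;
        }
        # NOTE(review): a request that does not match is still forwarded with an
        # empty Host header and lands on the upstream default server; consider
        # answering 404 here instead if that is not intended.
        # $iiit_path is not consumed in this block; it may be referenced by a
        # log_format in nginx.conf, so it is kept.
        proxy_set_header Host $iiit_host;
        proxy_redirect off;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://proxypass.iiit.ac.in;
    }
}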
# Similarly for SSL connections. You can merge these two
# configurations if you have no particular reason to keep
# separate server blocks for SSL and non-SSL connections.
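# HTTPS counterpart of the block above: TLS is terminated here and the
# request is re-encrypted towards proxypass.iiit.ac.in.
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name _;
    root /usr/share/nginx/html;

    ssl_certificate "/etc/pki/tls/certs/iiit.ac.in.crt";
    ssl_certificate_key "/etc/pki/tls/private/iiit.ac.in.key";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    # Without ssl_protocols nginx also offers TLS 1.0/1.1; only 1.2 is enabled
    # here (add TLSv1.3 once the nginx/OpenSSL build supports it).
    ssl_protocols TLSv1.2;
    # HIGH still contains RSA-key-exchange and CBC suites; tighten to an
    # ECDHE/AEAD list when the client population allows it.
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        set $iiit_host "";
        set $iiit_path $request_uri;
        # The captured host becomes the Host header sent to proxypass, so the
        # capture is limited to names inside iiit.ac.in; an unrestricted [^/]+
        # would let any client choose an arbitrary upstream Host value.
        # The same pattern is used for the rewrite so both agree on the split.
        if ($request_uri ~ ^/cdn/([A-Za-z0-9.-]+\.iiit\.ac\.in)(/.*)$ ) {
            set $iiit_host $1;
            set $iiit_path $2;
            rewrite ^/cdn/([A-Za-z0-9.-]+\.iiit\.ac\.in)(/.*)$ $2 break;
        }
        # NOTE(review): a request that does not match is still forwarded with an
        # empty Host header and lands on the upstream default server; consider
        # answering 404 here instead if that is not intended.
        proxy_set_header Host $iiit_host;
        proxy_redirect off;
        proxy_set_header X-Forwarded-Proto $scheme;
        # NOTE(review): proxy_ssl_verify defaults to off, so the upstream
        # certificate is not checked on this hop; enable proxy_ssl_verify with
        # proxy_ssl_trusted_certificate if the path to proxypass is not trusted.
        proxy_pass https://proxypass.iiit.ac.in;
    }

    # Error pages are served from $root; the location name must match the
    # error_page target or the page is never found.
    error_page 404 /404.html;
    location = /404.html {
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}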
# Template for one proxied host on proxypass.iiit.ac.in. proxypass_config.sh
# copies this file to <host>.conf and replaces every "dummy.iiit.ac.in" with
# the real host name, so the literal name below is only a placeholder.
server {
listen 80;
listen [::]:80;
# Logging requests to file
access_log /var/log/nginx/dummy.iiit.ac.in.log main;
server_name dummy.iiit.ac.in;
# These headers are required for the redirect and the
# reverse proxying below to function properly.
# They are set at server level and inherited by both locations; note that
# nginx drops all inherited proxy_set_header lines as soon as a location
# defines one of its own.
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_set_header Host $http_host;
# Redirect to cdn.iiit.ac.in if source is not from intranet
# Else, serve as a reverse proxy for requests from intranet IPs
# NOTE(review): $external_ip is not defined in this file; presumably a geo
# block in nginx.conf sets it for non-intranet clients — confirm it exists,
# otherwise the condition is always false and nothing is ever offloaded.
# Only the listed (large/static) file types are sent to the CDN.
location ~* \.(zip|gz|tar|bz|rar|7z|xz|pdf|mp4|avi|mov|webm|wmv)$ {
if ($external_ip) {
return 302 http://cdn.iiit.ac.in/cdn/dummy.iiit.ac.in$request_uri;
}
# NOTE(review): the upstream name is resolved by this host at startup; since
# proxypass_config.sh only generates configs for names whose public A record
# is a proxypass address, this must resolve to the origin (e.g. via
# /etc/hosts or an internal resolver), not back to this proxy — confirm.
proxy_pass http://dummy.iiit.ac.in;
}
# Everything else is proxied straight to the origin for all clients.
location / {
proxy_pass http://dummy.iiit.ac.in;
}
}
# Similarly for SSL connections. You can merge these two
# configurations if you have no particular reason to keep
# separate server blocks for SSL and non-SSL connections.
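# HTTPS counterpart of the template above; "dummy.iiit.ac.in" is replaced
# by proxypass_config.sh with the real host name.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # Setting SSL certificate and other options
    ssl_certificate /etc/pki/tls/private/iiit.ac.in.pem;
    ssl_certificate_key /etc/pki/tls/private/iiit.ac.in.pem;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    # Without ssl_protocols nginx also offers TLS 1.0/1.1; only 1.2 is enabled
    # here (add TLSv1.3 once the nginx/OpenSSL build supports it).
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    access_log /var/log/nginx/dummy.iiit.ac.in_ssl.log main;
    server_name dummy.iiit.ac.in;

    # Set at server level and inherited by both locations; nginx drops all
    # inherited proxy_set_header lines once a location defines one of its own.
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Scheme $scheme;
    proxy_set_header Host $http_host;

    # Large/static file types are offloaded to the CDN for non-intranet
    # clients; $external_ip is expected to be defined in nginx.conf.
    location ~* \.(zip|gz|tar|bz|rar|7z|xz|pdf|mp4|avi|mov|webm|wmv)$ {
        if ($external_ip) {
            return 302 https://cdn.iiit.ac.in/cdn/dummy.iiit.ac.in$request_uri;
        }
        # NOTE(review): proxy_ssl_verify defaults to off, so the origin
        # certificate is not checked; enable it if this hop is not trusted.
        proxy_pass https://dummy.iiit.ac.in;
    }

    # Everything else is proxied straight to the origin for all clients.
    location / {
        proxy_pass https://dummy.iiit.ac.in;
    }
}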
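# One-time setup on proxypass.iiit.ac.in: link the checkout's nginx.conf and
# per-domain template into /etc/nginx and install the cron job that runs
# proxypass_config.sh every 30 minutes. Run as root from the checkout
# (expected at /root/proxypass_config, which the cron line references).
set -euo pipefail

# Absolute link targets: a relative target such as ./nginx.conf is resolved
# relative to the link's own directory, so the link would point at itself.
repo_dir=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
# -f replaces the distribution's nginx.conf (the old "rm -f" step); -n keeps
# ln from descending into an existing directory symlink.
ln -sfn -- "${repo_dir}/nginx.conf" /etc/nginx/nginx.conf
ln -sfn -- "${repo_dir}/dummy" /etc/nginx/conf.d/dummy

# Install root's crontab through crontab(1) instead of writing the spool file
# directly; the previous echo line had unbalanced quotes and never ran.
printf 'MAILTO=%s\n%s\n' \
  "srisai.poonganam@research.iiit.ac.in" \
  "*/30 * * * * /root/proxypass_config/proxypass_config.sh" | crontab -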
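#!/bin/bash
# proxypass_config.sh - regenerate the per-domain Nginx reverse-proxy configs.
#
# Transfers the iiit.ac.in zone from ns.iiit.ac.in, writes one
# /etc/nginx/conf.d/<name>.conf (from the "dummy" template) for every A record
# and every CNAME that resolves to one of the proxypass addresses, and reloads
# Nginx when the generated set changed. Meant to run from root's cron every
# 30 minutes; errors are logged to /var/log/proxypass_config.log and mailed.
#
# Requires: dig (bind-utils), mailx, flock, systemctl, /usr/sbin/nginx.
set -uo pipefail

readonly log_file="/var/log/proxypass_config.log"
readonly state_dir="/var/lib/proxypass_config"
readonly checksum_file="${state_dir}/checksum"
readonly data_dir="/etc/nginx/conf.d"
readonly template="${data_dir}/dummy"
readonly to="srisai.poonganam@research.iiit.ac.in"
readonly mail_from="proxypass@iiit.ac.in"
readonly name_server="ns.iiit.ac.in"
readonly zone="iiit.ac.in"
# Addresses of the proxypass hosts; only names pointing here get a config.
readonly proxy_ips="196.12.53.52 196.12.53.50"
# Record names are used as file names and as sed replacement text, so only
# plain host names inside the zone (or the zone apex) are accepted.
readonly domain_re='^([A-Za-z0-9-]+\.)*iiit\.ac\.in$'

# Raw "dig axfr" answer; filled once by main and read by the helpers.
zone_data=""

#######################################
# Append a timestamped line to the log file.
# Arguments: message words
#######################################
log() {
  printf '%s %s\n' "$(date)" "$*" >> "$log_file"
}

#######################################
# Log the message, mail it to $to and stop the run.
# Arguments: $1 - mail subject; remaining words - message
# Returns:   never; exits 1
#######################################
fail() {
  local subject=$1
  shift
  log "$*"
  printf '%s %s\n' "$(date)" "$*" | mailx -r "$mail_from" -s "$subject" "$to"
  exit 1
}

#######################################
# Print, one per line and without the trailing dot, every owner name in
# $zone_data whose A record is one of $proxy_ips.
#######################################
proxied_a_names() {
  awk -v ips="$proxy_ips" '
    BEGIN { n = split(ips, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
    $4 == "A" && ($5 in want) { sub(/\.$/, "", $1); print $1 }' <<<"$zone_data"
}

#######################################
# Print every CNAME owner name in $zone_data, one per line, trailing dot stripped.
#######################################
cname_names() {
  awk '$4 == "CNAME" { sub(/\.$/, "", $1); print $1 }' <<<"$zone_data"
}

#######################################
# Returns 0 iff $1 resolves (through $name_server) to one of $proxy_ips.
# Any A record in the answer counts, not only the one in a fixed field.
#######################################
resolves_to_proxy() {
  local ip
  while IFS= read -r ip; do
    [[ " ${proxy_ips} " == *" ${ip} "* ]] && return 0
  done < <(dig +noall +answer "$1" "@${name_server}" | awk '$4 == "A" { print $5 }')
  return 1
}

#######################################
# Write $data_dir/<name>.conf from the template, substituting the host name.
# Arguments: $1 - host name (already validated against $domain_re)
#######################################
write_config() {
  local name=$1 conf="${data_dir}/$1.conf"
  cp -- "$template" "$conf" \
    && sed -i -- "s/dummy\.iiit\.ac\.in/${name}/g" "$conf"
}

#######################################
# Hash over every file under $data_dir (path and content) to detect changes.
#######################################
dir_checksum() {
  find "$data_dir" -type f -print0 | LC_ALL=C sort -z | xargs -0 md5sum \
    | md5sum | awk '{print $1}'
}

main() {
  mkdir -p "$state_dir"
  touch "$log_file" "$checksum_file"

  # Cron starts a run every 30 minutes; a slow AXFR must not overlap with the
  # previous run while it is rewriting conf.d.
  exec 9>"${state_dir}/lock"
  flock -n 9 || exit 0

  command -v dig >/dev/null 2>&1 \
    || fail "[Error] Package not found" "bind-utils package is not found. We need dig!"

  # One zone transfer serves both the A and the CNAME pass.
  zone_data=$(dig "@${name_server}" axfr "$zone" +noall +answer)

  local -a domains=()
  mapfile -t domains < <(proxied_a_names)
  # ${#var[@]} on a scalar is always 1, which is why the old emptiness test
  # never fired; the array length is the real record count.
  (( ${#domains[@]} > 0 )) \
    || fail "[Error] Failed obtaining records" "No records obtained from ns.iiit.ac.in!"

  # Regenerate from scratch so names dropped from the zone lose their config.
  rm -f -- "${data_dir}"/*.iiit.ac.in.conf
  local name
  for name in "${domains[@]}"; do
    if [[ $name =~ $domain_re ]]; then
      write_config "$name"
    else
      log "Skipping record with unexpected name: $name"
    fi
  done

  local -a cnames=()
  mapfile -t cnames < <(cname_names)
  for name in "${cnames[@]}"; do
    if [[ $name =~ $domain_re ]] && resolves_to_proxy "$name"; then
      write_config "$name"
    fi
  done
  log "Config generated successfully"

  local old_sum new_sum
  old_sum=$(<"$checksum_file")
  new_sum=$(dir_checksum)
  if [[ "$old_sum" == "$new_sum" ]]; then
    log "No changes detected"
    return 0
  fi

  # Never reload on a broken config; the checksum is left untouched so the
  # next run tries again once the input is fixed.
  local test_out
  if ! test_out=$(/usr/sbin/nginx -t 2>&1); then
    fail "[Error] Nginx config test failed" "$test_out"
  fi
  # reload (not restart) applies the new configs without dropping connections.
  if systemctl reload nginx >/dev/null 2>&1; then
    printf '%s\n' "$new_sum" >| "$checksum_file"
  else
    log "Failed to reload Nginx!"
    fail "[Error] Failed to start Nginx" "$(systemctl status nginx 2>&1)"
  fi
}

main "$@"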