Configuration files for proxypass.iiit.ac.in and cdn.iiit.ac.in. Add the contents of cdn.iiit.ac.in.conf inside the http block of nginx.conf on cdn.iiit.ac.in
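# Plain-HTTP front door of cdn.iiit.ac.in. A request for /cdn/<host>/<path> is
# relayed to proxypass.iiit.ac.in as <path> with the Host header set to <host>,
# which selects the matching per-host server block there. Only hosts inside
# iiit.ac.in are accepted: anything else is answered with 404 instead of being
# forwarded with a caller-chosen (or empty) Host header.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    root /usr/share/nginx/html;

    location / {
        set $iiit_host "";
        # Capture the zone host and strip the /cdn/<host> prefix. "break" keeps
        # the rewritten URI for proxy_pass without re-running location matching.
        # '?' is excluded from the host so query-string text cannot leak into it.
        if ($request_uri ~ ^/cdn/([^/?]+\.iiit\.ac\.in)(/.*)$) {
            set $iiit_host $1;
            rewrite ^/cdn/([^/]+)(/.*)$ $2 break;
        }
        # Nothing acceptable captured: refuse rather than proxy with no Host.
        if ($iiit_host = "") {
            return 404;
        }
        proxy_set_header Host $iiit_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Lets proxypass (and the backend behind it) see the original client.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect off;
        proxy_pass http://proxypass.iiit.ac.in;
    }
}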
# Similarly for SSL connections. You can club both of these
# configurations if you don't have any special purpose of having
# two separate server blocks for SSL and non-SSL connections.
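# TLS front door of cdn.iiit.ac.in; same relay rules as the plain-HTTP block,
# but the upstream hop to proxypass.iiit.ac.in is made over HTTPS as well.
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name _;
    root /usr/share/nginx/html;

    ssl_certificate "/etc/pki/tls/certs/iiit.ac.in.crt";
    ssl_certificate_key "/etc/pki/tls/private/iiit.ac.in.key";
    # Without ssl_protocols Nginx uses its build default, which on older
    # versions still includes TLS 1.0/1.1; pin it (add TLSv1.3 once the build
    # supports it).
    ssl_protocols TLSv1.2;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        set $iiit_host "";
        # Capture the zone host and strip the /cdn/<host> prefix; "break" keeps
        # the rewritten URI for proxy_pass. '?' is excluded from the host so
        # query-string text cannot leak into the Host header.
        if ($request_uri ~ ^/cdn/([^/?]+\.iiit\.ac\.in)(/.*)$) {
            set $iiit_host $1;
            rewrite ^/cdn/([^/]+)(/.*)$ $2 break;
        }
        # Nothing acceptable captured: refuse rather than proxy with no Host.
        if ($iiit_host = "") {
            return 404;
        }
        proxy_set_header Host $iiit_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect off;
        proxy_pass https://proxypass.iiit.ac.in;
    }

    # Static error pages served from $root. The exact-match location must name
    # the same file as error_page, otherwise the internal redirect falls
    # through to "location /" and is proxied instead of served locally.
    error_page 404 /404.html;
    location = /404.html {
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}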
# Plain-HTTP reverse proxy for one host. This block is the "dummy" template
# that proxypass_config.sh copies once per zone name, replacing every
# occurrence of dummy.iiit.ac.in with the real host name.
server {
    listen 80;
    listen [::]:80;
    # Per-host access log. The "main" log format is not defined in this file;
    # it is expected to come from nginx.conf.
    access_log /var/log/nginx/dummy.iiit.ac.in.log main;
    server_name dummy.iiit.ac.in;
    # Hand the client's scheme, address and original Host to the backend so it
    # can build correct redirects and log the real client.
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Scheme $scheme;
    proxy_set_header Host $http_host;
    # Large downloads: clients outside the intranet are redirected to
    # cdn.iiit.ac.in, which requests the file from this proxy under the same
    # host name; intranet clients are served directly. The CDN's own address
    # must therefore not count as external, or the redirect would loop.
    location ~* \.(zip|gz|tar|bz|rar|7z|xz|pdf|mp4|avi|mov|webm|wmv)$ {
        # $external_ip is not defined in this file; presumably a geo block in
        # nginx.conf sets it for non-intranet addresses -- confirm before use.
        if ($external_ip) {
            return 302 http://cdn.iiit.ac.in/cdn/dummy.iiit.ac.in$request_uri;
        }
        # NOTE(review): the upstream name equals server_name, so this relies on
        # the proxy host resolving it (at startup) to the real backend rather
        # than to itself, e.g. via split DNS or /etc/hosts -- verify.
        proxy_pass http://dummy.iiit.ac.in;
    }
    location / {
        proxy_pass http://dummy.iiit.ac.in;
    }
}
# Similarly for SSL connections. You can club both of these
# configurations if you don't have any special purpose of having
# two separate server blocks for SSL and non-SSL connections.
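# TLS counterpart of the plain-HTTP template block; proxypass_config.sh
# rewrites dummy.iiit.ac.in here as well.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # Certificate and key are kept in a single PEM file, so both directives
    # point at it.
    ssl_certificate /etc/pki/tls/private/iiit.ac.in.pem;
    ssl_certificate_key /etc/pki/tls/private/iiit.ac.in.pem;
    # Without ssl_protocols Nginx uses its build default, which on older
    # versions still includes TLS 1.0/1.1; pin it (add TLSv1.3 once the build
    # supports it).
    ssl_protocols TLSv1.2;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    # "main" log format is expected to be defined in nginx.conf.
    access_log /var/log/nginx/dummy.iiit.ac.in_ssl.log main;
    server_name dummy.iiit.ac.in;
    # Hand the client's scheme, address and original Host to the backend.
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Scheme $scheme;
    proxy_set_header Host $http_host;
    # Large downloads: external clients are redirected to cdn.iiit.ac.in,
    # intranet clients are served directly. $external_ip is not defined in
    # this file; presumably a geo block in nginx.conf sets it -- confirm.
    location ~* \.(zip|gz|tar|bz|rar|7z|xz|pdf|mp4|avi|mov|webm|wmv)$ {
        if ($external_ip) {
            return 302 https://cdn.iiit.ac.in/cdn/dummy.iiit.ac.in$request_uri;
        }
        # The backend is reached over TLS but its certificate is not verified
        # (Nginx default); enable proxy_ssl_verify with
        # proxy_ssl_trusted_certificate once the backend CA is available.
        proxy_pass https://dummy.iiit.ac.in;
    }
    location / {
        proxy_pass https://dummy.iiit.ac.in;
    }
}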
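#!/usr/bin/env bash
# One-time setup on proxypass.iiit.ac.in: link this directory's nginx.conf and
# the per-host "dummy" template into Nginx's config tree, then install the
# regeneration job in root's crontab. Run it from the directory that holds
# the files; the cron entry assumes that directory is /root/proxypass_config.
set -euo pipefail

# Symlink targets must be absolute: a relative "./nginx.conf" is resolved
# against /etc/nginx (and "./dummy" against /etc/nginx/conf.d), where each
# link would point at itself.
here=$(pwd)
rm -f /etc/nginx/nginx.conf
ln -s "$here/nginx.conf" /etc/nginx/nginx.conf
ln -s "$here/dummy" /etc/nginx/conf.d/dummy

# Replace root's crontab. MAILTO is where cron sends the job's output; the
# line is a single-quoted literal so the address needs no escaping.
printf '%s\n' \
  'MAILTO=srisai.poonganam@research.iiit.ac.in' \
  '*/30 * * * * /root/proxypass_config/proxypass_config.sh' \
  >| /var/spool/cron/root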
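#!/bin/bash
# proxypass_config.sh - keep /etc/nginx/conf.d in sync with the iiit.ac.in zone.
#
# Every zone name whose A record (or CNAME chain) ends on one of this proxy's
# addresses gets its own Nginx server config, generated from the "dummy"
# template in $data_dir. Nginx is config-tested and reloaded only when the set
# of generated files actually changes. Meant to run unattended from root's
# crontab: failures are appended to $log_file, mailed to $to, and the script
# exits non-zero so cron can tell the run failed.
set -uo pipefail

readonly log_file="/var/log/proxypass_config.log"
readonly state_dir="/var/lib/proxypass_config"
readonly checksum_file="$state_dir/checksum"
readonly data_dir="/etc/nginx/conf.d"
readonly template="$data_dir/dummy"
readonly zone="iiit.ac.in"
readonly name_server="ns.iiit.ac.in"
readonly mail_from="proxypass@iiit.ac.in"
readonly to="srisai.poonganam@research.iiit.ac.in"
# Addresses of this proxy; a zone name is proxied only when it resolves here.
readonly -a proxy_ips=("196.12.53.52" "196.12.53.50")

#######################################
# Append a timestamped line to the run log.
# Arguments: $* - message
#######################################
log() {
  printf '%s %s\n' "$(date)" "$*" >> "$log_file"
}

#######################################
# Log a failure, mail it to the admin and abort the run.
# Arguments: $1 - mail subject, $2 - message
# Returns:   never; exits 1
#######################################
die() {
  local subject=$1 message=$2
  log "$message"
  printf '%s\n' "$message" | mailx -r "$mail_from" -s "$subject" "$to"
  exit 1
}

#######################################
# Accept only names that are safe to use as a file name and inside the sed
# replacement in generate_configs: DNS characters only, and inside $zone so
# that the cleanup glob there also covers the generated file.
# Arguments: $1 - host name without trailing dot
# Returns:   0 if acceptable, 1 otherwise
#######################################
valid_domain() {
  local name=$1
  [[ "$name" == *."$zone" && "$name" =~ ^[A-Za-z0-9._-]+$ ]]
}

#######################################
# Print the answer lines of a zone transfer from $name_server.
# Outputs: dig answer lines on stdout; empty or comment-only when the
#          transfer fails
#######################################
zone_transfer() {
  dig "@$name_server" axfr "$zone" +noall +answer
}

#######################################
# Print, one per line and without the trailing dot, every zone name that
# should be proxied: names with an A record on one of $proxy_ips, plus CNAMEs
# whose target resolves (via $name_server) to one of them.
# Arguments: $1 - zone transfer output (see zone_transfer)
#######################################
proxied_names() {
  local zone_data=$1 cname
  # awk prologue shared by both filters: want[ip] is set for each proxy address.
  local -r ip_filter='BEGIN { n = split(ips, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }'
  # Direct A records.
  awk -v ips="${proxy_ips[*]}" "$ip_filter"'
    $4 == "A" && ($5 in want) { sub(/\.$/, "", $1); print $1 }' <<<"$zone_data"
  # CNAMEs: keep the alias when the answer returned for it contains an A
  # record on this proxy (an authoritative server appends the target's
  # A records to the CNAME answer).
  while IFS= read -r cname; do
    [[ -n "$cname" ]] || continue
    if dig +noall +answer "$cname" "@$name_server" \
        | awk -v ips="${proxy_ips[*]}" "$ip_filter"'
          $4 == "A" && ($5 in want) { found = 1 }
          END { exit !found }'; then
      printf '%s\n' "${cname%.}"
    fi
  done < <(awk '$4 == "CNAME" { print $1 }' <<<"$zone_data")
}

#######################################
# Regenerate one config per name from the template, replacing the previous
# set of generated *.$zone.conf files.
# Arguments: $1 - newline-separated host names
# Globals:   data_dir, template, zone
#######################################
generate_configs() {
  local names=$1 name
  [[ -f "$template" ]] \
    || die "[Error] Template not found" "$template is missing; cannot generate configs"
  rm -f -- "$data_dir"/*."$zone".conf
  while IFS= read -r name; do
    [[ -n "$name" ]] || continue
    # Names come from DNS and end up as file names and sed replacement text.
    if ! valid_domain "$name"; then
      log "Skipping unexpected name from DNS: $name"
      continue
    fi
    cp -- "$template" "$data_dir/$name.conf"
    sed -i -- "s/dummy\.iiit\.ac\.in/$name/g" "$data_dir/$name.conf"
  done <<<"$names"
}

#######################################
# md5 over the sorted per-file md5sums of $data_dir, so any content change in
# the generated set (or the template) changes the value.
# Outputs: hex digest on stdout
#######################################
config_checksum() {
  find "$data_dir" -type f -exec md5sum {} + \
    | LC_ALL=C sort -k 2 \
    | md5sum \
    | awk '{ print $1 }'
}

#######################################
# Test the Nginx config and apply it.
# Returns: 0 on success; aborts via die otherwise
#######################################
reload_nginx() {
  local output
  if ! output=$(/usr/sbin/nginx -t 2>&1); then
    die "[Error] Nginx config test failed" "$output"
  fi
  # reload-or-restart keeps existing connections alive when Nginx is already
  # running and still starts it when it is down.
  if ! systemctl reload-or-restart nginx >/dev/null 2>&1; then
    log "Failed to reload Nginx!"
    die "[Error] Failed to start Nginx" "$(systemctl status nginx 2>&1)"
  fi
}

main() {
  local zone_data names old_checksum new_checksum
  mkdir -p "$state_dir"
  touch "$log_file" "$checksum_file"

  command -v dig >/dev/null 2>&1 \
    || die "[Error] Package not found" "bind-utils package is not found. We need dig!"

  zone_data=$(zone_transfer)
  names=$(proxied_names "$zone_data" | LC_ALL=C sort -u)
  # An empty list almost certainly means the transfer failed; stop here rather
  # than deleting every generated config.
  [[ -n "$names" ]] \
    || die "[Error] Failed obtaining records" "No records obtained from $name_server!"

  generate_configs "$names"
  log "Config generated successfully"

  old_checksum=$(<"$checksum_file")
  new_checksum=$(config_checksum)
  if [[ "$old_checksum" == "$new_checksum" ]]; then
    log "No changes detected"
    return 0
  fi
  reload_nginx
  # Record the checksum only after Nginx accepted the new set.
  printf '%s\n' "$new_checksum" >| "$checksum_file"
}

main "$@"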