Forked from igal-getrailo/1 nginx-railo.conf
Created May 23, 2014 11:23
#### this is the main config file for nginx, to specify it from the command line, use the -c switch, e.g
#### nginx.exe -c nginx-railo.conf
## Purpose: process-level settings followed by the http-level defaults (MIME types, gzip, welcome documents, error pages, response headers).
##** if connecting to Tomcat, use Tomcat's RemoteIpValve to resolve CGI.REMOTE_ADDR, CGI.SERVER_NAME, and CGI.SERVER_PORT_SECURE
##** <Valve className="org.apache.catalina.valves.RemoteIpValve" protocolHeader="X-Forwarded-Proto" remoteIpHeader="X-Forwarded-For" protocolHeaderHttpsValue="https" />
## NOTE(review): RemoteIpValve only acts on X-Forwarded-* when the connecting peer matches its internalProxies/trustedProxies
## patterns. Keep those limited to this nginx host and make sure the Tomcat connector is not reachable by clients directly;
## otherwise the address the application sees in CGI.REMOTE_ADDR is whatever the client put in the header.
#user nobody;
#pid logs/;
error_log logs/error.log;
worker_processes 1; ## set to number of CPU cores
events { worker_connections 1024; }
http {
include conf/mime.types;
default_type application/octet-stream;
sendfile on;
gzip on;
gzip_types application/javascript text/css; ## gzip js, css (html is enabled by default)
#tcp_nopush on;
keepalive_timeout 65;
index index.htm index.cfm index.html; ## default welcome documents
## $request_uri is the raw, client-supplied request URI (path and query string) and is handed to the CFML error templates as "uri".
## NOTE(review): the templates themselves are not shown here; they need to encode that value before echoing it into a page.
error_page 404 /404.cfm?uri=$request_uri; ## direct errors to Railo and pass original uri
error_page 500 /500.cfm?uri=$request_uri;
error_page 503 /503.cfm?uri=$request_uri;
## NOTE(review): without an "=code" part, error_page swaps the body but keeps the original status, so a denied request still
## answers 403 with the 404 page. "error_page 403 =404 /404.cfm?uri=$request_uri;" would rewrite the status as well - confirm intent.
error_page 403 /404.cfm?uri=$request_uri; ## show forbidden as innocent 404
server_tokens off; ## do not send nginx version
## add_header applies only to 2xx/3xx responses unless the "always" parameter is given (nginx 1.7.5 and later), so error
## responses go out without these headers as written. Any add_header placed in a nested server or location block replaces
## this whole set for that block rather than adding to it.
add_header X-Frame-Options SAMEORIGIN; ## security headers, see
add_header X-Content-Type-Options nosniff;
## X-XSS-Protection is a legacy header that current browsers ignore; a Content-Security-Policy is the maintained control.
add_header X-XSS-Protection "1; mode=block";
## Purpose: declares the pool of Railo application servers, pulls in the per-site files, and sets up the catch-all server and the access-log formats.
upstream railo_servers {
## ip_hash routes requests from the same client address to the same upstream server.
ip_hash; ##
#server; ## add more application servers below for load balancing
keepalive 32; ## number of upstream connections to keep alive
proxy_connect_timeout 30; ## connection timeout for proxy servers in seconds - max 75
## add website-specific configurations below
include nginx-site-site1.conf;
#include nginx-site-site2.conf; ## add more sites as needed
## default http server to handle request to unmapped hosts
## NOTE(review): no default_server flag is visible on this listen line, and the site include appears above it. nginx uses the
## first server declared for an address:port as the default, so as ordered on this page the site server, not this one, would
## answer unknown Host values - confirm against the original file, and give the catch-all an explicit response.
server {
listen 80;
## log settings
## $http_x_forwarded_for is copied from the request header as received; treat it as client-supplied, and rely on $remote_addr for the connecting peer.
log_format standard_log_format '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
log_format upstream_log_format '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for" "$upstream_addr $upstream_status $upstream_response_time"';
## NOTE(review): $host is taken from the request, so on a server that answers arbitrary host names the client influences the
## log file name and one file is created per requested name. A fixed file name or $server_name keeps the set of log files bounded.
access_log logs/$host-access.log standard_log_format; ## use upstream_log_format when clustering to see which application server the request was routed to
#### this file should be included in the server section of each site that should proxy to Railo #####
## Purpose: blocks requests for internal and foreign-platform paths with a 404 and restricts the Railo admin/doc context by client address before proxying it.
## nginx tests regex locations in the order they appear and uses the first match, so these rules must stay above the
## generic proxy and static-file locations to take effect for paths that would match both.
## NOTE(review): "~" is a case-sensitive match. The site file roots content on a Windows path, where file lookups normally
## ignore case, so "~*" is the safer operator for the path-based rules below.
### Security begin
location ~ /META-INF/ { return 404; }
location ~ /WEB-INF/ { return 404; }
location ~ \.config$ { return 404; }
location ~ /\. { return 404; } ## e.g. .htaccess, .gitignore etc.
## paths ending in "~" (e.g. editor backup copies)
location ~ ~$ { return 404; }
location ~ \.aspx?$ { return 404; } ## most likely hackers testing the site
location ~ \.php$ { return 404; }
## Railo admin
## This location has to stay ahead of the generic .cfm proxy location: if that one were listed first it would win for admin
## .cfm requests and the allow/deny rules below would not be applied.
location ~* /railo-context/(admin|doc)/ {
## IP security - add allow entries as needed
## allow/deny are evaluated against the connecting peer address, not against X-Forwarded-For.
## NOTE(review): if another proxy or load balancer sits in front of nginx, every client appears as that proxy - confirm the deployment before relying on these rules.
#allow; ## set your ip here and remove comment mark
#deny; ## deny gateway
#allow; ## allow local network
## As shown, the only active allow entry is the IPv6 loopback; IPv4 loopback or LAN clients need their own allow lines above "deny all".
allow ::1; ## allow local IPs and deny all others
deny all;
#gzip off;
proxy_pass http://railo_servers;
proxy_redirect off;
## HTTP/1.1 with an empty Connection header lets nginx reuse upstream keepalive connections.
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
## $proxy_add_x_forwarded_for appends the peer address to whatever X-Forwarded-For the client sent; only the last entry is added by nginx.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
## X-Real-IP is overwritten with the peer address, so a client-supplied value does not survive.
proxy_set_header X-Real-IP $remote_addr;
## marks responses as already expired so the admin pages are not cached
expires epoch;
### Security end
### Proxy .cfm etc to Railo Servers
## Purpose: forwards requests whose path ends in .cfm, .cfc, .cfs, .jsp or .htm to the railo_servers upstream and passes the original host, scheme and client address along in headers.
location ~ \.(cfm|cfc|cfs|jsp|htm)$ {
#gzip off;
proxy_pass http://railo_servers;
proxy_redirect off;
## HTTP/1.1 with an empty Connection header lets nginx reuse upstream keepalive connections.
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
## $proxy_add_x_forwarded_for keeps any X-Forwarded-For value the client sent and appends the peer address, so only the
## last entry comes from nginx. NOTE(review): the backend should accept this header from the nginx host only.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; ## CGI.REMOTE_ADDR
proxy_set_header X-Forwarded-Proto $scheme; ## CGI.SERVER_PORT_SECURE
## X-Real-IP is overwritten with the peer address, so a client-supplied value does not survive.
proxy_set_header X-Real-IP $remote_addr;
## marks dynamic responses as already expired so they are not cached
expires epoch;
#### create a file like this one for each website and include it in nginx-railo.conf
## Purpose: per-site server block - document root, listener, static-file handling, and commented templates for rewrites, restricted directories, virtual folders, SSL and a www redirect.
server {
## Keep this include first: regex locations are matched in order of appearance, so the security rules in the proxy file
## only win over the static-file location below while they are declared ahead of it.
include nginx-railo-proxy.conf; ## include the proxy config file
root C:/inetpub/wwwroot/site1;
listen 80;
#listen; ## use this instead if you want to listen on specific ip
## NOTE(review): with server_name left commented out, this server is selected only by address:port and serves whatever Host value is sent.
#server_name localhost.site1; ## enable to serve only specific hosts
location / {
## serve the file or directory if it exists, otherwise fall through to the named rewrite location
try_files $uri $uri/ @rewrite-rules;
location @rewrite-rules {
## add rewrite rules as needed
#rewrite ^/index/(.*)/(.*)/? /index.cfm?p1=$1&p2=$2 last;
### add expires headers for static files
location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
expires 30d;
## to restrict access to a specific directory use the example below
## allow/deny are evaluated against the connecting peer address; the first matching rule decides, so "deny all" goes last.
#location ~* /restricted-access/ {
#allow; ## set your ip here and remove comment mark
#deny; ## deny gateway
#allow; ## allow local network
#allow ::1; ## allow local IPs and deny all others
#deny all;
## to define a virtual folder use the example below
## NOTE(review): inside a regex location, alias has to refer to the capture (e.g. end in $1); as written the capture is unused, so every matching request would map to the directory itself.
#location ~ ^/shared/(.*)$ {
# alias C:/inetpub/wwwroot/shared/;
### ssl settings begin -- enable for sites that should use ssl
## NOTE(review): no ssl_protocols or ssl_ciphers is set in this template, so the defaults of the installed nginx build apply; set both explicitly when enabling SSL.
#listen 443 ssl;
#ssl_certificate sslcert.pem; ## this must point to a valid .crt or .pem file
## The same .pem holds the private key here; restrict read access on that file to the account running nginx.
#ssl_certificate_key sslcert.pem; ## the key may be stored in the .pem file
## ssl_session_cache shared:SSL:1m; ## The cache and other modules which require shared memory support do not work on Windows Vista and later versions due to address space layout randomization being enabled in these Windows versions.
#ssl_session_timeout 5m;
#ssl_prefer_server_ciphers on;
### ssl settings end
## redirect non-www to www
## NOTE(review): use a fixed host name in the redirect target rather than one taken from the request, so the Location header cannot be steered by the Host header.
#server {
# listen;
# server_name;
# return 301 $scheme://$request_uri;
