@kelexel
Last active October 1, 2021 19:55
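# CORS include for the HTTPS vhosts. Requires the headers-more module
# (more_set_headers).
#
# Trust boundary: the request's Origin header is untrusted input. When it
# matches the allow-list regex below it is reflected into
# Access-Control-Allow-Origin together with
# Access-Control-Allow-Credentials: true, so every origin the regex accepts
# can read responses with the user's credentials. The regex is the only
# check, so it has to be anchored at both ends and must not contain
# wildcards that can span into another domain.

# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

# Allow-list: http(s)://[wN-]<service>[...].domain.net[:port] and nothing else.
# The earlier pattern had no end anchor and used ".*" before domain.net, so a
# host that merely contained "domain.net" somewhere was accepted. This version
# requires a literal dot directly before domain.net and ends with "$".
if ($http_origin ~* ^https?://(?:w[0-9]-)*(?:ovh-cache|ovh-cdn|manager|push|cache|cdn)(?:[a-z0-9-]*\.)+domain\.net(?::[0-9]+)?$) {
    set $cors 'true';
}

# Each *_test variable is "test" + $cors + the current value of the setting.
# It equals 'testtrue' only when the origin matched ($cors = 'true') and the
# setting is still empty; presumably this lets an including vhost preset a
# value before this file runs (verify against the vhosts that include it).
set $cors_allow_origin_test "test${cors}${cors_allow_origin}";
set $cors_allow_credentials_test "test${cors}${cors_allow_credentials}";
set $cors_allow_headers_test "test${cors}${cors_allow_headers}";
set $cors_allow_methods_test "test${cors}${cors_allow_methods}";
set $cors_max_age_test "test${cors}${cors_max_age}";
set $cors_debug "false";

# Defaults, applied only for an allowed origin with no preset value.
if ($cors_allow_origin_test = 'testtrue') {
    # Reflects the validated Origin verbatim (never "*", which browsers
    # reject in combination with credentials).
    set $cors_allow_origin "$http_origin";
}
if ($cors_allow_credentials_test = 'testtrue' ) {
    set $cors_allow_credentials 'true';
}
if ($cors_allow_headers_test = 'testtrue') {
    set $cors_allow_headers 'Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since,X-Request';
}
if ($cors_allow_methods_test = 'testtrue') {
    set $cors_allow_methods 'GET, POST, OPTIONS';
}
if ($cors_max_age_test = 'testtrue') {
    set $cors_max_age 172800;
}

# $cors_method is "<cors><verb>", e.g. 'trueoptions' for an allowed preflight.
# GET and POST clear the preflight-only values; an empty value makes
# more_set_headers drop that header.
if ($request_method = 'GET') {
    set $cors_method "${cors}get";
    # Blank out headers we don't need
    set $cors_allow_headers '';
    set $cors_allow_methods '';
    set $cors_max_age '';
}
if ($request_method = 'POST') {
    set $cors_method "${cors}post";
    # Blank out headers we don't need
    set $cors_allow_headers '';
    set $cors_allow_methods '';
    set $cors_max_age '';
}
if ($request_method = 'OPTIONS') {
    set $cors_method "${cors}options";
}

# Earlier add_header variant, kept for reference:
# Headers valid for GET/POST/OPTIONS
# add_header 'DEBUG-CORS-ON' $cors;
# add_header 'DEBUG-CORS-ORIGIN' $cors_allow_origin;
# add_header 'Access-Control-Allow-Origin' $cors_allow_origin;
# add_header 'Access-Control-Allow-Credentials' $cors_allow_credentials;
#
# # Headers valid for OPTIONS
# add_header 'Access-Control-Max-Age' $cors_max_age;
# add_header 'Access-Control-Allow-Methods' $cors_allow_methods;
# add_header 'Access-Control-Allow-Headers' $cors_allow_headers;

# Headers valid for GET/POST/OPTIONS
# NOTE(review): the two DEBUG-* headers expose the CORS decision on every
# response; drop them once the setup has been verified.
more_set_headers 'DEBUG-CORS-ON: $cors';
more_set_headers 'DEBUG-CORS-ORIGIN: $cors_allow_origin';
# NOTE(review): the response differs per Origin but no "Vary: Origin" is set
# here. On a cache host with long "expires" values, confirm that shared caches
# in front of it cannot serve one origin's Allow-Origin value to another.
more_set_headers 'Access-Control-Allow-Origin: $cors_allow_origin';
more_set_headers 'Access-Control-Allow-Credentials: $cors_allow_credentials';
# Headers valid for OPTIONS
more_set_headers 'Access-Control-Max-Age: $cors_max_age';
more_set_headers 'Access-Control-Allow-Methods: $cors_allow_methods';
more_set_headers 'Access-Control-Allow-Headers: $cors_allow_headers';

# An allowed preflight is answered here with an empty 204.
if ($cors_method = 'trueoptions') {
    return 204;
}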
# Plain-HTTP listener: every request gets a permanent redirect to HTTPS.
server {
    listen 80;
    server_name
        cache.domain.net
        ovh-cache.domain.net
        w2-cache.domain.net
        w3-cache.domain.net
        w4-cache.domain.net
        w5-cache.domain.net
        w6-cache.domain.net
        edge-cache.domain.net;

    # $server_name is the first name listed above, so every alias is sent to
    # https://cache.domain.net and the client-supplied Host header is never
    # copied into the Location header.
    location / {
        return 301 https://$server_name$request_uri;
    }
}
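# HTTPS vhost for the cache/CDN host names. It serves static files from the
# manager document root and maps the public /cache/vault/... URLs onto the
# sharded on-disk layout with internal rewrites.
#
# nginx picks the first regex location that matches, in file order, so the
# order of the location blocks below is part of the access policy.
server {
    listen 443 ssl;
    root /home/www/domain/sources/app/domain/htdocs-manager;
    index index.html;
    server_name cache.domain.net ovh-cache.domain.net w2-cache.domain.net w3-cache.domain.net w4-cache.domain.net w5-cache.domain.net w6-cache.domain.net edge-cache.domain.net cache.domain.lan.new-net.net;

    ssl_certificate ssl/domain.pem;
    ssl_certificate_key ssl/domain.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    # NOTE(review): there is no ssl_protocols directive, so the enabled TLS
    # versions are whatever this nginx build defaults to; pin them explicitly
    # after checking the installed version. No Strict-Transport-Security
    # header is set in this block either.
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # Server-level logs. Most locations below switch access_log off, so
    # requests for vault content leave no access record on this host; keep
    # that in mind when this log is needed for incident response.
    access_log /var/log/nginx/cache.domain.net-access.log;
    error_log /var/log/nginx/cache.domain.net-error.log;
    # rewrite_log on;

    include /usr/local/etc/nginx/vhosts/https/cors2.inc;

    # The vault location patterns are unanchored while their rewrite patterns
    # start with "^". When a rewrite does not match, the request is served
    # from root under its original URI.

    # /cache/vault/<32-char id>/images/[<prefix>]<32-char name>.<ext>
    #   -> /cache/vault/images/<c1>/<c2>/<c3>/<name>/<prefix><name>.<ext>
    location ~* "(/cache/vault/[a-z0-9]{32}/images)" {
        # include /usr/local/etc/nginx/vhosts/https/cors.inc;
        # expires 1M;
        root /home/www/domain/sources/app/domain/htdocs-manager;
        access_log off;
        log_not_found off;
        rewrite_log off;
        error_log /var/log/nginx/cache.domain.net-images-error.log;
        rewrite "^(/cache/vault/[a-z0-9]{32}/images/)([a-z]{2,3}_[a-z0-9-]*)*([a-z0-9])([a-z0-9])([a-z0-9])([a-z0-9]{29})(\.jpg|\.png|\.gif|\.jpeg)$" /cache/vault/images/$3/$4/$5/$3$4$5$6/$2$3$4$5$6$7 break;
    }

    # /cache/vault/<id>/presentations/converted/<32-char name>/<path>
    #   -> /cache/vault/presentations/<c1>/<c2>/<c3>/<name>/converted/<path>
    location ~* "(?:/cache/vault/[a-z0-9]{32}/presentations)" {
        # include /usr/local/etc/nginx/vhosts/https/cors.inc;
        # expires 1M;
        root /home/www/domain/sources/app/domain/htdocs-manager;
        access_log off;
        log_not_found off;
        rewrite_log off;
        error_log /var/log/nginx/cache.domain.net-presentations-error.log;
        # Turns a 405 into a 200 for the same URI (presumably so non-GET
        # requests for static files still get the file; confirm).
        error_page 405 =200 $uri;
        # NOTE(review): the trailing [\.jpg|\.png|...] is a character class,
        # not an alternation. It matches ONE final character out of
        # ". j p g | n i f e J S O N 5", so it does not limit the extension to
        # the listed types. Check which file names must stay reachable before
        # replacing it with a (?:\.jpg|\.png|...) group.
        rewrite "^(/cache/vault/[a-z0-9]{32}/presentations/converted/)([a-z0-9]{1})([a-z0-9]{1})([a-z0-9]{1})([a-z0-9]{29})/((?:[0-9]{1,}/)*(?:[a-zA-Z0-9\._-]*)[\.jpg|\.png|\.gif|\.jpeg|\.JSON5])$" /cache/vault/presentations/$2/$3/$4/$2$3$4$5/converted/$6 break;
    }

    # /cache/vault/<event id>/slides/<id>/<name>.<ext>
    #   -> /cache/events/<event id>/slides/<id>/<name>.<ext>
    location ~* "(?:/cache/vault/[a-z0-9]{32}/slides)" {
        # include /usr/local/etc/nginx/vhosts/https/cors.inc;
        # expires 1M;
        root /home/www/domain/sources/app/domain/htdocs-manager;
        access_log off;
        log_not_found off;
        rewrite_log off;
        rewrite "^(?:/cache/vault/)([A-Za-z0-9]{32})/slides/([A-Za-z0-9]{32})/([A-Za-z0-9]{32}(?:\.jpg|\.png|\.gif|\.jpeg))$" /cache/events/$1/slides/$2/$3 break;
        error_log /var/log/nginx/cache.domain.net-slides-error.log;
    }

    # Default deny: anything no regex location claims gets a 404.
    location / {
        return 404;
    }

    # Per-theme stylesheets, falling back to the bundled default.
    location ~* "(?:/cache/vault/themes/([a-z0-9]{32}/public\.css))" {
        # expires 1M;
        root /home/www/domain/sources/app/domain/htdocs-manager;
        # proxy_no_cache 1;
        # expires off;
        access_log off;
        log_not_found off;
        try_files /cache/themes/$1 /assets/css/public_default.css;
    }
    location ~* "(?:/cache/vault/themes/([a-z0-9]{32}/display\.css))" {
        # expires 1M;
        root /home/www/domain/sources/app/domain/htdocs-manager;
        # proxy_no_cache 1;
        # expires off;
        access_log off;
        log_not_found off;
        try_files /cache/themes/$1 /assets/css/display_default.css;
    }

    # Theme images share the sharded image store used by the vault images.
    location ~* "(?:/cache/vault/themes/[a-z0-9]{32}/images)" {
        # include /usr/local/etc/nginx/vhosts/https/cors.inc;
        # expires 1M;
        root /home/www/domain/sources/app/domain/htdocs-manager;
        access_log off;
        log_not_found off;
        # rewrite_log off;
        rewrite "^(?:/cache/vault/themes/)([A-Za-z0-9]{32})/images/([a-z]{0,3}_[a-z]{2,3}-){0,1}(([A-Za-z0-9])([A-Za-z0-9])([A-Za-z0-9])[A-Za-z0-9]{29})(\.jpg|\.png|\.gif|\.jpeg)" /cache/vault/images/$4/$5/$6/$3/$3$7 break;
        error_log /var/log/nginx/cache.domain.net-themes-error.log;
    }

    # /cache/vault/<id>/assets/images/<dir>/<file>.<ext> -> /assets/images/...
    location ~* "(?:/cache/vault/[a-z0-9]{32}/assets)" {
        # include /usr/local/etc/nginx/vhosts/https/cors.inc;
        # expires 1M;
        root /home/www/domain/sources/app/domain/htdocs-manager;
        access_log off;
        log_not_found off;
        # rewrite_log on;
        rewrite "^(?:/cache/vault/[a-z0-9]{32}/assets/(images/[a-z]*/[a-z0-9_]*(?:\.jpg|\.png|\.gif|\.jpeg)))$" /assets/$1 break;
        error_log /var/log/nginx/cache.domain.net-assets-error.log;
    }

    # NOTE(review): locations are matched against the URI without its query
    # string, so the "\?" here only matches a literal "?" inside the path;
    # ordinary /cache/i18n/x?v=1 requests probably never reach this block.
    location ~* "(?:/cache/i18n/(.*)(?:\?.*))" {
        # include /usr/local/etc/nginx/vhosts/https/cors.inc;
        # expires 1M;
        root /home/www/domain/sources/app/domain/htdocs-manager;
        # The try_files line had no terminating ";", so "access_log" and "off"
        # were parsed as further try_files arguments: "off" became the
        # fallback URI and access logging stayed on. Terminated here with an
        # explicit =404 fallback (try_files needs at least two arguments).
        try_files /cache/i18n/$1 =404;
        access_log off;
        log_not_found off;
        error_log /var/log/nginx/cache.domain.net-i18n-error.log;
    }

    # Deny rules. These sit ABOVE the extension-based locations on purpose:
    # the first matching regex location wins, and when they were listed last a
    # path such as /bin/x.js or /.dir/x.json matched an extension location
    # first and skipped the deny.
    location ~ ^/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
        deny all;
    }
    location ~ ^/(bin|SQL)/ {
        deny all;
    }
    # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Media: images, icons, video, audio, HTC
    location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc|woff|woff2|ttf|eot)$ {
        expires 1M;
        access_log off;
        # add_header Cache-Control "public";
    }
    location ~* \.(?:json|json5)$ {
        expires 5m;
        access_log off;
        # add_header Cache-Control "public";
    }
    # CSS and Javascript
    location ~* \.(?:css|js)$ {
        expires 10m;
        access_log off;
        # add_header Cache-Control "public";
    }

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
}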
# Main nginx.conf: process-level settings, then the shared http {} defaults
# that every vhost inherits.

# headers-more provides the more_set_headers directive.
load_module /usr/local/libexec/nginx/ngx_http_headers_more_filter_module.so;

pid /var/run/nginx.pid;
# Workers run as the unprivileged "nobody" account.
user nobody;
worker_processes 4;
error_log /var/log/nginx-error.log warn;
worker_rlimit_nofile 65535;

events {
    worker_connections 8096;
    multi_accept on;
}

http {
    # Access logging is off by default; a vhost has to enable it explicitly.
    # With this default, a vhost that forgets to do so keeps no request trail.
    access_log off;
    include /usr/local/etc/nginx/mime.types;
    # Keeps the nginx version out of the Server header and error pages.
    server_tokens off;
    sendfile on;
    tcp_nopush on;

    gzip on;
    gzip_vary on;
    gzip_types
        application/atom+xml
        application/javascript
        application/x-javascript
        application/json
        application/ld+json
        application/manifest+json
        application/rss+xml
        application/x-web-app-manifest+json
        application/xhtml+xml
        application/xml
        font/opentype
        image/png
        image/gif
        image/bmp
        image/svg+xml
        image/x-icon
        text/cache-manifest
        text/css
        text/plain
        text/x-component
        text/x-cross-domain-policy
        application/x-font-ttf
        application/x-font-truetype
        application/x-font-opentype
        application/font-woff
        application/font-woff2
        application/vnd.ms-fontobject
        application/font-sfnt
        ;
    gzip_disable "MSIE [1-6]\.";

    # Generous limits: 300 MB request bodies and 240-300 s upstream timeouts
    # apply to every vhost unless overridden.
    # NOTE(review): a vhost that only serves static files needs neither;
    # consider tighter per-vhost values.
    fastcgi_read_timeout 300;
    client_max_body_size 300M;
    client_body_buffer_size 128k;
    # proxy_read_timeout 240;
    proxy_connect_timeout 240s;
    proxy_read_timeout 240s;
    proxy_send_timeout 240s;

    # _HTTP_PROTOCOL_ looks like a template placeholder that is substituted
    # before deployment (the vhost include path uses ".../vhosts/https/");
    # confirm against the deployment tooling.
    include /usr/local/etc/nginx/vhosts/_HTTP_PROTOCOL_/*.conf;
}