# Rate-limit zone for the public API, keyed on the caller's Authorization header
# (10 MB of counter state, 8 requests/second per key).
# NOTE(review): nginx documents request-header variables in lower case
# ($http_authorization); confirm this mixed-case spelling resolves to the header.
# Requests whose key is empty (no Authorization header) are not accounted by limit_req,
# and no `limit_req zone=public_api` directive appears in this file, so the zone is
# declared but not visibly enforced here — check the other includes.
limit_req_zone $http_Authorization zone=public_api:10m rate=8r/s;
# api
server {
    server_name api.example.com;
    # Shared variables ($backend_host, ...) are defined in this include.
    include /srv/server-configs/nginx-conf/includes/vars.partial-conf;
    # A request for the bare root is sent to the documentation site.
    location = / {
        return 307 https://example.com/docs/?ref=api.example.com;
    }
    # Everything else is rewritten under /public_api/ and proxied to the backend.
    location / {
        rewrite ^/(.*) /public_api/$1 break;
        proxy_pass http://$backend_host;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
        # Appends $remote_addr to any X-Forwarded-For the client already sent; the
        # backend should only trust the right-most (nginx-added) entry.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 900;
    }
    # File uploads: same proxying as above, but request bodies up to 100M are accepted.
    location ~ ^/v1/[^/]+/files {
        rewrite ^/(.*) /public_api/$1 break;
        proxy_pass http://$backend_host;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 900;
        client_max_body_size 100M;
    }
    # logging
    error_log /var/log/nginx/error-api.log;
}
# Decides whether source maps (*.map) may be served to the requesting client.
# The CF-Connecting-IP request header is compared against a short allow-list: allowed
# addresses yield "trackjs-allowed", everyone else yields the app hostname, which the
# app server compares with $host to return a 403.
# NOTE(review): CF-Connecting-IP is an ordinary request header; it is only trustworthy
# when the origin accepts traffic exclusively from Cloudflare — confirm that is the case.
map $http_cf_connecting_ip $host_if_sourcemaps_blocked {
    # Allow-listed addresses (exact string matches; entry order is irrelevant).
    128.199.37.136 trackjs-allowed;
    142.4.218.95   trackjs-allowed;
    167.114.172.73 trackjs-allowed;
    198.27.94.180  trackjs-allowed;
    # Everyone else.
    default        app.example.com;
}
server {
    server_name app.example.com;
    root /var/www/app;
    # Source maps are served from disk only to the allow-listed addresses: for every
    # other client $host_if_sourcemaps_blocked (see the map above) is the app hostname,
    # so — assuming $host is app.example.com for requests reaching this server — the
    # comparison is true and a 403 is returned.
    location ~ \.map$ {
        if ($host = $host_if_sourcemaps_blocked) {
            return 403;
        }
    }
    # Shared variables ($backend_host, $csp_host, $root_redirect_url, ...) and the
    # remaining location blocks live in these includes.
    include /srv/server-configs/nginx-conf/includes/vars.partial-conf;
    include /srv/server-configs/nginx-conf/generated-includes/app.include;
    # logging
    error_log /var/log/nginx/error-app.log;
    access_log /var/log/nginx/access-app.log;
}
# The bare root of the app host redirects (307) to $root_redirect_url, which is set in
# vars.partial-conf.
location = / {
    return 307 $root_redirect_url;
}
# Inbound e-mail webhook: proxied to the backend like the default location, but with a
# larger body limit (200M) for attachments.
location /api/public/email/inbound {
    proxy_pass http://$backend_host;
    proxy_read_timeout 900;
    # Forwarding headers so the backend sees the original host, client and scheme.
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header Host $http_host;
    client_max_body_size 200M;
}
# Static files served straight from $root; anything not on disk is a 404 rather than
# falling through to the backend.
location ~ ^/(__assets)/ { # Directly serve assets via nginx
    try_files $uri $uri/ =404;
}
# NOTE(review): this regex is unanchored, so it matches version.txt anywhere in the
# path (e.g. /foo/version.txt), not only at the root.
location ~ version\.txt { # Directly serve assets via nginx
    try_files $uri $uri/ =404;
}
# Long-polling transport: plain proxying to the backend with a long read timeout.
# (Both socket regexes are unanchored, so they match the path fragment anywhere.)
location ~ socket/longpoll { # Backend (WS)
    proxy_pass http://$backend_host;
    proxy_read_timeout 900;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header Host $http_host;
}
# WebSocket transport: same proxying plus the HTTP/1.1 Upgrade handshake passthrough.
location ~ socket/websocket { # Backend (WS)
    proxy_pass http://$backend_host;
    proxy_read_timeout 900;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header Host $http_host;
    # socket related settings
    proxy_http_version 1.1;
    proxy_set_header Connection "upgrade";
    proxy_set_header Upgrade $http_upgrade;
}
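location ~ ^/(app|__render|__buffer)/ { # Renderer
    # The CSP every non-preflight response from this location should carry.  nginx
    # inherits add_header from the enclosing level only when the current level declares
    # none of its own, and an `if` block is a level of its own: the GET and POST branches
    # below declare CORS headers, so the location-level CSP was silently dropped from
    # exactly those responses.  The value is kept in a variable so it is written once
    # and re-emitted inside each branch.
    set $renderer_csp "default-src https://$csp_host https://*.$csp_host wss://$csp_host wss://*.$csp_host https://firebasestorage.googleapis.com 'unsafe-inline' https://*.trackjs.com; font-src https: data:; img-src 'self' http: https: data: blob:; style-src https: data: 'unsafe-inline'; object-src 'none';";
    # Lifted from https://enable-cors.org/server_nginx.html
    # NOTE(review): a wildcard Allow-Origin means browsers never attach credentials to
    # cross-origin requests here; the renderer must not rely on cookies for
    # authorization of these paths — confirm.
    if ($request_method = 'OPTIONS') {
        # Preflight is answered here; no upstream round-trip.
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET, PATCH, PUT, POST, OPTIONS';
        #
        # Custom headers and headers various browsers *should* be OK with but aren't
        #
        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
        #
        # Tell client that this pre-flight info is valid for 20 days
        #
        add_header 'Access-Control-Max-Age' 1728000;
        add_header 'Content-Type' 'text/plain; charset=utf-8';
        add_header 'Content-Length' 0;
        return 204;
    }
    if ($request_method = 'POST') {
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET, PATCH, PUT, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
        add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
        # Repeated here because this level's add_header directives block inheritance.
        add_header Content-Security-Policy $renderer_csp;
    }
    if ($request_method = 'GET') {
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET, PATCH, PUT, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
        add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
        # Repeated here because this level's add_header directives block inheritance.
        add_header Content-Security-Policy $renderer_csp;
    }
    # NOTE(review): PUT and PATCH are advertised in Allow-Methods, but no branch adds
    # CORS headers to their actual responses; left unchanged here.
    proxy_pass http://$renderer_host;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_read_timeout 900;
    # Applies to methods not handled by an `if` branch above (HEAD, PUT, PATCH, ...).
    add_header Content-Security-Policy $renderer_csp;
    # NOTE(review): an empty add_header value is not emitted; its presence here only
    # stops server-level add_header directives from being inherited into this
    # location — confirm that is the intent.
    add_header X-Frame-Options "";
}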
# Catch-all: every path not matched by a more specific location above is proxied to
# the backend.
location / {
    proxy_pass http://$backend_host;
    proxy_read_timeout 900;
    # Forwarding headers so the backend sees the original host, client and scheme.
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header Host $http_host;
}
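server {
    server_name cdn.example.com;
    root /var/www/cdn;
    # The app bundle is revalidated by browsers on every request (max-age=0,
    # must-revalidate) while shared caches may keep it for 10 minutes (s-maxage=600);
    # the epoch Expires header is a fallback for caches that ignore Cache-Control.
    location ~ ^/bundle\.js$ {
        etag on;
        add_header Cache-Control "public, s-maxage=600, max-age=0, must-revalidate";
        add_header Expires "Thu, 01 Jan 1970 00:00:01 GMT";
    }
    # NOTE(review): as published this server block was never closed (the next line was
    # another `server {`), which nginx rejects; the brace below terminates it.
}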
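server {
    server_name example.com;
    # $root is set but every location below proxies, so it is only used for error
    # pages / anything nginx serves itself.
    root /var/www/example;
    include /srv/server-configs/nginx-conf/includes/vars.partial-conf;
    # Marketing site served by a local process on :8080.
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 900;
    }
    # NOTE(review): unanchored at the end, so /dashboardX also matches.
    location ~ ^/dashboard { # Backend
        proxy_pass http://$backend_host;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 900;
    }
    location ~ ^/blog { # Wordpress
        include /srv/server-configs/nginx-conf/includes/pass-to-wordpress.partial-conf;
    }
    location ~ ^/knowledge-base { # Wordpress
        include /srv/server-configs/nginx-conf/includes/pass-to-wordpress.partial-conf;
    }
    location ~ ^/tutorials { # Wordpress
        include /srv/server-configs/nginx-conf/includes/pass-to-wordpress.partial-conf;
    }
    # logging
    error_log /var/log/nginx/error-root.log;
    # redirects
    # /admin and /admin/<rest> are redirected (302) to /dashboard and /dashboard/<rest>.
    # The pattern has a single capture group, so the replacement must use $1 — the
    # original $2 referenced a group that does not exist and lost the sub-path.
    rewrite ^/admin(/.*)?$ /dashboard$1 redirect;
}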
# Include fragment: the standard set of forwarding headers and timeout for proxying
# to a backend on this host.  Has no effect on its own; a proxy_pass in the including
# location does the forwarding.
proxy_read_timeout 900;
proxy_set_header X-Forwarded-Proto $scheme;
# Appends $remote_addr to any client-supplied X-Forwarded-For; only the right-most
# entry is nginx's own.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header Host $http_host;
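user www-data;
worker_processes auto;
worker_rlimit_nofile 50000;
pid /run/nginx.pid;

events {
    worker_connections 25000;
    use epoll;
    multi_accept on;
}

http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # Do not advertise the nginx version in the Server header and error pages.
    server_tokens off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    # TLS 1.0/1.1 are deprecated (RFC 8996) and have been dropped from the original
    # list; TLSv1.3 is accepted by nginx 1.13+ and negotiated when the linked OpenSSL
    # supports it.  Server blocks under sites-enabled may override this.
    ssl_protocols TLSv1.2 TLSv1.3;
    # NOTE(review): ssl_prefer_server_ciphers is on but no ssl_ciphers list is set
    # here, so nginx's built-in default applies unless an include sets one.
    ssl_prefer_server_ciphers on;
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    gzip on;
    gzip_disable "msie6";
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}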
# Include fragment: proxy to the renderer process on localhost:50000 with the standard
# forwarding headers.
proxy_pass http://127.0.0.1:50000;
proxy_read_timeout 900;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header Host $http_host;
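# Include fragment: proxy the request to the WordPress host ($wordpress is set in
# vars.partial-conf).  The original line lacked its terminating semicolon, which makes
# nginx swallow the following directive as extra arguments and refuse the config.
# NOTE(review): with a variable in proxy_pass, a hostname is resolved per request and
# needs a `resolver`; an IP literal does not.
proxy_pass http://$wordpress:80;
# Rewrite upstream Location/Refresh headers pointing at WordPress back to this host.
proxy_redirect http://$wordpress/ /;
client_max_body_size 10M;
# not setting Host when proxying outside this server because that causes nginx to infloop
# see https://stackoverflow.com/questions/32362396/nginx-reverse-proxy-causing-infinite-loop
# (Host therefore defaults to the upstream address, $proxy_host.)
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 900;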
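# Include fragment: per-deployment variables referenced by the server blocks.
set $csp_host example.com;                                 # host used in the renderer CSP
set $root_redirect_url https://example.com/?ref=app.example.com; # target of the app root redirect
set $backend_host 127.0.0.1:60000;                         # main application backend
set $renderer_host 127.0.0.1:50000;                        # renderer process
# The address is redacted on the published page; the placeholder is kept as-is.
# The original line was missing its semicolon, which is a config parse error.
set $wordpress <some_ip_that_we_hid>;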