# Rate-limit state for the public API: a 10 MB shared zone allowing 8 requests/second per key,
# where the key is the value of the Authorization request header.
# NOTE(review): nginx does not account requests whose key is empty, so traffic sent without an
# Authorization header is never limited by this zone, and the limit applies per header value
# rather than per client. Consider an additional zone keyed on $binary_remote_addr.
# NOTE(review): a zone only takes effect where a `limit_req zone=public_api ...;` directive
# references it; none is visible in this listing. Confirm it is applied somewhere, e.g.
#   limit_req zone=public_api burst=<BURST_PLACEHOLDER> nodelay;
limit_req_zone $http_Authorization zone=public_api:10m rate=8r/s;

# api
server {
    server_name api.example.com;
    include /srv/server-configs/nginx-conf/includes/vars.partial-conf;

    # logging
    error_log /var/log/nginx/error-api.log;

    # The bare root carries no API resource; send callers to the documentation.
    location = / {
        return 307 https://example.com/docs/?ref=api.example.com;
    }

    # File endpoints: proxied like the catch-all below, but with a 100 MB request-body limit.
    location ~ ^/v1/[^/]+/files {
        client_max_body_size 100M;
        rewrite ^/(.*) /public_api/$1 break;
        proxy_pass http://$backend_host;
        proxy_read_timeout 900;
        # NOTE(review): $http_host is the Host header exactly as the client sent it; the backend
        # should not build links or make trust decisions from it without validating it.
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        # $remote_addr is the directly connected peer. NOTE(review): behind a CDN or load
        # balancer this is the proxy's address unless the realip module is configured - confirm.
        proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
        # Appends $remote_addr to whatever X-Forwarded-For the client supplied, so only the
        # last entry is written by this server.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Everything else: prefix the path with /public_api/ and hand it to the backend.
    location / {
        rewrite ^/(.*) /public_api/$1 break;
        proxy_pass http://$backend_host;
        proxy_read_timeout 900;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
# Decides who may fetch source maps, keyed on the CF-Connecting-IP request header.
# Listed addresses map to a sentinel that can never equal $host; every other value maps to
# app.example.com, which the `.map` location compares against $host to return 403.
# NOTE(review): CF-Connecting-IP is an ordinary request header. It can only be trusted when the
# origin accepts connections exclusively from the CDN (firewall allow-list or authenticated
# origin pulls); nothing in this listing shows that restriction - confirm it exists.
map $http_cf_connecting_ip $host_if_sourcemaps_blocked {
    128.199.37.136  trackjs-allowed;
    142.4.218.95    trackjs-allowed;
    167.114.172.73  trackjs-allowed;
    198.27.94.180   trackjs-allowed;
    default         app.example.com;
}
server {
    server_name app.example.com;
    root /var/www/app;

    # logging
    error_log /var/log/nginx/error-app.log;
    access_log /var/log/nginx/access-app.log;

    include /srv/server-configs/nginx-conf/includes/vars.partial-conf;

    # Source maps: 403 unless the map above cleared the caller. Requests that pass the check
    # fall through to static file serving from `root`.
    # This regex location must stay above the generated include: regex locations are tried in
    # order of appearance, and the first match wins.
    # NOTE(review): the deny only fires when $host equals the literal app.example.com. If this
    # server can answer for any other Host value, the comparison never matches; a map that
    # yields a plain 0/1 flag would not depend on Host - confirm.
    location ~ \.map$ {
        if ($host = $host_if_sourcemaps_blocked) {
            return 403;
        }
    }

    include /srv/server-configs/nginx-conf/generated-includes/app.include;
}
# Exact match on the site root: temporary redirect (method-preserving) to the URL held in
# $root_redirect_url, which must be set by the including server block.
location = / {
    return 307 $root_redirect_url;
}
# Inbound e-mail endpoint: proxied to the backend with a 200 MB request-body limit.
# NOTE(review): nginx applies no access control here, so any sender verification has to happen
# in the backend. A 200 MB body combined with a 900 s read timeout makes this the most
# expensive endpoint to serve; consider restricting it to the mail provider's source
# addresses - confirm against the provider's documentation.
location /api/public/email/inbound {
    client_max_body_size 200M;
    proxy_read_timeout 900;
    proxy_pass http://$backend_host;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# Static assets are served by nginx straight from `root`; anything missing is a 404 and is
# never forwarded to the backend.
location ~ ^/(__assets)/ { # Directly serve assets via nginx
    try_files $uri $uri/ =404;
}
# version.txt is also served from disk.
# NOTE(review): the pattern is unanchored, so it matches any URI that contains "version.txt",
# not only /version.txt - confirm that is intended.
location ~ version\.txt { # Directly serve assets via nginx
    try_files $uri $uri/ =404;
}
# Long-poll transport: plain HTTP proxying to the backend with a 900 s read timeout so that
# held-open polls are not cut off. The pattern is unanchored and matches anywhere in the URI.
location ~ socket/longpoll { # Backend (WS)
    proxy_read_timeout 900;
    proxy_pass http://$backend_host;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# WebSocket transport: same forwarding headers as the other backend locations, plus the
# HTTP/1.1 Upgrade handshake headers the protocol switch needs.
# NOTE(review): nginx does not check the Origin header on the handshake; cross-site WebSocket
# protection, if any, has to be enforced by the backend - confirm.
location ~ socket/websocket { # Backend (WS)
    # socket related settings
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    proxy_read_timeout 900;
    proxy_pass http://$backend_host;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
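location ~ ^/(app|__render|__buffer)/ { # Renderer
    # CORS preflight, lifted from https://enable-cors.org/server_nginx.html
    # Answered by nginx itself with 204; the request never reaches the renderer.
    if ($request_method = 'OPTIONS') {
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET, PATCH, PUT, POST, OPTIONS';
        #
        # Custom headers and headers various browsers *should* be OK with but aren't
        #
        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
        #
        # Tell client that this pre-flight info is valid for 20 days
        #
        add_header 'Access-Control-Max-Age' 1728000;
        add_header 'Content-Type' 'text/plain; charset=utf-8';
        add_header 'Content-Length' 0;
        return 204;
    }

    # Response headers for the proxied request itself, declared once at location level.
    # They previously sat in per-method `if` blocks for GET and POST. add_header is inherited
    # from the enclosing level only when the current level declares none, and a matched `if`
    # is its own level, so for GET and POST the Content-Security-Policy below was silently
    # dropped. Declared here, CORS and CSP are sent together for every non-preflight method
    # (PUT and PATCH, already advertised in Allow-Methods, now receive the CORS headers too).
    # NOTE(review): the wildcard origin lets any site read these responses; browsers refuse it
    # for credentialed requests. Confirm these paths are meant to be readable cross-origin.
    add_header 'Access-Control-Allow-Origin' '*';
    add_header 'Access-Control-Allow-Methods' 'GET, PATCH, PUT, POST, OPTIONS';
    add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
    add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';

    # NOTE(review): 'unsafe-inline' in default-src permits inline scripts, which removes most of
    # the XSS mitigation a CSP provides, and img-src allows plain http:. The policy has no
    # frame-ancestors directive.
    add_header Content-Security-Policy "default-src https://$csp_host https://*.$csp_host wss://$csp_host wss://*.$csp_host https://firebasestorage.googleapis.com 'unsafe-inline' https://*.trackjs.com; font-src https: data:; img-src 'self' http: https: data: blob:; style-src https: data: 'unsafe-inline'; object-src 'none';";
    # An empty value makes nginx emit no X-Frame-Options header for this location.
    # NOTE(review): this does not strip a header set by the upstream (that needs
    # proxy_hide_header), and with no frame-ancestors above nginx places no restriction on
    # framing of these paths - confirm that is intended.
    add_header X-Frame-Options "";

    proxy_pass http://$renderer_host;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_read_timeout 900;
}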
# Catch-all: whatever no other location claimed is proxied to the backend.
# NOTE(review): Host and X-Forwarded-Host carry the client's Host header unmodified, and
# X-Forwarded-For keeps any client-supplied entries ahead of $remote_addr; the backend should
# treat only the last X-Forwarded-For entry as written by this server.
location / {
    proxy_read_timeout 900;
    proxy_pass http://$backend_host;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
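# Static CDN origin, served directly from disk.
server {
    server_name cdn.example.com;
    root /var/www/cdn;

    # bundle.js: shared caches may keep it for 10 minutes (s-maxage=600) while browsers must
    # revalidate on every use (max-age=0, must-revalidate), which the ETag makes cheap.
    # The already-expired Expires date covers caches that ignore Cache-Control.
    location ~ ^/bundle\.js$ {
        etag on;
        add_header Cache-Control "public, s-maxage=600, max-age=0, must-revalidate";
        add_header Expires "Thu, 01 Jan 1970 00:00:01 GMT";
    }
}   # closing brace of `server` was absent from the published listing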
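# Marketing site: default traffic goes to the local site process, /dashboard to the backend,
# and the content sections to WordPress.
server {
    server_name example.com;
    root /var/www/example;
    include /srv/server-configs/nginx-conf/includes/vars.partial-conf;

    location / {
        proxy_pass http://127.0.0.1:8080;
        # NOTE(review): $http_host is the client's Host header as sent; the upstream should
        # validate it before using it in generated links or redirects.
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 900;
    }

    location ~ ^/dashboard { # Backend
        proxy_pass http://$backend_host;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 900;
    }

    location ~ ^/blog { # Wordpress
        include /srv/server-configs/nginx-conf/includes/pass-to-wordpress.partial-conf;
    }

    location ~ ^/knowledge-base { # Wordpress
        include /srv/server-configs/nginx-conf/includes/pass-to-wordpress.partial-conf;
    }

    location ~ ^/tutorials { # Wordpress
        include /srv/server-configs/nginx-conf/includes/pass-to-wordpress.partial-conf;
    }

    # logging
    error_log /var/log/nginx/error-root.log;

    # redirects
    # Server-level rewrites run before location matching, wherever they appear in the block.
    # The pattern has a single capture group, so the sub-path is $1; the previous $2 was always
    # empty and sent every /admin/... URL to the bare /dashboard.
    rewrite ^/admin(/.*)?$ /dashboard$1 redirect;
}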
# Shared forwarding settings for proxied locations (no proxy_pass here; the including
# location supplies the upstream).
proxy_read_timeout 900;
# Host and X-Forwarded-Host both carry the client's Host header as sent.
# NOTE(review): the upstream should validate it before using it in links or redirects.
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Proto $scheme;
# $remote_addr is the directly connected peer; X-Forwarded-For gets it appended after any
# entries the client supplied.
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Main context: workers run as the unprivileged www-data account, one per CPU core.
user www-data;
pid /run/nginx.pid;
worker_processes auto;
# Per-worker file-descriptor ceiling. A proxied connection uses two descriptors (client and
# upstream), which is why this is twice worker_connections.
worker_rlimit_nofile 50000;

events {
    use epoll;
    multi_accept on;
    worker_connections 25000;
}
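http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # TLS 1.0 and 1.1 are formally deprecated (RFC 8996) and were removed from the list that
    # previously read "TLSv1 TLSv1.1 TLSv1.2"; SSLv3 stays disabled as before (POODLE).
    # TLSv1.3 can be appended on nginx/OpenSSL builds that support it.
    # NOTE(review): no server block in this listing declares `listen ... ssl`, so this only
    # matters where TLS is terminated by nginx rather than by a fronting CDN - confirm.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    gzip on;
    gzip_disable "msie6";

    # Include order is kept as-is: the first server block loaded for a listen address becomes
    # its default server unless one is marked default_server.
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}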
# Forward to the local process on port 50000 (the same address vars.partial-conf assigns to
# $renderer_host) with the standard forwarding headers.
proxy_pass http://127.0.0.1:50000;
proxy_read_timeout 900;
# NOTE(review): Host and X-Forwarded-Host are the client's Host header, unvalidated.
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
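# Hand the request to the WordPress host named by $wordpress.
# The terminating semicolon was missing on proxy_pass, which made nginx read the following
# proxy_redirect line as extra arguments and reject the configuration.
# NOTE(review): this hop is plain HTTP. If $wordpress is not on a private network, logins and
# session cookies for the WordPress paths cross it unencrypted - confirm.
# NOTE(review): proxy_pass with a variable needs a `resolver` when the value is a host name
# rather than an IP address.
proxy_pass http://$wordpress:80;
# Rewrite absolute redirects issued by WordPress so they point back at this site.
proxy_redirect http://$wordpress/ /;
client_max_body_size 10M;
# not setting Host when proxying outside this server because that causes nginx to infloop
# see https://stackoverflow.com/questions/32362396/nginx-reverse-proxy-causing-infinite-loop
proxy_set_header X-Real-IP $remote_addr; # pass on real client's IP
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 900;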
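# Per-deployment variables, included inside each server block.
# Host used to build the Content-Security-Policy source list.
set $csp_host example.com;
# Target of the `location = /` redirect on the app host.
set $root_redirect_url https://example.com/?ref=app.example.com;
# Upstreams on loopback: reachable only from this machine.
set $backend_host 127.0.0.1:60000;
set $renderer_host 127.0.0.1:50000;
# WordPress upstream; the address is redacted in the published listing. The terminating
# semicolon was missing, which nginx rejects at load time.
set $wordpress <some_ip_that_we_hid>;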