nathan-muir/sites-enabled-meteor Secret

## sites-enabled-meteor
map $http_upgrade $connection_upgrade {
    default   upgrade;
    ''        close;
}

upstream meteor {
  server 127.0.0.1:8080;
}

server_tokens off;
resolver                   8.8.8.8 valid=300s;
resolver_timeout           10s;
proxy_cache_path           /tmp/cache levels=1:2 keys_zone=S3_CACHE:10m inactive=48h max_size=1000m;
proxy_temp_path            /tmp/cache/temp;

server {
  listen 80;
  server_name mysite.com;
  return 301 https://mysite.com$request_uri;
}

server {
  listen 443 ssl default deferred spdy;

  server_name localhost mysite.com;

  ssl_certificate /etc/nginx/ssl/mysite.com.crt;
  ssl_certificate_key /etc/nginx/ssl/mysite.com.key;

  # enable session resumption to improve https performance
  # http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
  ssl_session_cache shared:SSL:50m;
  ssl_session_timeout 5m;


  # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
  ssl_dhparam /etc/nginx/ssl/dhparam.pem;

  # enables server-side protection from BEAST attacks
  # http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
  ssl_prefer_server_ciphers on;
  # disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  # ciphers chosen for forward secrecy and compatibility
  # http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
  ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
  add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

  gzip on;
  gzip_disable "msie6";
  gzip_min_length 1100;
  gzip_vary on;
  gzip_proxied any;
  gzip_comp_level 6;
  gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

  location = /robots.txt  {
    root /var/app/msite.com/www/programs/web.browser/app;
    access_log off;
    expires max;
    add_header Pragma public;
    add_header Cache-Control "public";
  }

  location = /favicon.ico { access_log off; log_not_found off; }

  # this is any assets that belong in packages
  location /packages/ {
    root /var/app/msite.com/www/programs/web.browser;
    access_log off;
    expires max;
    add_header Pragma public;
    add_header Cache-Control "public";
  }

  # this is for the main css & js
  location ~* "^/[a-z0-9]{40}\.(css|js)$" {
    root /var/app/msite.com/www/programs/web.browser;
    access_log off;
    expires max;
    add_header Pragma public;
    add_header Cache-Control "public";
  }

  # this is for any sockets
  location /sockjs/ {
    proxy_pass http://meteor;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
  }

  location ~* /user-content/(.*) {
    limit_except GET {
      deny   all;
    }

    proxy_set_header       Host 's3.amazonaws.com';
    proxy_set_header       Authorization '';
    proxy_hide_header      x-amz-id-2;
    proxy_hide_header      x-amz-request-id;
    proxy_hide_header      Set-Cookie;
    proxy_ignore_headers   "Set-Cookie";
    proxy_intercept_errors on;

    proxy_cache            S3_CACHE;
    proxy_cache_valid      200 24h;
    proxy_cache_valid      403 15m;
    proxy_cache_bypass     $http_cache_purge;
    add_header             X-Cached $upstream_cache_status;

    proxy_http_version     1.1;
    proxy_set_header       Connection "";
    proxy_pass             http://s3.amazonaws.com/mybucket/$1;
  }

  location / {
    proxy_pass http://meteor;
    add_header X-Meteor "1";
    expires -1;
  }

}
	map $http_upgrade $connection_upgrade {
	default upgrade;
	'' close;
	}

	upstream meteor {
	server 127.0.0.1:8080;
	}

	server_tokens off;
	resolver 8.8.8.8 valid=300s;
	resolver_timeout 10s;
	proxy_cache_path /tmp/cache levels=1:2 keys_zone=S3_CACHE:10m inactive=48h max_size=1000m;
	proxy_temp_path /tmp/cache/temp;

	server {
	listen 80;
	server_name mysite.com;
	return 301 https://mysite.com$request_uri;
	}

	server {
	listen 443 ssl default deferred spdy;

	server_name localhost mysite.com;

	ssl_certificate /etc/nginx/ssl/mysite.com.crt;
	ssl_certificate_key /etc/nginx/ssl/mysite.com.key;

	# enable session resumption to improve https performance
	# http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
	ssl_session_cache shared:SSL:50m;
	ssl_session_timeout 5m;


	# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
	ssl_dhparam /etc/nginx/ssl/dhparam.pem;

	# enables server-side protection from BEAST attacks
	# http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
	ssl_prefer_server_ciphers on;
	# disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	# ciphers chosen for forward secrecy and compatibility
	# http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
	ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
	add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

	gzip on;
	gzip_disable "msie6";
	gzip_min_length 1100;
	gzip_vary on;
	gzip_proxied any;
	gzip_comp_level 6;
	gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

	location = /robots.txt {
	root /var/app/msite.com/www/programs/web.browser/app;
	access_log off;
	expires max;
	add_header Pragma public;
	add_header Cache-Control "public";
	}

	location = /favicon.ico { access_log off; log_not_found off; }

	# this is any assets that belong in packages
	location /packages/ {
	root /var/app/msite.com/www/programs/web.browser;
	access_log off;
	expires max;
	add_header Pragma public;
	add_header Cache-Control "public";
	}

	# this is for the main css & js
	location ~* "^/[a-z0-9]{40}\.(css\|js)$" {
	root /var/app/msite.com/www/programs/web.browser;
	access_log off;
	expires max;
	add_header Pragma public;
	add_header Cache-Control "public";
	}

	# this is for any sockets
	location /sockjs/ {
	proxy_pass http://meteor;
	proxy_http_version 1.1;
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection $connection_upgrade;
	}

	location ~* /user-content/(.*) {
	limit_except GET {
	deny all;
	}

	proxy_set_header Host 's3.amazonaws.com';
	proxy_set_header Authorization '';
	proxy_hide_header x-amz-id-2;
	proxy_hide_header x-amz-request-id;
	proxy_hide_header Set-Cookie;
	proxy_ignore_headers "Set-Cookie";
	proxy_intercept_errors on;

	proxy_cache S3_CACHE;
	proxy_cache_valid 200 24h;
	proxy_cache_valid 403 15m;
	proxy_cache_bypass $http_cache_purge;
	add_header X-Cached $upstream_cache_status;

	proxy_http_version 1.1;
	proxy_set_header Connection "";
	proxy_pass http://s3.amazonaws.com/mybucket/$1;
	}

	location / {
	proxy_pass http://meteor;
	add_header X-Meteor "1";
	expires -1;
	}

	}