@nicky-zs
Last active August 25, 2017 05:51
A general nginx config file with openresty health check support.
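# Process-level settings (main context).
# The pid file, lock file and error log are written to fixed paths; keep
# /run/nginx and /opt/logs/nginx writable only by the account that runs nginx,
# since the error log can contain request details.
pid /run/nginx/nginx.pid;
lock_file /run/nginx/nginx.lock;
error_log /opt/logs/nginx/error.log error;

# Fixed: this directive was missing its terminating semicolon. Without it
# nginx reads the next directive as extra arguments to pcre_jit and refuses
# to load the configuration.
pcre_jit on;

worker_processes 4;

# Negative value = higher scheduling priority for the worker processes.
worker_priority -10;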
events {
    # Connection-processing method: Linux epoll.
    use epoll;

    # Let a worker accept every pending connection in one pass instead of
    # one connection at a time.
    multi_accept on;

    # Upper bound on simultaneous connections per worker process.
    worker_connections 4096;
}
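http {
    # ---------- logging ----------
    # The access log records the client-supplied X-Forwarded-For, Host,
    # Referer and User-Agent values verbatim. Treat those fields as untrusted
    # input in any tool that parses or renders the log.
    log_format main '[$time_local] $remote_addr "$http_x_forwarded_for" '
                    '$status $scheme "$http_host" "$request" '
                    '"$http_referer" "$http_user_agent" '
                    '$request_length $content_length $bytes_sent $body_bytes_sent '
                    '$request_time $upstream_response_time';
    access_log /opt/logs/nginx/access.log main;

    # ---------- temp files ----------
    # Request bodies and proxied responses are spooled to these directories.
    # They sit under /tmp, which is normally world-writable: make sure
    # /tmp/nginx is created in advance, owned by the nginx user and not
    # readable or writable by other local accounts.
    client_body_temp_path /tmp/nginx/client_body_temp;
    proxy_temp_path       /tmp/nginx/proxy_temp;
    fastcgi_temp_path     /tmp/nginx/fastcgi_temp;
    uwsgi_temp_path       /tmp/nginx/uwsgi_temp;
    scgi_temp_path        /tmp/nginx/scgi_temp;

    include mime.types;
    default_type application/octet-stream;

    # ---------- connection handling ----------
    keepalive_timeout 65;
    sendfile    on;
    tcp_nopush  on;
    tcp_nodelay on;

    # ---------- request size limits and timeouts ----------
    # Short header/body/send timeouts (10 s) bound how long a slow client can
    # hold a connection open; client_max_body_size caps uploads at 64 MB.
    client_body_buffer_size     64k;
    client_max_body_size        64m;
    client_header_buffer_size   1k;
    large_client_header_buffers 4 8k;
    output_buffers  1 32k;
    postpone_output 1460;
    client_header_timeout 10;
    client_body_timeout   10;
    send_timeout          10;

    # ---------- compression ----------
    # NOTE(review): gzip is enabled globally, including for proxied responses
    # marked private or sent to authenticated requests (gzip_proxied ... auth).
    # Over TLS, compressing responses that mix secrets with attacker-influenced
    # content is the precondition for BREACH-style length side channels;
    # consider disabling gzip in locations that serve such responses.
    gzip on;
    gzip_min_length 860;
    gzip_proxied expired no-cache no-store private auth;
    gzip_types text/plain text/css text/xml application/javascript application/json
               application/atom+xml application/rss+xml application/xhtml+xml;
    gzip_comp_level 6;
    gzip_disable msie6;

    # ---------- TLS ----------
    # Changed: TLSv1 and TLSv1.1 were removed (both are deprecated, RFC 8996).
    # Add TLSv1.3 to this list when the nginx/OpenSSL build supports it.
    ssl_protocols TLSv1.2;
    # Changed: the DH+3DES entry was removed. 3DES is a 64-bit block cipher
    # and is no longer considered acceptable for TLS. The remaining suites
    # are all ECDHE-based.
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5;
    # Sessions are resumable for up to 3 hours from a cache shared by all
    # workers. NOTE(review): a long resumption window widens the period in
    # which a compromised session state exposes past traffic; shorten it if
    # forward secrecy matters more than handshake cost.
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 180m;
    ssl_prefer_server_ciphers on;

    # ---------- proxy defaults (inherited by the site configs) ----------
    proxy_connect_timeout 5s;
    proxy_read_timeout 30s;
    # Never retry a failed request on another upstream peer.
    proxy_next_upstream off;
    # HTTP/1.1 plus an empty Connection header allows upstream keepalive.
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # $proxy_add_x_forwarded_for appends $remote_addr to whatever
    # X-Forwarded-For the client sent, so everything before the last entry is
    # client-controlled. Backends should rely on X-Real-IP (or only the last
    # X-Forwarded-For entry) for access decisions and audit logs.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # ---------- banner suppression ----------
    server_tokens off;
    # more_set_headers comes from the headers-more module (bundled with
    # OpenResty); the empty value is meant to strip the Server header.
    more_set_headers 'Server:';

    # ---------- internal/public classification ----------
    # $from_public is 0 for loopback, RFC 1918 and 100.64.0.0/10 (shared
    # address space) sources and 1 for everything else, including any IPv6
    # address. It is derived from the connecting peer address: if nginx sits
    # behind a load balancer or proxy with a private address, every request
    # looks internal and this variable must not be used as an access control.
    geo $from_public {
        default        1;
        127.0.0.0/8    0;
        10.0.0.0/8     0;
        100.64.0.0/10  0;
        172.16.0.0/12  0;
        192.168.0.0/16 0;
    }

    # ---------- default HTTP server ----------
    # Catches requests whose Host matches no configured site. 444 makes nginx
    # close the connection without sending a response.
    server {
        listen 80 default_server;
        access_log off;

        location / {
            return 444;
        }

        # Upstream health status page, served over plain HTTP and only to
        # sources classified as internal by the geo block above. The page
        # lists upstream peers and their state, so keep it off public paths.
        location = /status {
            if ($from_public) {
                return 444;
            }
            default_type text/plain;
            content_by_lua_block {
                local hc = require "resty.upstream.healthcheck"
                ngx.say("Nginx Worker PID: ", ngx.worker.pid())
                ngx.print(hc.status_page())
            }
        }
    }

    # ---------- default HTTPS server ----------
    # Same catch-all for TLS. The handshake still completes with the
    # certificate below before the connection is dropped, so that certificate
    # is visible to anyone probing the address; protect the key file with
    # restrictive permissions.
    server {
        listen 443 ssl default_server;
        access_log off;
        ssl_certificate     /opt/certificates/_.pem;
        ssl_certificate_key /opt/certificates/_.key;

        location / {
            return 444;
        }
    }

    ########## all site config should be in sites-enabled/ ##########
    include sites-enabled/*.conf;

    ########## put health check scripts for all upstreams below ##########
    lua_shared_dict healthcheck_dict 1m;
    # Socket errors from the health checker are not written to the error log.
    lua_socket_log_errors off;

    init_worker_by_lua_block {
        local hc = require "resty.upstream.healthcheck"

        -- "some_upstream" and "upstream.domain" are placeholders; replace
        -- them with the real upstream block name and Host value.
        local ok, err = hc.spawn_checker {
            shm = "healthcheck_dict",   -- defined by "lua_shared_dict"
            upstream = "some_upstream", -- defined by "upstream"
            type = "http",
            http_req = "GET /healthcheck HTTP/1.0\r\nHost: upstream.domain\r\n\r\n", -- raw HTTP request for checking
            interval = 1000, -- run the check cycle every 1 sec
            timeout = 500,   -- 0.5 sec is the timeout for network operations
            fall = 3,        -- # of successive failures before turning a peer down
            rise = 2,        -- # of successive successes before turning a peer up
            -- List of HTTP status codes that count as healthy.
            -- NOTE(review): 302 is accepted, so a peer that answers the probe
            -- with a redirect (for example to a login or error page) is still
            -- marked up. Restrict this to 200 if the endpoint never redirects.
            valid_statuses = {200, 302},
            concurrency = 10, -- concurrency level for test requests
        }
        if not ok then
            -- A failed spawn is only logged; the worker keeps running
            -- without health checks for this upstream.
            ngx.log(ngx.ERR, "failed to spawn health checker: ", err)
        end

        -- Just call hc.spawn_checker() for more times here if you have
        -- more upstream groups to monitor. One call for one upstream group.
        -- They can all share the same shm zone without conflicts but they
        -- need a bigger shm zone for obvious reasons.
    }
    ########## put health check scripts for all upstreams above ##########
}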