sgnn7/nginx.conf

## nginx.conf
# vim:ff=unix:ts=2:sw=2:ai:expandtab

# Cache location setup - this should be the NAS
proxy_cache_path /var/cache/nginx
                 levels=1:2
                 keys_zone=bundle-cache:8M
                 max_size=100000M
                 inactive=3M
                 loader_threshold=330
                 loader_files=1000;

# We want to keep the log of redirects
rewrite_log on;

server {
  listen                443 ssl default_server;
  ssl                   on;
  ssl_certificate       foo;
  ssl_certificate_key   bar;

  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers "ciphers";

  ssl_stapling          on;
  ssl_stapling_verify   on;
  resolver              8.8.4.4 8.8.8.8;

  add_header Strict-Transport-Security "max-age=2628000; includeSubDomains";

  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto $scheme;

  root /roots;

  # Bypass the Rails app completely for bundles,content, and signatures since we know
  # where the nginx path is for accessing those resources
  location ~* ^/s3cache/(.*)$ {
    set $master_s3_fqdn somewhere.com;

    # If the client is not on the internal IP range (10.0.1-9.*),
    # redirect to real S3 location
    if ($remote_addr !~ "^99\.0\.[1-9]\.[0-9]{1,3}$") {
      rewrite ^/s3cache/(.*)$ $scheme://$master_s3_fqdn/$1 last;
    }

    # Forward the correct url
    rewrite ^/s3cache/(.*)$ /$1 break;

    expires 6M;

    # Define the proxy target
    proxy_http_version        1.1;
    proxy_pass                $scheme://$master_s3_fqdn;
    proxy_set_header          Host "$master_s3_fqdn";

    # Strip headers
    proxy_set_header          Authorization '';
    proxy_hide_header         X-Amz-Cf-Id;
    proxy_hide_header         Via;
    proxy_hide_header         Set-Cookie;
    proxy_hide_header         X-Cache;

    # Strip and ignore other headers
    proxy_ignore_headers      Set-Cookie Expires Cache-Control X-Accel-Expires X-Accel-Limit-Rate X-Accel-Buffering;

    # Lets us know if we hit cache or not
    add_header                X-Cache "$upstream_cache_status from proxy";

    # Cache if needed
    proxy_store               off;
    proxy_cache               bundle-cache;
    proxy_cache_lock          on;
    proxy_cache_lock_timeout  30m;
    proxy_cache_key           "$request_uri";
    proxy_cache_valid         200 301 302 6M;
    proxy_cache_use_stale     error timeout invalid_header updating;
  }
}
	# vim:ff=unix:ts=2:sw=2:ai:expandtab

	# Cache location setup - this should be the NAS
	proxy_cache_path /var/cache/nginx
	levels=1:2
	keys_zone=bundle-cache:8M
	max_size=100000M
	inactive=3M
	loader_threshold=330
	loader_files=1000;

	# We want to keep the log of redirects
	rewrite_log on;

	server {
	listen 443 ssl default_server;
	ssl on;
	ssl_certificate foo;
	ssl_certificate_key bar;

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;
	ssl_ciphers "ciphers";

	ssl_stapling on;
	ssl_stapling_verify on;
	resolver 8.8.4.4 8.8.8.8;

	add_header Strict-Transport-Security "max-age=2628000; includeSubDomains";

	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto $scheme;

	root /roots;

	# Bypass the Rails app completely for bundles,content, and signatures since we know
	# where the nginx path is for accessing those resources
	location ~* ^/s3cache/(.*)$ {
	set $master_s3_fqdn somewhere.com;

	# If the client is not on the internal IP range (10.0.1-9.*),
	# redirect to real S3 location
	if ($remote_addr !~ "^99\.0\.[1-9]\.[0-9]{1,3}$") {
	rewrite ^/s3cache/(.*)$ $scheme://$master_s3_fqdn/$1 last;
	}

	# Forward the correct url
	rewrite ^/s3cache/(.*)$ /$1 break;

	expires 6M;

	# Define the proxy target
	proxy_http_version 1.1;
	proxy_pass $scheme://$master_s3_fqdn;
	proxy_set_header Host "$master_s3_fqdn";

	# Strip headers
	proxy_set_header Authorization '';
	proxy_hide_header X-Amz-Cf-Id;
	proxy_hide_header Via;
	proxy_hide_header Set-Cookie;
	proxy_hide_header X-Cache;

	# Strip and ignore other headers
	proxy_ignore_headers Set-Cookie Expires Cache-Control X-Accel-Expires X-Accel-Limit-Rate X-Accel-Buffering;

	# Lets us know if we hit cache or not
	add_header X-Cache "$upstream_cache_status from proxy";

	# Cache if needed
	proxy_store off;
	proxy_cache bundle-cache;
	proxy_cache_lock on;
	proxy_cache_lock_timeout 30m;
	proxy_cache_key "$request_uri";
	proxy_cache_valid 200 301 302 6M;
	proxy_cache_use_stale error timeout invalid_header updating;
	}
	}