|
# Main-context process settings.

# Pid file of the master process. Note it lives under /var/log rather than
# the conventional /var/run location (kept below, commented out, for
# reference); the packaged init/service scripts may expect the latter.
pid /var/log/nginx.pid;
# pid /var/run/nginx.pid;

# Let nginx size the worker pool from the CPU count it detects at startup.
worker_processes auto;
|
|
|
events {
    # Do not serialise accept() between workers with the accept mutex.
    # (Intended as a small performance gain.)
    accept_mutex off;

    # Have a worker drain every pending connection when it wakes up instead
    # of taking one at a time. Combined with a too-small worker_connections
    # value this can exhaust a worker's connection slots under a burst.
    multi_accept on;

    # Per-worker ceiling on simultaneous connections (clients plus upstream
    # sockets). Aggregate capacity is worker_connections * worker_processes,
    # further bounded by the host's socket/file-descriptor limits (~64k).
    worker_connections 1024;

    # The connection-processing method is left to nginx's auto-detection.
    # epoll (Linux 2.6+) is the usual choice on Linux and can be forced with:
    # use epoll;
}
|
|
|
http {
    # Larger variable hash tables: OpenResty registers many extra variables
    # and the default table sizes can be too small for them.
    variables_hash_bucket_size 128;
    variables_hash_max_size 1024;

    # Don't reveal the nginx version in the Server header or on error pages.
    server_tokens off;

    # Copy file data between descriptors inside the kernel;
    # faster than read() + write() through user space.
    sendfile on;

    # With sendfile on, send the response headers and the start of the file
    # in one packet rather than piecemeal.
    tcp_nopush on;

    # Disable Nagle's algorithm (TCP_NODELAY): don't hold back small writes,
    # good for small real-time data bursts.
    tcp_nodelay on;

    # Seconds an idle keep-alive client connection is kept open before the
    # server closes it.
    keepalive_timeout 50;

    # Short read/write timeouts (seconds) so that slow or stalled clients
    # (slowloris-style connection exhaustion) release workers quickly.
    client_body_timeout 10;
    client_header_timeout 10;
    send_timeout 10;

    types_hash_max_size 2048;

    # MIME types, relative to the nginx prefix directory; the absolute-path
    # variant is kept for reference.
    #include /etc/nginx/mime.types;
    include mime.types;
    default_type application/octet-stream;

    # Logging Settings
    # No log_format is named, so access_log uses nginx's predefined
    # "combined" format. A server block may override both logs for itself.
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    # Gzip Settings
    # NOTE(review): compression also applies to TLS responses once an ssl
    # listener is enabled; compressing a response that mixes a secret with
    # attacker-controlled input is the precondition for BREACH-style
    # attacks. The proxied API routes in the site config are the ones to
    # review before enabling TLS.
    gzip on;
    gzip_http_version 1.1;
    # Emit "Vary: Accept-Encoding" so caches keep compressed and plain
    # variants apart.
    gzip_vary on;
    gzip_comp_level 6;
    gzip_proxied any;
    # Old IE (6 and below without SV1) mishandles gzip; skip it for them.
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";
    # Bytes; smaller bodies are not worth compressing.
    gzip_min_length 500;
    gzip_types text/plain text/css text/comma-separated-values
               application/json text/javascript application/javascript application/x-javascript
               text/xml application/xml application/xml+rss application/atom+xml;
    #^ text/html is always compressed and need not be listed

    # Rate limiting (basic DDOS protection)
    # Shared-memory zones keyed on the client address, 10m each. They have
    # no effect on their own: a server or location must apply them with
    # limit_conn / limit_req (the site config does this per vhost).
    limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
    limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=15r/s;

    # Utilize HSTS (HTTP Strict Transport Security) to force all traffic to be over HTTPS
    # NOTE: DISABLED BY DEFAULT AS IT WONT WORK WITH SELF SIGNED CERTS. ENABLE IN PRODUCTION MODE.
    # add_header Strict-Transport-Security max-age=31536000;

    # NOTE: add_header directives declared here are inherited by a server or
    # location block only if that block declares no add_header of its own;
    # any block that adds a header must repeat these or they are lost.

    # Forbid the browser from rendering the page inside a frame or iframe,
    # to prevent clickjacking: http://en.wikipedia.org/wiki/Clickjacking
    # If you need to allow [i]frames, use SAMEORIGIN or set a URI with ALLOW-FROM uri
    # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
    add_header X-Frame-Options DENY;

    # When serving user-supplied content, include an X-Content-Type-Options: nosniff
    # header along with the Content-Type: header, to disable content-type
    # sniffing in browsers that honour it.
    # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
    # Supported in IE > 8: http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
    # http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
    # 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
    add_header X-Content-Type-Options nosniff;

    # This header enables the Cross-site scripting (XSS) filter built into
    # some browsers. It is usually enabled by default anyway, so the role of
    # this header is to re-enable the filter for this particular website if
    # it was disabled by the user.
    # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
    # NOTE(review): current browsers have largely removed the filter this
    # header controls; it is kept for older clients, and the Content-Security-
    # Policy set in the site config is the effective protection.
    add_header X-XSS-Protection "1; mode=block";

    # Used by Adobe Flash/Acrobat: only the master crossdomain.xml may grant
    # cross-domain access.
    add_header X-Permitted-Cross-Domain-Policies "master-only";

    # Virtual Host Configs
    #include /etc/nginx/conf.d/*.conf;
    #include /etc/nginx/sites/*.conf;
    include /usr/local/etc/nginx/sites/*.conf;
}
|
|
|
# ---- sites/counterblock.conf (pulled in by the sites/*.conf include above) ----
|
# Local redis instance. Nothing in this file references this pool; it is
# presumably used by the counterblock_api_cache.inc include, which is
# commented out in the API locations below — verify before removing.
upstream cache_server {
    server 127.0.0.1:6379; #default port
    # Idle keep-alive connections to redis cached per worker.
    keepalive 128;
}
|
# Production (livenet) counterblock API backend, proxied to from @wsgi_api.
upstream counterblock_api_server {
    server 127.0.0.1:4100;
    # Idle keep-alive connections to the backend cached per worker.
    keepalive 30;
}
|
# Testnet counterblock API backend, proxied to from @t_wsgi_api.
upstream counterblock_t_api_server {
    # Container-hostname variant kept for reference; this copy targets the
    # local port directly.
    #server dogeblockd_testnet:14100;
    server 127.0.0.1:14100;
    # Idle keep-alive connections to the backend cached per worker.
    keepalive 30;
}
|
|
|
# With Content Security Policy (CSP) enabled (and a browser that supports it:
# http://caniuse.com/#feat=contentsecuritypolicy) you can tell the browser
# that it may only load content from the origins you explicitly allow.
# http://www.html5rocks.com/en/tutorials/security/content-security-policy/
# https://www.owasp.org/index.php/Content_Security_Policy
# I need to change our application code so we can increase security by
# disabling 'unsafe-inline' 'unsafe-eval' directives for css and js (if you
# have inline css or js, you will need to keep it too).
# more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
#
# This is set at http level (this file is included from the http block), so
# it is inherited by every server below that declares no add_header itself.
# NOTE(review): connect-src uses $host, which nginx fills from the client's
# Host header (or the matched server_name); on the "_" catch-all servers the
# value is therefore client-influenced — confirm that is acceptable. The
# ws:// entry allows a plaintext websocket to the testnet host, and
# style-src still carries 'unsafe-inline' (see the note above).
add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://ssl.google-analytics.com https://query.yahooapis.com; img-src 'self' data: https://ssl.google-analytics.com; style-src 'self' 'unsafe-inline' fonts.googleapis.com; font-src 'self' themes.googleusercontent.com fonts.gstatic.com; frame-src 'none'; object-src 'self'; connect-src 'self' ws://testnet.wallet.dogeparty.io wss://$host https://api.rollbar.com;";
|
|
|
|
|
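# Testnet wallet vhost.
server {
    # No "ssl" on this listener: the testnet wallet is served over plain
    # HTTP on this port.
    listen 4126;
    server_name testnet.wallet.dogeparty.io;

    # Basic rate limiting, using the zones declared in the http block.
    # Added so this vhost is limited like the production (4127) server,
    # which was the only one applying the zones; values mirror it:
    # at most 15 concurrent connections per client address, and requests
    # beyond the zone rate with a burst of 100 rejected without queuing.
    limit_conn conn_limit_per_ip 15;
    limit_req zone=req_limit_per_ip burst=100 nodelay;

    ###############
    # BASE SITE SERVING (STATIC FILES)

    # CACHING - For production use
    # Cache open file descriptors / metadata of frequently served files.
    open_file_cache max=200000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;

    location /_asset_img/ {
        access_log off;
        expires 1h;
        alias /home/xcp/.config/counterblockd/asset_img/;
    }
    location /_t_asset_img/ {
        access_log off;
        expires 1h;
        alias /home/xcp/.config/counterblockd-testnet/asset_img/;
    }
    location /src {
        # For dev/testing (uses unminified resources)
        open_file_cache off;
        expires off;
        alias /home/xcp/counterwallet/src/;
    }
    #location /servers.json {
    #    #alias /etc/nginx/servers-testnet.json;
    #    alias /Users/simon/code/dogeparty/etc/nginx/servers-testnet.json;
    #}
    location / {
        access_log off;
        expires 1h;
        # Local development checkout; the production root is set elsewhere.
        root /Users/simon/code/dogeparty/dogeparty-wallet/src/;

        # Enable this during single server system updates
        #root /home/xcp/counterpartyd_build/dist/linux/nginx/upgrade_root/;
    }
    #############

    #####
    # TESTNET
    # PROXY TO COUNTERWALLETD API REQUESTS (WSGI) - try to hit the cache in redis first
    location ^~ /_t_api {
        # Reject everything except GET, POST and OPTIONS
        limit_except GET POST OPTIONS {
            deny all;
        }

        # The redis cache lookup is disabled, so presumably every request
        # here misses static serving and reaches the app server via the
        # error_page fall-through below — confirm against the include.
        #include /etc/nginx/sites/counterblock_api_cache.inc;
        #set $redis_db "1";

        # Send to app server if Redis could not answer the request
        error_page 404 405 550 = @t_wsgi_api;
    }
    # PROXY TO COUNTERWALLETD API BACKEND (WSGI)
    location @t_wsgi_api {
        #include /etc/nginx/sites/counterblock_api.inc;
        include /usr/local/etc/nginx/sites/counterblock_api.inc;
        # Map the public prefix onto the backend's /api path; the trailing
        # "?" drops the original query arguments from the rewritten URI.
        rewrite ^/_t_api/?$ /api/? break;
        proxy_pass http://counterblock_t_api_server;
    }
    # PROXY TO COUNTERWALLETD FEED BACKEND (socket.io)
    location ^~ /_t_feed {
        #include /etc/nginx/sites/counterblock_socketio.inc;
        include /usr/local/etc/nginx/sites/counterblock_socketio.inc;
        #proxy_pass http://dogeblockd_testnet:14101/socket.io;
        proxy_pass http://127.0.0.1:14101/socket.io;
    }
    # PROXY TO COUNTERWALLETD CHAT BACKEND (socket.io)
    location ^~ /_t_chat {
        #include /etc/nginx/sites/counterblock_socketio.inc;
        include /usr/local/etc/nginx/sites/counterblock_socketio.inc;
        #proxy_pass http://dogeblockd_testnet:14102/socket.io;
        proxy_pass http://127.0.0.1:14102/socket.io;
    }
}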
|
|
|
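# Catch-all plain-HTTP listener: redirect everything to HTTPS.
server {
    # "deferred" = TCP_DEFER_ACCEPT on Linux: the worker is only woken once
    # data has arrived on the connection.
    listen 80 default_server deferred;
    server_name _;

    # "return" is the recommended form for an unconditional redirect. The
    # earlier "rewrite ^ https://$host$request_uri permanent;" produced the
    # same 301, but because $request_uri already carries the query string
    # nginx's rewrite appended the original arguments a second time
    # (/p?a=1 became https://host/p?a=1&a=1); return emits the URL as-is.
    # $host is taken from the client's Host header here (server_name is "_"),
    # so the target host is whatever the client asked for.
    # NOTE(review): nothing in this file listens on 443, so the redirect
    # target is presumably served by another config or not yet enabled.
    return 301 https://$host$request_uri;
}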
|
|
|
# Development-only listener (monitoring endpoint).
server {
    # DEV PORT (firewall on production systems)
    # NOTE(review): no access rules apply at server level, only inside the
    # status location, and no root is set, so requests for any other path
    # fall to nginx's default document root — confirm the host firewall
    # really blocks :81 in production.
    listen 81;
    server_name _;

    # for nginx newrelic agent
    location /nginx_stub_status {
        # stub_status is commented out, so the status page is not currently
        # served here; the access rules below still apply to the path.
        #stub_status on;
        access_log off;
        # Evaluated in order: loopback clients only, everyone else gets 403.
        allow 127.0.0.0/8;
        deny all;
    }
}
|
|
|
# Production (livenet) wallet vhost.
server {
    # Intended as the TLS listener, but the ssl form is commented out, so
    # this vhost currently serves plain HTTP on 4127.
    #listen 443 default_server ssl deferred;
    listen 4127 default_server deferred;
    server_name _;

    ###############
    # SSL - For production use
    # ssl_certificate /etc/ssl/certs/counterblockd.pem;
    # ssl_certificate /etc/ssl/certs/wallet_dogeparty_io.crt-bundle;
    # ssl_certificate_key /etc/ssl/private/dogeparty.key;

    # SSL - For development use
    #ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    #ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

    # support FS, and BEAST protection - https://coderwall.com/p/ebl2qa
    # NOTE(review): the TLS policy (protocols, server cipher preference,
    # session timeout, cipher list) is disabled together with the listener.
    # Re-enable it with the ssl listen line, and revisit it first: the
    # protocol list still includes TLSv1/TLSv1.1 and the cipher list still
    # admits CBC and 3DES (DES-CBC3-SHA) suites.
    # Repeats the http-level setting; harmless.
    server_tokens off;
    #ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    #ssl_prefer_server_ciphers on;
    #ssl_session_timeout 5m;
    # ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ###############

    # Per-vhost logs, overriding the http-level ones for this server.
    access_log /var/log/nginx/counterblock.access.log;
    error_log /var/log/nginx/counterblock.error.log;
    #access_log logs/counterblock.access.log;
    #error_log logs/counterblock.error.log;

    # basic rate limiting
    # Uses the zones declared in the http block: at most 15 concurrent
    # connections per client address; requests above the zone's rate are
    # allowed up to a burst of 100 without delay, the rest are rejected
    # (503 unless limit_req_status says otherwise).
    limit_conn conn_limit_per_ip 15;
    limit_req zone=req_limit_per_ip burst=100 nodelay;

    # this has to be higher than we'd like otherwise, due to the create_support_case API call...
    # (1m is also nginx's default; kept explicit as a deliberate ceiling.)
    client_max_body_size 1m;

    ###############
    # BASE SITE SERVING (STATIC FILES)

    # CACHING - For production use
    # Cache open file descriptors / metadata of frequently served files.
    open_file_cache max=200000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;

    location /_asset_img/ {
        access_log off;
        expires 1h;
        alias /home/xcp/.config/counterblockd/asset_img/;
    }
    location /src {
        # For dev/testing (uses unminified resources)
        open_file_cache off;
        expires off;
        alias /home/xcp/counterwallet/src/;
    }
    #location /servers.json {
    #    alias /etc/nginx/servers-livenet.json;
    #}
    location / {
        access_log off;
        expires 1h;
        # Local development checkout is active; the deployed root is kept
        # commented out for reference.
        #root /usr/local/nginx/html/wallet/;
        root /Users/simon/code/dogeparty/dogeparty-wallet/src/;

        # Enable this during single server system updates
        #root /home/xcp/counterpartyd_build/dist/linux/nginx/upgrade_root/;
    }
    #############

    #####
    # PRODUCTION
    # PROXY TO COUNTERWALLETD API REQUESTS (WSGI) - try to hit the cache in redis first
    location ^~ /_api
    {
        # Reject everything except GET, POST and OPTIONS
        limit_except GET POST OPTIONS {
            deny all;
        }

        # The redis cache lookup is disabled, so presumably every request
        # here misses static serving and reaches the app server via the
        # error_page fall-through below — confirm against the include.
        #include /etc/nginx/sites/counterblock_api_cache.inc;
        #set $redis_db "0";

        # Send to app server if Redis could not answer the request
        error_page 404 405 550 = @wsgi_api;
    }
    # PROXY TO COUNTERWALLETD API BACKEND (WSGI)
    location @wsgi_api {
        #include /etc/nginx/sites/counterblock_api.inc;
        include /usr/local/etc/nginx/sites/counterblock_api.inc;
        # Map the public prefix onto the backend's /api path; the trailing
        # "?" drops the original query arguments from the rewritten URI.
        rewrite ^/_api/?$ /api/? break;
        proxy_pass http://counterblock_api_server;
    }
    # PROXY TO COUNTERWALLETD FEED BACKEND (socket.io)
    location ^~ /_feed {
        #include /etc/nginx/sites/counterblock_socketio.inc;
        include /usr/local/etc/nginx/sites/counterblock_socketio.inc;
        #proxy_pass http://dogeblockd:4101/socket.io;
        proxy_pass http://127.0.0.1:4101/socket.io;
    }
    # PROXY TO COUNTERWALLETD CHAT BACKEND (socket.io)
    location ^~ /_chat {
        #include /etc/nginx/sites/counterblock_socketio.inc;
        include /usr/local/etc/nginx/sites/counterblock_socketio.inc;
        #proxy_pass http://dogeblockd:4102/socket.io;
        proxy_pass http://127.0.0.1:4102/socket.io;
    }
}