nginx: add production nginx config files.
This commit is contained in:
evazion
92
script/install/nginx/conf.d/common.conf
Normal file
92
script/install/nginx/conf.d/common.conf
Normal file
@@ -0,0 +1,92 @@
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_timeout 4h;
|
||||
ssl_session_cache shared:SSL:20m;
|
||||
ssl_session_tickets off;
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
|
||||
resolver 8.8.8.8 8.8.4.4;
|
||||
|
||||
root /var/www/danbooru/current/public;
|
||||
index index.html;
|
||||
access_log off;
|
||||
error_log /var/www/danbooru/shared/log/server.error.log;
|
||||
try_files $uri/index.html $uri.html $uri @app;
|
||||
client_max_body_size 30m;
|
||||
error_page 503 @maintenance;
|
||||
error_page 404 /404.html;
|
||||
error_page 500 502 503 504 /500.html;
|
||||
|
||||
location /assets {
|
||||
expires max;
|
||||
break;
|
||||
}
|
||||
|
||||
location /data/preview {
|
||||
expires max;
|
||||
break;
|
||||
}
|
||||
|
||||
location /posts/mobile {
|
||||
return 404;
|
||||
}
|
||||
|
||||
location /users {
|
||||
limit_req zone=users burst=5;
|
||||
limit_req_status 429;
|
||||
try_files $uri @app_server;
|
||||
}
|
||||
|
||||
location /posts {
|
||||
limit_req zone=posts burst=20;
|
||||
limit_req_status 429;
|
||||
try_files $uri @app_server;
|
||||
}
|
||||
|
||||
location /data {
|
||||
valid_referers none *.donmai.us donmai.us ~\.google\. ~\.bing\. ~\.yahoo\.;
|
||||
|
||||
if ($invalid_referer) {
|
||||
return 403;
|
||||
}
|
||||
|
||||
rewrite ^/data/sample/__.+?__(.+) /data/sample/$1 last;
|
||||
rewrite ^/data/__.+?__(.+) /data/$1 last;
|
||||
|
||||
expires max;
|
||||
break;
|
||||
}
|
||||
|
||||
location /maintenance.html {
|
||||
expires 10;
|
||||
}
|
||||
|
||||
if (-f $document_root/maintenance.html) {
|
||||
return 503;
|
||||
}
|
||||
|
||||
if ($http_user_agent ~ (WinHttp\.WinHttpRequest\.5) ) {
|
||||
return 403;
|
||||
}
|
||||
|
||||
location @maintenance {
|
||||
rewrite ^(.*)$ /maintenance.html last;
|
||||
}
|
||||
|
||||
location @app_server {
|
||||
proxy_pass http://app_server;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_redirect off;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_buffer_size 128k;
|
||||
proxy_buffers 4 256k;
|
||||
proxy_busy_buffers_size 256k;
|
||||
}
|
||||
|
||||
location / {
|
||||
try_files $uri @app_server;
|
||||
}
|
||||
82
script/install/nginx/nginx.conf
Normal file
82
script/install/nginx/nginx.conf
Normal file
@@ -0,0 +1,82 @@
|
||||
user www-data;
|
||||
worker_processes auto;
|
||||
pid /var/run/nginx.pid;
|
||||
|
||||
events {
|
||||
use epoll;
|
||||
worker_connections 10000;
|
||||
multi_accept on;
|
||||
accept_mutex on;
|
||||
}
|
||||
|
||||
http {
|
||||
limit_req_zone $binary_remote_addr zone=users:10m rate=5r/s;
|
||||
limit_req_zone $binary_remote_addr zone=posts:100m rate=10r/s;
|
||||
|
||||
##
|
||||
# Basic Settings
|
||||
##
|
||||
|
||||
sendfile on;
|
||||
tcp_nopush on;
|
||||
tcp_nodelay on;
|
||||
keepalive_timeout 5;
|
||||
types_hash_max_size 2048;
|
||||
# server_tokens off;
|
||||
|
||||
server_names_hash_bucket_size 128;
|
||||
# server_name_in_redirect off;
|
||||
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
##
|
||||
# Logging Settings
|
||||
##
|
||||
|
||||
access_log off;
|
||||
error_log /var/log/nginx/error.log;
|
||||
|
||||
##
|
||||
# Gzip Settings
|
||||
##
|
||||
|
||||
gzip on;
|
||||
gzip_disable "msie6";
|
||||
|
||||
gzip_http_version 1.1;
|
||||
gzip_vary on;
|
||||
gzip_comp_level 5;
|
||||
gzip_proxied any;
|
||||
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/rss+xml text/javascript application/atom+xml;
|
||||
|
||||
# curl https://www.cloudflare.com/ips-v4 | sort
|
||||
set_real_ip_from 103.21.244.0/22;
|
||||
set_real_ip_from 103.22.200.0/22;
|
||||
set_real_ip_from 103.31.4.0/22;
|
||||
set_real_ip_from 104.16.0.0/12;
|
||||
set_real_ip_from 108.162.192.0/18;
|
||||
set_real_ip_from 131.0.72.0/22;
|
||||
set_real_ip_from 141.101.64.0/18;
|
||||
set_real_ip_from 162.158.0.0/15;
|
||||
set_real_ip_from 172.64.0.0/13;
|
||||
set_real_ip_from 173.245.48.0/20;
|
||||
set_real_ip_from 188.114.96.0/20;
|
||||
set_real_ip_from 190.93.240.0/20;
|
||||
set_real_ip_from 197.234.240.0/22;
|
||||
set_real_ip_from 198.41.128.0/17;
|
||||
set_real_ip_from 199.27.128.0/21;
|
||||
|
||||
# curl https://www.cloudflare.com/ips-v4 | sort
|
||||
set_real_ip_from 2400:cb00::/32;
|
||||
set_real_ip_from 2606:4700::/32;
|
||||
set_real_ip_from 2803:f800::/32;
|
||||
set_real_ip_from 2405:b500::/32;
|
||||
set_real_ip_from 2405:8100::/32;
|
||||
set_real_ip_from 2a06:98c0::/29;
|
||||
set_real_ip_from 2c0f:f248::/32;
|
||||
|
||||
real_ip_header CF-Connecting-IP;
|
||||
|
||||
include /etc/nginx/sites-enabled/*.conf;
|
||||
}
|
||||
68
script/install/nginx/sites-enabled/danbooru.conf
Normal file
68
script/install/nginx/sites-enabled/danbooru.conf
Normal file
@@ -0,0 +1,68 @@
|
||||
server {
|
||||
listen 443 ssl http2 default_server;
|
||||
server_name danbooru.donmai.us;
|
||||
|
||||
ssl_certificate /etc/nginx/ssl/danbooru.chain.pem;
|
||||
ssl_certificate_key /etc/nginx/ssl/danbooru.key;
|
||||
|
||||
include /etc/nginx/conf.d/common.conf;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
server_name safebooru.donmai.us;
|
||||
|
||||
ssl_certificate /etc/nginx/ssl/safebooru.chain.pem;
|
||||
ssl_certificate_key /etc/nginx/ssl/safebooru.key;
|
||||
|
||||
include /etc/nginx/conf.d/common.conf;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
server_name kagamihara.donmai.us;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/kagamihara.donmai.us/fullchain.pem; # managed by Certbot
|
||||
ssl_certificate_key /etc/letsencrypt/live/kagamihara.donmai.us/privkey.pem; # managed by Certbot
|
||||
|
||||
include /etc/nginx/conf.d/common.conf;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
server_name saitou.donmai.us;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/saitou.donmai.us/fullchain.pem; # managed by Certbot
|
||||
ssl_certificate_key /etc/letsencrypt/live/saitou.donmai.us/privkey.pem; # managed by Certbot
|
||||
|
||||
include /etc/nginx/conf.d/common.conf;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
server_name shima.donmai.us;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/shima.donmai.us/fullchain.pem; # managed by Certbot
|
||||
ssl_certificate_key /etc/letsencrypt/live/shima.donmai.us/privkey.pem; # managed by Certbot
|
||||
|
||||
include /etc/nginx/conf.d/common.conf;
|
||||
}
|
||||
|
||||
# redirect HTTP to HTTPS.
|
||||
server {
|
||||
listen 80;
|
||||
server_name safebooru.donmai.us danbooru.donmai.us kagamihara.donmai.us saitou.donmai.us shima.donmai.us;
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
|
||||
# redirect donmai.us and www.donmai.us to danbooru.donmai.us.
|
||||
server {
|
||||
listen 80;
|
||||
listen 443 ssl;
|
||||
server_name donmai.us www.donmai.us;
|
||||
return 301 https://danbooru.donmai.us$request_uri;
|
||||
}
|
||||
|
||||
upstream app_server {
|
||||
server unix:/tmp/.unicorn.sock fail_timeout=0;
|
||||
}
|
||||
Reference in New Issue
Block a user