nginx: add production nginx config files.

2019-09-22 20:09:02 -05:00
parent e1cdcbd4ce
commit 1d6d816b23
3 changed files with 242 additions and 0 deletions
--- a/script/install/nginx/conf.d/common.conf
+++ b/script/install/nginx/conf.d/common.conf
@@ -0,0 +1,92 @@
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
+ssl_prefer_server_ciphers on;
+ssl_session_timeout 4h;
+ssl_session_cache shared:SSL:20m;
+ssl_session_tickets off;
+ssl_stapling on;
+ssl_stapling_verify on;
+ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+resolver 8.8.8.8 8.8.4.4;
+
+root /var/www/danbooru/current/public;
+index index.html;
+access_log off;
+error_log /var/www/danbooru/shared/log/server.error.log;
+try_files $uri/index.html $uri.html $uri @app;
+client_max_body_size 30m;
+error_page 503 @maintenance;
+error_page 404 /404.html;
+error_page 500 502 503 504 /500.html;
+
+location /assets {
+  expires max;
+  break;
+}
+
+location /data/preview {
+  expires max;
+  break;
+}
+
+location /posts/mobile {
+  return 404;
+}
+
+location /users {
+  limit_req zone=users burst=5;
+  limit_req_status 429;
+  try_files $uri @app_server;
+}
+
+location /posts {
+  limit_req zone=posts burst=20;
+  limit_req_status 429;
+  try_files $uri @app_server;
+}
+
+location /data {
+  valid_referers none *.donmai.us donmai.us ~\.google\. ~\.bing\. ~\.yahoo\.;
+
+  if ($invalid_referer) {
+    return 403;
+  }
+
+  rewrite ^/data/sample/__.+?__(.+) /data/sample/$1 last;
+  rewrite ^/data/__.+?__(.+) /data/$1 last;
+
+  expires max;
+  break;
+}
+
+location /maintenance.html {
+  expires 10;
+}
+
+if (-f $document_root/maintenance.html) {
+  return 503;
+}
+
+if ($http_user_agent ~ (WinHttp\.WinHttpRequest\.5) ) {
+  return 403;
+}
+
+location @maintenance {
+  rewrite ^(.*)$ /maintenance.html last;
+}
+
+location @app_server {
+  proxy_pass http://app_server;
+  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+  proxy_set_header X-Real-IP $remote_addr;
+  proxy_redirect off;
+  proxy_set_header Host $http_host;
+  proxy_set_header X-Forwarded-Proto $scheme;
+  proxy_buffer_size 128k;
+  proxy_buffers 4 256k;
+  proxy_busy_buffers_size 256k;
+}
+
+location / {
+  try_files $uri @app_server;
+}