nginx.prod.conf at d01c1445b6b69d47e67107496c9c8bc827fef5ce · lewis.moe/bspds-sandbox

lewis.moe / bspds-sandbox
this repo has no description
bspds-sandbox / nginx.prod.conf
at d01c1445b6b69d47e67107496c9c8bc827fef5ce 3.2 kB view raw
  1worker_processes auto;
  2error_log /var/log/nginx/error.log warn;
  3pid /var/run/nginx.pid;
  4
  5events {
  6    worker_connections 4096;
  7    use epoll;
  8    multi_accept on;
  9}
 10
 11http {
 12    include /etc/nginx/mime.types;
 13    default_type application/octet-stream;
 14
 15    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
 16                    '$status $body_bytes_sent "$http_referer" '
 17                    '"$http_user_agent" "$http_x_forwarded_for" '
 18                    'rt=$request_time uct="$upstream_connect_time" '
 19                    'uht="$upstream_header_time" urt="$upstream_response_time"';
 20
 21    access_log /var/log/nginx/access.log main;
 22
 23    sendfile on;
 24    tcp_nopush on;
 25    tcp_nodelay on;
 26    keepalive_timeout 65;
 27    types_hash_max_size 2048;
 28
 29    gzip on;
 30    gzip_vary on;
 31    gzip_proxied any;
 32    gzip_comp_level 6;
 33    gzip_types text/plain text/css text/xml application/json application/javascript
 34               application/xml application/xml+rss text/javascript application/activity+json;
 35
 36    ssl_protocols TLSv1.2 TLSv1.3;
 37    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
 38    ssl_prefer_server_ciphers off;
 39    ssl_session_cache shared:SSL:10m;
 40    ssl_session_timeout 1d;
 41    ssl_session_tickets off;
 42    ssl_stapling on;
 43    ssl_stapling_verify on;
 44
 45    upstream bspds {
 46        server bspds:3000;
 47        keepalive 32;
 48    }
 49
 50    server {
 51        listen 80;
 52        listen [::]:80;
 53        server_name _;
 54
 55        location /.well-known/acme-challenge/ {
 56            root /var/www/acme;
 57        }
 58
 59        location / {
 60            return 301 https://$host$request_uri;
 61        }
 62    }
 63
 64    server {
 65        listen 443 ssl http2;
 66        listen [::]:443 ssl http2;
 67        server_name _;
 68
 69        ssl_certificate /etc/nginx/certs/live/${PDS_HOSTNAME}/fullchain.pem;
 70        ssl_certificate_key /etc/nginx/certs/live/${PDS_HOSTNAME}/privkey.pem;
 71
 72        client_max_body_size 100M;
 73
 74        location / {
 75            proxy_pass http://bspds;
 76            proxy_http_version 1.1;
 77            proxy_set_header Upgrade $http_upgrade;
 78            proxy_set_header Connection "upgrade";
 79            proxy_set_header Host $host;
 80            proxy_set_header X-Real-IP $remote_addr;
 81            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 82            proxy_set_header X-Forwarded-Proto $scheme;
 83            proxy_read_timeout 86400;
 84            proxy_send_timeout 86400;
 85            proxy_buffering off;
 86            proxy_request_buffering off;
 87        }
 88
 89        location /xrpc/com.atproto.sync.subscribeRepos {
 90            proxy_pass http://bspds;
 91            proxy_http_version 1.1;
 92            proxy_set_header Upgrade $http_upgrade;
 93            proxy_set_header Connection "upgrade";
 94            proxy_set_header Host $host;
 95            proxy_set_header X-Real-IP $remote_addr;
 96            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 97            proxy_set_header X-Forwarded-Proto $scheme;
 98            proxy_read_timeout 86400;
 99            proxy_send_timeout 86400;
100            proxy_buffering off;
101        }
102    }
103}