mirror
/
takahe-deployment-examples
kopia lustrzana https://github.com/jointakahe/deployment-examples
1
0
Forkuj 0
Kod Zgłoszenia Packages Projekty Wydania Wiki Aktywność

Some small tweaks for nginx

pull/1/head
Kromonos 2022-12-16 05:35:17 +01:00
rodzic d33ab13d7c
commit 1dfafd79f9
1 zmienionych plików z 28 dodań i 26 usunięć
Pokaż statystyki Ściągnij plik aktualizacji Ściągnij plik porównania Expand all files Collapse all files

44
webserver/nginx.conf
Wyświetl plik

@ -1,7 +1,6 @@
limit_req_zone $binary_remote_addr zone=taka_proxy:20m rate=200r/s;
limit_req_zone $binary_remote_addr zone=taka_media:20m rate=50r/s;
limit_req_zone $binary_remote_addr zone=taka_ratelimit:20m rate=25r/s;
proxy_cache_path /usr/share/nginx/takahe/cache levels=1:2 keys_zone=TAKAHE:20m inactive=14d max_size=1g;
upstream takahe {
@ -27,11 +26,17 @@ server {
listen [::]:443 ssl http2;
server_name _;
root /usr/share/nginx/tahake/static;
root /usr/share/nginx/takahe/static;
index index.html;
access_log /usr/share/nginx/tahake/logs/access.log combined;
error_log /usr/share/nginx/tahake/logs/error.log;
access_log /usr/share/nginx/takahe/logs/access.log combined;
error_log /usr/share/nginx/takahe/logs/error.log;
# Let's Encrypt SSL challenge directory
location ^~ /.well-known/acme-challenge {
default_type text/plain;
alias /usr/share/nginx/tmp/.well-known/acme-challenge;
}
ssl_protocols TLSv1.2 TLSv1.3;
@ -39,7 +44,7 @@ server {
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_session_timeout 10m;
ssl_session_cache shared:MozSSL:10m;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
# Specifies a curve for ECDHE ciphers.
@ -62,12 +67,12 @@ server {
gzip_min_length 256;
gzip_types text/xml text/javascript font/ttf font/eot font/otf application/x-javascript application/atom+xml application/javascript application/json application/manifest+json application/rss+xml application/x-web-app-manifest+json application/xhtml+xml application/xml image/svg+xml image/x-icon text/css text/plain;
ignore_invalid_headers off;
proxy_connect_timeout 1200;
ignore_invalid_headers on;
proxy_connect_timeout 900;
ssl_certificate /root/.acme.sh/tavern.drow.be/fullchain.cer;
ssl_certificate_key /root/.acme.sh/tavern.drow.be/tavern.drow.be.key;
ssl_trusted_certificate /root/.acme.sh/tavern.drow.be/ca.cer;
ssl_certificate /root/.acme.sh/takahe_host/fullchain.cer;
ssl_certificate_key /root/.acme.sh/takahe_host/takahe_host.key;
ssl_trusted_certificate /root/.acme.sh/takahe_host/ca.cer;
ssl_dhparam /etc/ssl/dhparams_4096.pem;
proxy_headers_hash_max_size 1024;
@ -92,15 +97,15 @@ server {
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
add_header 'Content-Security-Policy' "default-src 'none'; connect-src 'self'; font-src 'self'; img-src *; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; upgrade-insecure-requests;";
# Let's Encrypt SSL challenge directory
location ^~ /.well-known/acme-challenge {
default_type text/plain;
alias /usr/share/nginx/tmp/.well-known/acme-challenge;
add_header 'Content-Security-Policy' "default-src 'none'; connect-src 'self'; font-src 'self'; img-src *; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; upgrade-insecure-requests;";
add_header 'X-Robots-Tag' "index, follow, noimageindex, notranslate, noarchive";
location = /robots.txt {
add_header Content-Type text/plain;
return 200 "User-agent: *\nDisallow: /proxy/\nDisallow: /static/\nDisallow: /media/\nCrawl-delay: 1";
}
# Local media and static files
location ~* ^/(media|static) {
http2_push_preload on;
limit_req zone=taka_media burst=5 nodelay;
@ -131,7 +136,6 @@ server {
proxy_pass http://takahe;
}
# Media proxy
location ~* ^/proxy {
http2_push_preload on;
limit_req zone=taka_proxy burst=50 delay=20;
@ -158,18 +162,16 @@ server {
proxy_cache_methods GET HEAD;
add_header X-Cache $upstream_cache_status;
proxy_pass http://takahe;
}
# Django Admin
location /djadmin/ {
location ~* ^/(djadmin|api) {
http2_push_preload off;
proxy_redirect off;
proxy_buffering off;
proxy_pass http://takahe;
}
# Default location
location / {
limit_req zone=taka_ratelimit burst=15 delay=5;
http2_push_preload on;