site.social.conf.template
# Shared-memory zone "sdc" (32m) that tracks request rate per client address,
# capped at 100 requests per minute.
# NOTE(review): the key is $binary_remote_addr, i.e. the peer of the TCP
# connection. If a load balancer sits in front and the realip module
# (set_real_ip_from / real_ip_header) is not configured elsewhere, every
# client shares the balancer's bucket -- confirm against the main nginx.conf.
limit_req_zone $binary_remote_addr zone=sdc:32m rate=100r/m;
# On-disk response cache under /var/cache/nginx with a two-level directory
# layout; the key zone "sdc_cache" is 100m and entries not accessed for 6h
# are evicted.
proxy_cache_path /var/cache/nginx levels=1:2 inactive=6h keys_zone=sdc_cache:100m;
# Main virtual host: applies a static deny list, redirects wallet routes,
# blocks a handful of content URLs and proxies everything else (with a short
# cache) to the steemit-sdc upstream.
server {
    listen 8081;
    # $SERVER_NAME (upper case) is a template placeholder, presumably filled in
    # at deploy time; lower-case $server_name further down is nginx's variable.
    server_name $SERVER_NAME;

    # Static deny list of addresses involved in earlier DDoS traffic.
    # NOTE(review): `deny` is evaluated against $remote_addr. With a balancer
    # in front (see the ALB comment in `location /`), these rules only see the
    # real client if realip is configured outside this file -- confirm.
    deny 122.8.125.184;
    deny 130.206.99.1;
    deny 177.226.255.170;
    deny 179.127.252.154;
    deny 192.119.168.147;
    deny 202.55.183.226;
    deny 202.62.17.217;
    deny 69.125.96.181;
    deny 79.173.237.10;
    deny 83.48.73.254;
    deny 89.35.44.248;
    deny 92.114.178.198;
    deny 99.197.236.213;

    # CSP violation reports are refused here and never reach the upstream, so
    # any policy reporting to this path produces no telemetry.
    location /api/v1/csp_violation {
        return 403;
    }

    # Health check for the ELB: proxied straight to the upstream with no
    # https redirect so the balancer sees a 200.
    location /.well-known/healthcheck.json {
        # No burst allowance: requests over the zone's rate are rejected.
        limit_req zone=sdc;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Appends $remote_addr to whatever X-Forwarded-For the client sent;
        # the upstream should only trust the right-most entries.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_ignore_client_abort on;
        proxy_read_timeout 90;
        proxy_http_version 1.1;
        proxy_redirect off;
        proxy_pass http://steemit-sdc:8080/.well-known/healthcheck.json;
    }

    # Server-level HSTS. nginx inherits add_header into a location only when
    # that location declares no add_header of its own, which is why
    # `location /` repeats this line. `always` covers error responses too.
    add_header Strict-Transport-Security "max-age=31557600; includeSubDomains; preload" always;

    # Wallet-related routes are permanently redirected to the wallet app.
    # The regex is case-insensitive and anchored at the start only, so the
    # listed words match as a prefix of the second path segment.
    location ~* ^/@[0-9a-z\-\.]+/(transfers|curation-rewards|author-rewards|permissions|password) {
        return 301 $WALLET_URL$request_uri;
    }
    location /change_password {
        return 301 $WALLET_URL$request_uri;
    }
    location /recover_account_step_1 {
        return 301 $WALLET_URL$request_uri;
    }
    location = /market {
        return 301 $WALLET_URL$request_uri;
    }
    location /~witnesses {
        return 301 $WALLET_URL$request_uri;
    }

    # Individually blocked content URLs (prefix matches). Each answers 403 and
    # switches the access log off, so hits on these paths leave no log entry.
    location /cryptocurrency/@bitcoinminer25/youhash-cloud-mining-scam-or-legit {
        access_log off;
        return 403;
    }
    location /flstudio/@cracked-games/ltxziiz9 {
        access_log off;
        return 403;
    }
    location /music/@jneelocamacho/how-to-download-free-fl-studio-mobile {
        access_log off;
        return 403;
    }
    location /music/@therealtblgk/fl-studio-12-4-2-digital-download-for-windows-first-3-to-comment-will-get-a-free-copy {
        access_log off;
        return 403;
    }
    location /music/@therealtblgk/fl-studio-12-4-2-for-1-sbd {
        access_log off;
        return 403;
    }
    location /fullmovie/@marvinlox/baaghi-2-hindi-2018-full-movie-in-720p-hd-dvdrip-bluerayrip {
        access_log off;
        return 403;
    }
    # Case-sensitive, unanchored regex: blocks "/@unicef" followed by "/" or
    # end of path wherever it appears in the URI.
    location ~ /@unicef(/|$) {
        access_log off;
        return 403;
    }

    # Everything else: rate-limit, force https, then proxy through the cache.
    location / {
        limit_req zone=sdc burst=50;

        # Rewrite http to https (the ALB does the https termination).
        # The decision rests on a request header, so it is only meaningful if
        # this listener cannot be reached without passing through the ALB.
        # The redirect target uses the configured $server_name, not the
        # request's Host header.
        if ($http_x_forwarded_proto != 'https') {
            return 301 https://$server_name$request_uri;
        }

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Client-supplied X-Forwarded-For entries are kept and $remote_addr is
        # appended; the upstream should not trust the left-most values.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # NOTE(review): $scheme is the scheme of the connection to nginx; with
        # TLS terminated at the ALB the upstream would be told "http" even for
        # https clients -- confirm that is intended.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_ignore_client_abort on;
        proxy_read_timeout 90;
        proxy_http_version 1.1;

        # Drop any upstream HSTS header so only the one set here is sent.
        proxy_hide_header Strict-Transport-Security;
        add_header Strict-Transport-Security "max-age=31557600; includeSubDomains; preload" always;
        # Without `always`, this header is added only to successful and
        # redirect responses, not to error pages.
        add_header 'Content-Security-Policy' 'upgrade-insecure-requests';

        # 200 responses are cached for two minutes, keyed on the request URI
        # alone: Host and cookies are not part of the key.
        # NOTE(review): a stored page is served to every requester of that URI,
        # so the upstream must not vary cacheable 200 responses by user or by
        # Host header. Adding $host to the key would close the Host case.
        proxy_cache sdc_cache;
        proxy_cache_valid 200 2m;
        proxy_cache_key $request_uri;
        # Only one request at a time populates a given cache entry; the others
        # wait for it, for at most five minutes.
        proxy_cache_lock on;
        proxy_cache_lock_age 5m;
        proxy_cache_lock_timeout 5m;

        proxy_pass http://steemit-sdc:8080;
    }
}
# Canonical-host redirect: requests for the www. name are sent permanently to
# the bare host over https. The target is built from the configured
# $SERVER_NAME placeholder, not from the request's Host header.
server {
    listen 8081;
    server_name www.$SERVER_NAME;

    return 301 https://$SERVER_NAME$request_uri;
}