-
Notifications
You must be signed in to change notification settings - Fork 16
/
Copy pathsite.social.devstage.conf.template
104 lines (85 loc) · 3.18 KB
/
site.social.devstage.conf.template
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
limit_req_zone $binary_remote_addr zone=sdc:32m rate=100r/m;
proxy_cache_path /var/cache/nginx levels=1:2 inactive=6h keys_zone=sdc_cache:100m;
server {
listen 8081;
server_name $SERVER_NAME;
# proxy traffic for healthcheck to the upstream without https redirect for the ELB to see a 200 on /
location /.well-known/healthcheck.json {
limit_req zone=sdc;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_ignore_client_abort on;
proxy_read_timeout 90;
proxy_http_version 1.1;
proxy_redirect off;
proxy_pass http://steemit-sdc:8080/.well-known/healthcheck.json;
}
add_header Strict-Transport-Security "max-age=31557600; includeSubDomains; preload" always;
# redirect certain routes to the wallet app
location ~* ^/@[0-9a-z\-\.]+/(transfers|curation-rewards|author-rewards|permissions|password) {
return 301 $WALLET_URL$request_uri;
}
location /change_password {
return 301 $WALLET_URL$request_uri;
}
location /recover_account_step_1 {
return 301 $WALLET_URL$request_uri;
}
location = /market {
return 301 $WALLET_URL$request_uri;
}
location /~witnesses {
return 301 $WALLET_URL$request_uri;
}
location / {
limit_req zone=sdc burst=50;
# rewrite http to https (ALB does the https termination)
if ($http_x_forwarded_proto != 'https') {
return 301 https://$server_name$request_uri;
}
# for dev and stage sub_filter meta tags for robots
sub_filter '</head>'
'<meta name="robots" content="noindex, nofollow, noarchive, nosnippet">
<meta name="googlebot" content="noindex, nofollow, noarchive, nosnippet"></head>';
sub_filter_types text/css text/plain text/html;
sub_filter_once on;
proxy_set_header Accept-Encoding "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_ignore_client_abort on;
proxy_read_timeout 90;
proxy_http_version 1.1;
proxy_hide_header Strict-Transport-Security;
add_header Strict-Transport-Security "max-age=31557600; includeSubDomains; preload" always;
add_header 'Content-Security-Policy' 'upgrade-insecure-requests';
proxy_pass http://127.0.0.1:8082;
proxy_cache sdc_cache;
proxy_cache_valid 200 2m;
proxy_cache_key "$request_uri";
proxy_cache_lock on;
proxy_cache_lock_age 60s;
proxy_cache_lock_timeout 60s;
# debug headers for cache
add_header X-Cache $upstream_cache_status;
add_header X-Cache-Key "$request_uri";
}
}
# gunzip response so it can be filtered for dev/stage (no robots/googlebot)
server {
listen 8082;
server_name $SERVER_NAME;
gunzip on;
location / {
proxy_pass http://steemit-sdc:8080;
proxy_set_header Accept-Encoding gzip;
}
}
server {
listen 8081;
server_name www.$SERVER_NAME;
return 301 https://$SERVER_NAME$request_uri;
}