infrastructure-doc/configuration-files/alpha/nginx.conf

# load_module "modules/ngx_stream_ssl_preread_module.so";
load_module /usr/lib/nginx/modules/ngx_stream_module.so;

# worker_processes  1;
daemon off;

user root.nginx;

pid /srv/root/nginx/pid;

worker_rlimit_nofile 1024;
events {
	worker_connections  800;
}

#error_log  /srv/root/nginx/error.log warn;
error_log  /tmp/nginx-error.log warn;

http {
	access_log /tmp/nginx-access.log;

	include       /etc/nginx/mime.types;
	default_type  application/octet-stream;
	index         index.html index.htm index.xhtml;

	fastcgi_param HTTP_PROXY "";

	keepalive_timeout  65;

	server_tokens off;

	upstream git_baguette_backend {
		server 192.168.122.132:3000;
		# server 192.168.122.132:80;
		keepalive 32;
	}

	upstream baguette_backend {
		server 192.168.122.132:80;
		keepalive 32;
	}

	upstream arpenteurs_backend_ws {
		server localhost:3000;
		# server 192.168.122.132:80;
		keepalive 32;
	}


	upstream team_baguette_backend_ws {
		server 192.168.122.132:8065;
		# server 192.168.122.132:80;
		keepalive 32;
	}

	upstream team_baguette_backend {
		server 192.168.122.132:8065;
		keepalive 32;
	}

	proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=mattermost_cache:10m max_size=3g inactive=120m use_temp_path=off;


	server {
		listen       80 ;
		listen       [::]:80 ;
		server_name  www.arpenteurdestrasbourg.netlib.re arpenteurdestrasbourg.netlib.re;

		location /admin {
			proxy_set_header Upgrade $http_upgrade;
			proxy_set_header Connection "upgrade";
			client_max_body_size 50M;
			proxy_set_header Host $http_host;
			proxy_set_header X-Real-IP $remote_addr;
			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
			proxy_set_header X-Forwarded-Proto $scheme;
			proxy_set_header X-Frame-Options SAMEORIGIN;
			proxy_buffers 256 16k;
			proxy_buffer_size 16k;
			client_body_timeout 60;
			send_timeout 300;
			lingering_timeout 5;
			proxy_connect_timeout 90;
			proxy_send_timeout 300;
			proxy_read_timeout 90s;
			proxy_pass http://arpenteurs_backend_ws;
		}

		location / {
			proxy_buffering off;
			proxy_set_header Host $host;
			proxy_next_upstream_timeout 2s;
			proxy_pass http://localhost:3000/;
		}
	}

	server {
		listen       80 ;
		listen       [::]:80 ;
		server_name  baguette.netlib.re
			www.baguette.netlib.re
			mail.baguette.netlib.re
			git.baguette.netlib.re;
#			error_log  /srv/root/nginx/error_baguette-port-80.log warn;
			error_log  /tmp/nginx-error_baguette-port-80.log warn;

		location / {
			rewrite  ^ https://git.baguette.netlib.re$request_uri? permanent;
		}

		location ~ /.well-known/acme-challenge/(.*) {
			client_max_body_size 1M;
			proxy_set_header Connection "";
			proxy_set_header Host $http_host;
			proxy_set_header X-Real-IP $remote_addr;
			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
			proxy_set_header X-Forwarded-Proto $scheme;
			proxy_set_header X-Frame-Options SAMEORIGIN;
			proxy_buffers 256 16k;
			proxy_buffer_size 16k;
			proxy_read_timeout 600s;
			proxy_cache mattermost_cache;
			proxy_cache_revalidate on;
			proxy_cache_min_uses 2;
			proxy_cache_use_stale timeout;
			proxy_cache_lock on;
			# Not sure.
			add_header Content-Type application/jose+json;
			proxy_pass http://baguette_backend;
		}
	}

	server {
		listen       443 ssl;
		listen       [::]:443 ssl;
		server_name  git.baguette.netlib.re;
		ssl_protocols TLSv1.2;

		ssl_certificate      /etc/ssl/baguette.netlib.re.fullchain.pem;
		ssl_certificate_key  /etc/ssl/private/baguette.netlib.re.key;

		ssl_dhparam    /etc/ssl/private/dhparam.pem;
		ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0


		ssl_session_timeout  5m;
		ssl_session_cache    shared:SSL:10m;

		# ssl_ciphers  HIGH:!MEDIUM:!WEAK:!aNULL:!MD5:!RC4;
		ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:!ECDHE-RSA-AES256-SHA384;
		ssl_prefer_server_ciphers   on;

#		error_log  /srv/root/nginx/error_git-baguette.log warn;
		error_log  /tmp/nginx-error_git-baguette.log warn;

		location / {
			proxy_buffering off;
			proxy_next_upstream_timeout 2s;
			client_max_body_size 0;
			# proxy_set_header Host $host;
			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
			proxy_set_header X-Real-IP $remote_addr;
			proxy_set_header Host $http_host;
			proxy_set_header X-Forwarded-Proto $scheme;
			proxy_max_temp_file_size 0;
			proxy_redirect off;
			proxy_read_timeout 120;
			proxy_pass http://git_baguette_backend;
		}
	}


	server {
		listen       80 ;
		listen       [::]:80 ;
		server_name  www.baguette.netlib.re baguette.netlib.re;

		location / {
			rewrite  ^ https://baguette.netlib.re$request_uri? permanent;
		}
	}

	server {
		listen       443 ssl;
		listen       [::]:443 ssl;
		server_name  baguette.netlib.re;

		ssl_certificate      /etc/ssl/baguette.netlib.re.fullchain.pem;
		ssl_certificate_key  /etc/ssl/private/baguette.netlib.re.key;


		ssl_session_timeout  5m;
		ssl_session_cache    shared:SSL:10m;

		ssl_ciphers  HIGH:!aNULL:!MD5:!RC4;
		ssl_prefer_server_ciphers   on;

		location / {
			root /srv/baguette/ ;
		}
	}


	server {
		listen       80 ;
		listen       [::]:80 ;
		server_name  www.team.baguette.netlib.re team.baguette.netlib.re;

		location / {
			rewrite  ^ https://team.baguette.netlib.re$request_uri? permanent;
		}

		location ~ /.well-known/acme-challenge/(.*) {
			client_max_body_size 1M;
			proxy_set_header Connection "";
			proxy_set_header Host $http_host;
			proxy_set_header X-Real-IP $remote_addr;
			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
			proxy_set_header X-Forwarded-Proto $scheme;
			proxy_set_header X-Frame-Options SAMEORIGIN;
			proxy_buffers 256 16k;
			proxy_buffer_size 16k;
			proxy_read_timeout 600s;
			proxy_cache mattermost_cache;
			proxy_cache_revalidate on;
			proxy_cache_min_uses 2;
			proxy_cache_use_stale timeout;
			proxy_cache_lock on;
			# Not sure.
			add_header Content-Type application/jose+json;
			proxy_pass http://baguette_backend;
		}
	}

	server {
		listen       443 ssl;
		listen       [::]:443 ssl;
		server_name  team.baguette.netlib.re;

		# index index.php index.html;

		ssl_certificate      /etc/ssl/baguette.netlib.re.fullchain.pem;
		ssl_certificate_key  /etc/ssl/private/baguette.netlib.re.key;

		ssl_session_timeout  5m;
		ssl_session_cache    shared:SSL:10m;

		ssl_ciphers  HIGH:!aNULL:!MD5:!RC4;
		ssl_prefer_server_ciphers   on;

		location ~ /api/v[0-9]+/(users/)?websocket$ {
			proxy_set_header Upgrade $http_upgrade;
			proxy_set_header Connection "upgrade";
			client_max_body_size 50M;
			proxy_set_header Host $http_host;
			proxy_set_header X-Real-IP $remote_addr;
			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
			proxy_set_header X-Forwarded-Proto $scheme;
			proxy_set_header X-Frame-Options SAMEORIGIN;
			proxy_buffers 256 16k;
			proxy_buffer_size 16k;
			client_body_timeout 60;
			send_timeout 300;
			lingering_timeout 5;
			proxy_connect_timeout 90;
			proxy_send_timeout 300;
			proxy_read_timeout 90s;
			proxy_pass http://team_baguette_backend_ws;
		}

		location / {
			client_max_body_size 50M;
			proxy_set_header Connection "";
			proxy_set_header Host $http_host;
			proxy_set_header X-Real-IP $remote_addr;
			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
			proxy_set_header X-Forwarded-Proto $scheme;
			proxy_set_header X-Frame-Options SAMEORIGIN;
			proxy_buffers 256 16k;
			proxy_buffer_size 16k;
			proxy_read_timeout 600s;
			proxy_cache mattermost_cache;
			proxy_cache_revalidate on;
			proxy_cache_min_uses 2;
			proxy_cache_use_stale timeout;
			proxy_cache_lock on;
			proxy_pass http://team_baguette_backend;
		}
	}

}