This repository has been archived by the owner on Aug 6, 2022. It is now read-only.

I.7. nginx configuration

Andrey Bogdanov edited this page May 24, 2016 · 10 revisions

This is an example nginx configuration.

user www-data;                        # Unprivileged user for the worker processes ("nginx" on RHEL-based systems). The master process
                                      # still starts as root to bind ports 80/443. Never run the workers as root: every file root can
                                      # read becomes reachable through a misconfigured location.
worker_processes 1;                   # Number of worker processes. 1 should be enough.
access_log /var/log/nginx/access.log; # Access log location.
error_log /var/log/nginx/error.log;   # Error log location.

events {
    worker_connections 2048;          # Maximum number of connections a worker process can serve.
}

http {
    include      /etc/nginx/mime.types;    # Standard MIME types. Do NOT modify.
    default_type application/octet-stream; # The default MIME-type. Do NOT modify.

    # Uncomment the following lines to enable SSL (HTTPS).
    # ssl_session_cache   shared:SSL:10m; # Session cache shared between workers (1 MB holds about 4000 sessions).
    # ssl_session_timeout 5m;             # How long a cached session may be resumed.
    # ssl_prefer_server_ciphers on;       # Use the server's cipher order, not the client's.
    # ssl_stapling on;                    # OCSP stapling: nginx fetches the revocation status so clients do not have to.
    # resolver 8.8.8.8;                   # DNS resolver nginx uses to reach the OCSP responder; use your own resolver if you have one.

    # Uncomment the following lines to enable in-memory caching. You will also have to create a RAMDisk.
    # proxy_cache_path /path/to/ramdisk levels=1:2 keys_zone=ram:10m max_size=1g inactive=3d use_temp_path=off; # Declaring the cache location
    # map $request_uri $nocache { # Disabling caching of frequently changed content and API calls.
    #     default 0;              # Patterns starting with ~ or ~* are regexes; a bare string is matched literally, so a
    #                             # "/api/*" entry would only match a URI that is exactly "/api/*". The regexes are anchored
    #                             # with ^ so that unrelated URIs which merely contain "/something/" do not match.
    #     ~*\.(html|json|rss)(\?|$) 1;
    #     ~*^/[a-z0-9_]+/src/ 1;
    #     ~*^/[a-z0-9_]+/?(\?|$) 1;
    #     ~*^/[a-z0-9_]+/index\.html 1;
    #     ~*^/[a-z0-9_]+/[0-9]+\.(html|json) 1;
    #     ~^/api/ 1;
    #     ~^/misc/ 1;
    #     ~^/action 1;
    # }

    limit_req_zone $binary_remote_addr zone=req_perip:10m rate=10r/s; # No more than 10 requests per second per client IP.
    limit_req_zone $server_name zone=req_perserver:10m rate=1000r/s;  # No more than 1000 requests per second for the whole server.
                                                                      # A global limit needs a key that is the same for every request;
                                                                      # keyed by $binary_remote_addr it would be just another per-IP limit.

    limit_conn_zone $binary_remote_addr zone=conn_perip:10m;
    limit_conn_zone $server_name zone=conn_perserver:10m;             # Same reasoning: one key for the whole server.

    upstream backend {                # Using "load balancing" to provide a backup server when ololord.js app is down.
        server 127.0.0.1:8080;        # ololord.js app must listen at that port.
        server 127.0.0.1:8200 backup; # If the ololord.js app is not reachable, the backup server is used (see below).

        keepalive 1024;               # Keep up to 1024 connections to ololord.js open.
    }

    server {                            # The main server
        listen       80 default_server; # Listen for connections at the standard HTTP port 80.
        # listen       443 ssl;         # Uncomment this line to enable SSL (HTTPS).
        server_name  yoursite.com www.yoursite.com;

        # Uncomment the following lines to enable SSL (HTTPS).
        # ssl_certificate     /etc/nginx/cert/yoursite.crt;             # Your certificate followed by the intermediate CA chain, PEM format.
        # ssl_certificate_key /etc/nginx/cert/yoursite.unencrypted.key; # Unencrypted private key: owned by root, mode 0600 (see "Enabling SSL" below).
        # ssl_protocols       TLSv1.2 TLSv1.3;                          # SSLv3, TLSv1 and TLSv1.1 are broken or deprecated; do not enable them.
        #                                                               # TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+; drop it on older builds.
        # ssl_ciphers         "HIGH:!RC4:!aNULL:!MD5:!kEDH";            # Strong ciphers only: no RC4, no anonymous DH, no MD5 MACs, no finite-field DHE.

        limit_req zone=req_perip burst=20;       # Applying the per-IP limits declared above.
        limit_req zone=req_perserver burst=2000; # Applying the global server limits declared above.

        limit_conn conn_perip 10;       # No more than 10 simultaneous connections per IP.
        limit_conn conn_perserver 1000; # No more than 1000 simultaneous connections for the whole server.

        client_max_body_size 50m; # Limiting request body size.
        client_body_timeout 2m;   # Limiting request body transfer time.
        client_header_timeout 5s; # Limiting request headers transfer time.

        keepalive_timeout 360s;   # Limiting the "keep-alive" connection time to 6 minutes.

        # Create the files before uncommenting their includes (see the sections below);
        # nginx refuses to start when an included file does not exist.
        # include /etc/nginx/blocked_ips.conf;
        # include /etc/nginx/block_tor.conf;
        # The "if ($maintainanceMode)" checks below reference this variable, and nginx will not start with an
        # undefined variable ('unknown "maintainanceMode" variable'), so this include must stay active:
        # create /etc/nginx/maintainance.conf containing "set $maintainanceMode 0;" first.
        include /etc/nginx/maintainance.conf;

        location /ws/ {              # WebSocket-related requests are passed directly to the backend.
            if ($maintainanceMode) { # If the maintenance flag (set in /etc/nginx/maintainance.conf) is on,
                return 503;          # then return the 503 error page.
            }

            proxy_pass http://backend;                 # Passing requests to the backend.
            proxy_http_version 1.1;                    # Setting HTTP version to 1.1 in order to use "keep-alive" connections.
            proxy_set_header Upgrade $http_upgrade;    # WebSocket-related header.
            proxy_set_header Connection "upgrade";     # WebSocket-related header.
            proxy_set_header X-Client-IP $remote_addr; # Forward the real client address; without it the app only ever sees 127.0.0.1.
                                                       # The app may trust this header only because it listens on 127.0.0.1:8080, where
                                                       # nothing but nginx can reach it; exposed directly, a client could set it itself.
        }

        location / {                 # The main location.
            if ($maintainanceMode) { # If the maintenance flag (set in /etc/nginx/maintainance.conf) is on,
                return 503;          # then return the 503 error page.
            }

            proxy_set_header X-Client-IP $remote_addr; # If this header is not set, IP addresses will always be 127.0.0.1.

            # Uncomment the following lines to enable in-memory caching.
            # proxy_cache ram;                # Use the "ram" cache declared above.
            # proxy_cache_valid 200 1h;       # Cache successful responses for one hour (unless $nocache is set).
            # proxy_no_cache $nocache;        # Do not store responses matched by the $nocache map.
            # proxy_pass http://127.0.0.1:80; # Everything goes through the local caching proxy server declared at the bottom.

            # Comment out the following lines to enable in-memory caching.
            root /path/to/ololord.js/public;           # You must change the path to your "ololord.js/public" directory.
            try_files $uri $uri/index.html @ololord;   # Trying to serve static files. If not found, passing the request to the special location.
        }

        location @ololord {                            # This location passes the request directly to the backend.
            proxy_http_version 1.1;                    # Setting HTTP version to 1.1 in order to use "keep-alive" connections.
            proxy_set_header Connection "";
            proxy_set_header X-Client-IP $remote_addr; # If this header is not set, IP addresses will always be 127.0.0.1.
            proxy_pass http://backend;                 # Passing the request.
        }

        error_page 503 /503.html;                  # Custom 503 error page. Create "ololord.js/public/error" directory and place a "503.html" file there.

        location = /503.html {                     # Special location to serve the custom 503 error page.
            root /path/to/ololord.js/public/error; # You must change the path to your "ololord.js/public/error" directory.
        }
    }

    server {                   # The backup server.
        listen 127.0.0.1:8200; # Listening locally at port 8200.

        location / {           # Always returning the custom 503 error page if the main server is down.
            return 503;
        }

        error_page 503 /503.html; # See the custom error page declaration description above.

        location = /503.html {
            root /path/to/ololord.js/public/error; # You must change the path to your "ololord.js/public/error" directory.
        }
    }

    # Uncomment the following lines to enable in-memory caching.
    # server {                 # Special proxy server for enabling in-memory caching.
    #     listen 127.0.0.1:80; # Listening on the loopback address only, port 80. This is what keeps the server local;
    #                          # "internal;" must NOT be used in its locations: that directive only admits requests nginx
    #                          # redirected internally (error_page, try_files, rewrite), and the proxied request from the
    #                          # main server above arrives over a new TCP connection, so it would get a 404.

    #     location / {                                 # The main caching proxy server location.
    #         root /path/to/ololord.js/public;         # You must change the path to your "ololord.js/public" directory.
    #         try_files $uri $uri/index.html @ololord; # Trying to serve static files. If not found, passing the request to the special location.
    #     }

    #     location @ololord {                                # This location passes the request directly to the backend.
    #         proxy_http_version 1.1;                        # Setting HTTP version to 1.1 in order to use "keep-alive" connections.
    #         proxy_set_header Connection "";
    #         proxy_set_header X-Client-IP $http_x_client_ip; # Pass on the header set by the main server. Here $remote_addr is always
    #                                                         # 127.0.0.1 (the main server's connection), not the client's address.
    #         proxy_pass http://backend;                      # Passing the request.
    #     }
    # }
}
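
The limit_req settings above cap each client at 10 requests per second (plus the burst), and by default nginx answers a rejected request with 503 (limit_req_status). The access log shows who is running into that limit. The script below is an added example for this page, not part of ololord.js or the original configuration: it groups the log by client address and second, reports every address whose peak rate exceeds a threshold, and counts how many of its requests were rejected. It assumes the default "combined" log format that access_log writes when no log_format is configured; the lines in SAMPLE_LOG are constructed for the example (12 requests in one second from one client, two of them rejected), not taken from a real server.

```shell
#!/bin/sh
# Added example: report clients exceeding a per-second request rate in an
# nginx access log in the default "combined" format. Not part of ololord.js.
# Usage: ratelimit-report.sh                   (runs on the constructed sample below)
#        ratelimit-report.sh /var/log/nginx/access.log

# Constructed sample log lines for the example (not from a real server).
SAMPLE_LOG='203.0.113.7 - - [24/May/2016:10:00:01 +0000] "GET /b/ HTTP/1.1" 200 5120 "-" "python-requests/2.9"
203.0.113.7 - - [24/May/2016:10:00:01 +0000] "GET /b/1.html HTTP/1.1" 200 4096 "-" "python-requests/2.9"
203.0.113.7 - - [24/May/2016:10:00:01 +0000] "GET /b/2.html HTTP/1.1" 200 4100 "-" "python-requests/2.9"
203.0.113.7 - - [24/May/2016:10:00:01 +0000] "GET /b/3.html HTTP/1.1" 200 4080 "-" "python-requests/2.9"
203.0.113.7 - - [24/May/2016:10:00:01 +0000] "GET /b/4.html HTTP/1.1" 200 4120 "-" "python-requests/2.9"
203.0.113.7 - - [24/May/2016:10:00:01 +0000] "GET /b/5.html HTTP/1.1" 200 4090 "-" "python-requests/2.9"
203.0.113.7 - - [24/May/2016:10:00:01 +0000] "GET /b/6.html HTTP/1.1" 200 4110 "-" "python-requests/2.9"
203.0.113.7 - - [24/May/2016:10:00:01 +0000] "GET /b/7.html HTTP/1.1" 200 4070 "-" "python-requests/2.9"
203.0.113.7 - - [24/May/2016:10:00:01 +0000] "GET /b/8.html HTTP/1.1" 200 4130 "-" "python-requests/2.9"
203.0.113.7 - - [24/May/2016:10:00:01 +0000] "GET /b/9.html HTTP/1.1" 200 4060 "-" "python-requests/2.9"
203.0.113.7 - - [24/May/2016:10:00:01 +0000] "GET /b/10.html HTTP/1.1" 503 213 "-" "python-requests/2.9"
203.0.113.7 - - [24/May/2016:10:00:01 +0000] "GET /b/11.html HTTP/1.1" 503 213 "-" "python-requests/2.9"
198.51.100.2 - - [24/May/2016:10:00:01 +0000] "GET /b/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.2 - - [24/May/2016:10:00:03 +0000] "GET /b/2.html HTTP/1.1" 200 4100 "-" "Mozilla/5.0"'

# ratelimit_report LIMIT < access.log
# Prints one line per client whose peak rate exceeds LIMIT requests in a second:
#   "ip peak_requests_in_one_second total_requests requests_rejected_with_503"
ratelimit_report() {
    awk -v limit="$1" '
    {
        ip  = $1
        sec = $4                        # "[24/May/2016:10:00:01": one-second resolution
        key = ip SUBSEP sec
        per_sec[key]++
        total[ip]++
        if ($9 == 503) rejected[ip]++   # $9 is the response status in the combined format
    }
    END {
        for (k in per_sec) {            # peak requests per second for each client
            split(k, parts, SUBSEP)
            ip = parts[1]
            if (per_sec[k] > peak[ip]) peak[ip] = per_sec[k]
        }
        for (ip in peak) {
            if (peak[ip] > limit)
                printf "%s %d %d %d\n", ip, peak[ip], total[ip], rejected[ip] + 0
        }
    }' | sort
}

# Stand-alone: no argument runs on the sample with the template's 10 r/s limit,
# otherwise the argument is an access log to analyse.
if [ $# -eq 0 ]; then
    printf '%s\n' "$SAMPLE_LOG" | ratelimit_report 10
else
    ratelimit_report 10 < "$1"
fi
```

A client that shows up here with many 503s is being throttled as intended; one that exceeds the limit with no 503s is a hint that the zone key is wrong (for instance the per-server zone being keyed by $binary_remote_addr) or that the burst is absorbing everything.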
Enabling SSL (HTTPS)

StartSSL certificates are no longer trusted by browsers and the CA has shut down; use Let's Encrypt (https://letsencrypt.org/) instead. Its client proves control of your domain and issues a certificate valid for 90 days, so set up automatic renewal. Don't forget to uncomment the corresponding lines in the config file.

An unencrypted copy of the private key is needed because nginx has no terminal to ask for a passphrase when it is started as a service. It can be created from the encrypted one with the following command (openssl pkey handles RSA and EC keys alike; openssl rsa is the RSA-only equivalent). The resulting file must be readable only by root, since anyone who can read it can impersonate your site:

openssl pkey -in /path/to/encrypted/key -out /path/to/new/unencrypted/key
chmod 600 /path/to/new/unencrypted/key

Alternatively, keep the key encrypted and point the ssl_password_file directive at a root-only file holding the passphrase.
Blocking individual IP addresses

If you used the above config template, create the /etc/nginx/blocked_ips.conf file and uncomment the line # include /etc/nginx/blocked_ips.conf;. Add blocking rules to the file with the deny directive, which takes a single address or a CIDR range and answers 403. Avoid regexes on $remote_addr for this: an unescaped dot matches any character and an unanchored "123.45.67.*" also matches 1123.45.67.8 or 123.45.670.1.

deny 123.45.67.8;    # Blocking a specific IP address.
deny 123.45.67.0/24; # Blocking a whole range (CIDR notation).

Blocking on the X-Forwarded-For header only makes sense when nginx sits behind a trusted proxy or load balancer that sets it. Clients can put anything into that header, so on a directly exposed server it must not be used for access decisions. If you do rely on it, escape the dots and anchor the pattern to one entry of the comma-separated list:

if ( $http_x_forwarded_for ~ "(^|, ?)123\.45\.67\.[0-9]+(,|$)" ) { return 403; } # Blocking a range by the "X-Forwarded-For" header.
Blocking Tor nodes

If you used the above config template, create the /etc/nginx/block_tor.conf and /etc/nginx/blocked_ips_tor.conf files and uncomment the line # include /etc/nginx/block_tor.conf;. block_tor.conf is the switch (it either includes the Tor list or is empty) and blocked_ips_tor.conf holds one deny rule per Tor exit node address. Both files must exist, because nginx refuses to start when an included file is missing.

Blocking Tor exit nodes is not recommended as a standing measure, since it locks out legitimate users as well; block them only while spammers are actually using Tor to reach your site. The following script switches the block on and off:

#!/bin/bash
# Usage: block-tor 1  (enable)   block-tor 0  (disable)
if [[ "1" == "$1" ]]; then
    echo "include /etc/nginx/blocked_ips_tor.conf;" > /etc/nginx/block_tor.conf
else
    : > /etc/nginx/block_tor.conf  # empty file: the include stays valid but blocks nothing
fi
nginx -t && service nginx reload   # check the config first; a reload keeps open connections, a restart drops them

Create a file block-tor with the above content in the /usr/bin directory, then make it executable with chmod +x /usr/bin/block-tor. Now you may block Tor exit nodes with the block-tor 1 command and unblock them with the block-tor 0 command.
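
Both blocklist files above are plain lists of deny rules, and a single malformed line in either makes nginx reject the whole configuration. The script below is an added example for this page, not part of ololord.js: it turns a list of IPv4 addresses and CIDR ranges (one per line, # comments allowed) into deny rules for blocked_ips.conf, rejecting anything that is not a valid address or range, and can fill blocked_ips_tor.conf from the Tor project's exit list. The exit-list URL https://check.torproject.org/torbulkexitlist and its format (one exit IPv4 address per line) are assumptions of the example; the input in the test is constructed.

```shell
#!/bin/sh
# Added example (not part of ololord.js): build nginx "deny" rules from a plain
# list of IPv4 addresses / CIDR ranges, rejecting anything else.
# Usage:  mkdenylist.sh blocked.txt > /etc/nginx/blocked_ips.conf
#         mkdenylist.sh tor         > /etc/nginx/blocked_ips_tor.conf
# The "tor" mode fetches https://check.torproject.org/torbulkexitlist, assumed
# here to return one exit-node IPv4 address per line.

set -f   # no pathname expansion: a stray "*" in the input must stay a literal string

OCTET='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
IPV4="${OCTET}(\\.${OCTET}){3}"
PREFIX='(/([0-9]|[12][0-9]|3[0-2]))?'

# is_ipv4_or_cidr STRING: true for "a.b.c.d" or "a.b.c.d/n", octets 0-255, n 0-32,
# no leading zeros (so "01.2.3.4" is rejected rather than silently accepted).
is_ipv4_or_cidr() {
    printf '%s\n' "$1" | grep -Eq "^${IPV4}${PREFIX}\$"
}

# render_deny_rules < list: strips "#" comments and blank lines, prints "deny X;"
# for every valid entry, reports each invalid entry on stderr and returns 1 if
# there was any, so nothing half-broken is ever written into the nginx config.
render_deny_rules() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                             # drop trailing comment
        line=$(printf '%s' "$line" | tr -d ' \t\r')  # and surrounding whitespace
        [ -n "$line" ] || continue
        if is_ipv4_or_cidr "$line"; then
            printf 'deny %s;\n' "$line"
        else
            printf 'mkdenylist: rejected entry: %s\n' "$line" >&2
            bad=1
        fi
    done
    return "$bad"
}

# fetch_tor_exits: download the exit list; fail loudly instead of producing an
# empty (and therefore silently useless) blocklist when the download fails.
fetch_tor_exits() {
    list=$(curl -fsS https://check.torproject.org/torbulkexitlist) || return 1
    printf '%s\n' "$list"
}

main() {
    case "$1" in
        tor) fetch_tor_exits | render_deny_rules ;;
        *)   render_deny_rules < "$1" ;;
    esac
}

[ $# -eq 0 ] || main "$1"
```

Redirect the output into the target file only after the script exits successfully (for example with a temporary file and mv), then run nginx -t before reloading; the script exits non-zero as soon as one entry is rejected.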

Maintenance

If you used the above config template, create the /etc/nginx/maintainance.conf file containing set $maintainanceMode 0; and make sure the include /etc/nginx/maintainance.conf; line in the template is not commented out: the if ($maintainanceMode) checks reference this variable, and nginx will not start while it is undefined.

Now, create a file maintainance (I prefer the short name om) in the /usr/bin directory with the following content:

#!/bin/bash
# Usage: maintainance 1  (enable)   maintainance 0  (disable)
case "$1" in 0|1) ;; *) echo "usage: $0 0|1" >&2; exit 1 ;; esac   # the argument is written into the nginx config, so validate it
echo "set \$maintainanceMode $1;" > /etc/nginx/maintainance.conf
nginx -t && service nginx reload   # check the config first; a reload keeps open connections, a restart drops them

Make the file executable with the chmod +x /usr/bin/maintainance command.

Don't forget to create the 503.html file in the ololord.js/public/error directory.

Now you may enable maintenance mode with the maintainance 1 command and disable it with the maintainance 0 command. While it is enabled, every request to / and /ws/ is answered with the 503 status code and the custom 503 page. Enable it when restarting the ololord.js app or performing other maintenance work.
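
The block-tor and maintainance scripts above, and any edit of blocked_ips.conf, share one weakness: they overwrite a file that nginx includes and then reload, so a typo takes the site down until someone notices. The functions below are an added example for this page, not part of ololord.js or the original scripts: a snippet is written to a temporary file, moved into place atomically, checked with nginx -t, and either reloaded or rolled back to the previous version. set_maintenance_mode is the validated equivalent of the maintainance script. NGINX_BIN is an assumed knob so the functions can be exercised on a machine without nginx (the test points it at the true and false commands); the conf path argument is likewise an addition for testing.

```shell
#!/bin/sh
# Added example (not part of ololord.js): replace an nginx include snippet
# safely. Validate with "nginx -t" after the swap, reload on success, restore
# the previous file on failure. A reload, unlike a restart, keeps connections.
# Usage:  sh nginx-snippet.sh 1     (enable maintenance mode)
#         sh nginx-snippet.sh 0     (disable it)

NGINX_BIN=${NGINX_BIN:-nginx}   # assumed override, lets the functions run without nginx installed

# apply_nginx_snippet TARGET CONTENT: install CONTENT as TARGET, validate, reload or roll back.
apply_nginx_snippet() {
    target=$1
    content=$2
    tmp="$target.new.$$"
    backup="$target.bak.$$"

    printf '%s\n' "$content" > "$tmp" || return 1
    chmod 0644 "$tmp"
    if [ -f "$target" ]; then
        cp -p "$target" "$backup" || { rm -f "$tmp"; return 1; }
    fi
    mv "$tmp" "$target" || { rm -f "$tmp" "$backup"; return 1; }   # same directory: atomic rename

    if "$NGINX_BIN" -t >/dev/null 2>&1; then
        rm -f "$backup"
        "$NGINX_BIN" -s reload
        return $?
    fi

    # Validation failed: put the old snippet back (or remove the new one if there was none).
    printf 'apply_nginx_snippet: "%s -t" rejected the new %s, restoring the previous version\n' "$NGINX_BIN" "$target" >&2
    if [ -f "$backup" ]; then
        mv "$backup" "$target"
    else
        rm -f "$target"
    fi
    return 1
}

# set_maintenance_mode 0|1 [CONF]: the argument is pasted verbatim into the nginx
# configuration, so only the two legal values are accepted.
set_maintenance_mode() {
    mode=$1
    conf=${2:-/etc/nginx/maintainance.conf}
    case "$mode" in
        0|1) ;;
        *) printf 'usage: set_maintenance_mode 0|1 [conf]\n' >&2; return 2 ;;
    esac
    apply_nginx_snippet "$conf" "set \$maintainanceMode $mode;"
}

[ $# -eq 0 ] || set_maintenance_mode "$@"
```

The same apply_nginx_snippet call works for block_tor.conf (content "include /etc/nginx/blocked_ips_tor.conf;" or an empty string) and for a freshly generated blocked_ips.conf; in every case a rejected configuration leaves the previous file in place and nginx untouched.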
