jb-alvarado · September 29, 2020 10:10
diff --git a/edge.conf b/edge.conf
 proxy_cache_path /mnt/ramdisk/cache_temp use_temp_path=off keys_zone=cache_temp:10m max_size=1536m inactive=1h;

 server {
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/edge.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/edge.example.org/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    server_name edge.example.org;
    set $upstream origin.example.org;

    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"; 

    keepalive_timeout 0;
    set $cors_origin '';

    if ($http_origin ~ '^https?://(localhost|example\.org|edge\.example\.org)') {
        set $cors_origin $http_origin;
    }

    location / {
        add_header 'Access-Control-Allow-Origin' $cors_origin;
        add_header X-Cache-Status $upstream_cache_status;

        proxy_cache cache_temp;
        proxy_cache_lock on;
        proxy_cache_valid 404 1s;
        proxy_pass https://$upstream;
    }

    access_log off;
 }
diff --git a/origin.conf b/origin.conf
 server {
    listen 443 ssl;
 
    # SSL config
    ssl_certificate /etc/letsencrypt/live/origin.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/origin.example.org/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # Make site accessible from http://localhost/
    server_name origin.example.org;

    set $upstream hls.example.org;

    gzip on;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript application/vnd.apple.mpegurl;
    gzip_min_length 1000;

    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"; 

    location / {
        add_header Access-Control-Expose-Headers Content-Length;
        add_header Cache-Control "max-age=86400";
     }

     location ~* \.(m3u8|ts)$ {
        add_header Access-Control-Expose-Headers Content-Length;
        add_header Cache-Control "max-age=3600";

        types {
            application/vnd.apple.mpegurl m3u8;
            video/mp2t ts;
        }

        location ~* \.m3u8$ {
            add_header Access-Control-Expose-Headers Content-Length;
            add_header Cache-Control "max-age=1";
            proxy_pass http://$upstream;
        }

        proxy_pass_header Authorization;
        proxy_pass http://$upstream;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_buffering off;
        client_max_body_size 0;
        proxy_read_timeout 36000s;
        proxy_redirect off;
        proxy_ssl_session_reuse off;
    }
    access_log off;
 }
	proxy_cache_path /mnt/ramdisk/cache_temp use_temp_path=off keys_zone=cache_temp:10m max_size=1536m inactive=1h;

	server {
	listen 443 ssl; # managed by Certbot
	ssl_certificate /etc/letsencrypt/live/edge.example.org/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/edge.example.org/privkey.pem;
	include /etc/letsencrypt/options-ssl-nginx.conf;
	ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

	server_name edge.example.org;
	set $upstream origin.example.org;

	add_header X-Frame-Options SAMEORIGIN;
	add_header X-Content-Type-Options nosniff;
	add_header X-XSS-Protection "1; mode=block";
	add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

	keepalive_timeout 0;
	set $cors_origin '';

	if ($http_origin ~ '^https?://(localhost\|example\.org\|edge\.example\.org)') {
	set $cors_origin $http_origin;
	}

	location / {
	add_header 'Access-Control-Allow-Origin' $cors_origin;
	add_header X-Cache-Status $upstream_cache_status;

	proxy_cache cache_temp;
	proxy_cache_lock on;
	proxy_cache_valid 404 1s;
	proxy_pass https://$upstream;
	}

	access_log off;
	}
	server {
	listen 443 ssl;

	# SSL config
	ssl_certificate /etc/letsencrypt/live/origin.example.org/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/origin.example.org/privkey.pem;
	include /etc/letsencrypt/options-ssl-nginx.conf;
	ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

	# Make site accessible from http://localhost/
	server_name origin.example.org;

	set $upstream hls.example.org;

	gzip on;
	gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript application/vnd.apple.mpegurl;
	gzip_min_length 1000;

	add_header X-Frame-Options SAMEORIGIN;
	add_header X-Content-Type-Options nosniff;
	add_header X-XSS-Protection "1; mode=block";
	add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

	location / {
	add_header Access-Control-Expose-Headers Content-Length;
	add_header Cache-Control "max-age=86400";
	}

	location ~* \.(m3u8\|ts)$ {
	add_header Access-Control-Expose-Headers Content-Length;
	add_header Cache-Control "max-age=3600";

	types {
	application/vnd.apple.mpegurl m3u8;
	video/mp2t ts;
	}

	location ~* \.m3u8$ {
	add_header Access-Control-Expose-Headers Content-Length;
	add_header Cache-Control "max-age=1";
	proxy_pass http://$upstream;
	}

	proxy_pass_header Authorization;
	proxy_pass http://$upstream;
	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_http_version 1.1;
	proxy_set_header Connection "";
	proxy_buffering off;
	client_max_body_size 0;
	proxy_read_timeout 36000s;
	proxy_redirect off;
	proxy_ssl_session_reuse off;
	}
	access_log off;
	}