Skip to content

Instantly share code, notes, and snippets.

@mburns

mburns/conf_d_default_conf

Last active September 15, 2020 11:36
Show Gist options
  • Save mburns/9dcfb02bd762c81d4bab66f416554da9 to your computer and use it in GitHub Desktop.
Save mburns/9dcfb02bd762c81d4bab66f416554da9 to your computer and use it in GitHub Desktop.
Download ZIP
There is a top-level `nginx.conf` and then in `conf.d`, we have a `default.conf` for HTTP and a `gateway.conf` for HTTPS. Removed some stanzas about domain-specific redirects and legacy rewrite rules.
Raw
conf_d_default_conf
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
add_header 'Access-Control-Allow-Origin' '*' always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
add_header 'Access-Control-Allow-Headers' 'X-Requested-With, Range, Content-Range, X-Chunked-Output, X-Stream-Output' always;
add_header 'Access-Control-Expose-Headers' 'Content-Range, X-Chunked-Output, X-Stream-Output' always;
add_header X-IPFS-POP $hostname always;
location / {
proxy_set_header Host $http_host;
proxy_set_header X-Ipfs-Gateway-Prefix "";
proxy_pass http://backend;
}
}
server {
listen 80;
listen [::]:80;
server_name ipfs.io gateway.ipfs.io;
add_header 'Access-Control-Allow-Origin' '*' always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
add_header 'Access-Control-Allow-Headers' 'X-Requested-With, Range, Content-Range, X-Chunked-Output, X-Stream-Output' always;
add_header 'Access-Control-Expose-Headers' 'Content-Range, X-Chunked-Output, X-Stream-Output' always;
add_header X-IPFS-POP $hostname always;
location ~ "^/(ipfs|ipns|api)(/|$)" {
proxy_set_header Host "";
proxy_set_header X-Ipfs-Gateway-Prefix "";
proxy_pass http://backend;
}
location / {
return 301 https://$http_host$request_uri;
}
}
Raw
conf_d_gateway_conf
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name
{% for domain in nginx_gateway_server_names %}
{{ domain }}
{% endfor %} ;
add_header 'Access-Control-Allow-Origin' '*' always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
add_header 'Access-Control-Allow-Headers' 'X-Requested-With, Range, Content-Range, X-Chunked-Output, X-Stream-Output' always;
add_header 'Access-Control-Expose-Headers' 'Content-Range, X-Chunked-Output, X-Stream-Output' always;
add_header X-IPFS-POP $hostname always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
ssl_certificate /etc/nginx/gateway.crt;
ssl_certificate_key /etc/nginx/gateway.key;
ssl_dhparam /etc/nginx/dhparam.pem;
ssl_trusted_certificate /etc/nginx/trustchain.pem;
ssl on;
ssl_session_cache shared:SSL:10m;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
ssl_prefer_server_ciphers on;
ssl_session_timeout 1d;
ssl_stapling on;
ssl_stapling_verify on;
resolver {{ dns_nameserver }};
if ($http_host ~ ^archives\.ipfs\.io$) {
return 307 https://awesome.ipfs.io/datasets/;
}
location ~ ^/(ipfs|ipns)/.*\.sxg$ {
proxy_hide_header Content-Type;
add_header Content-Type "application/signed-exchange;v=b3";
add_header X-Content-Type-Options "nosniff";
proxy_pass http://backend;
}
location /refs/ {
rewrite "^/refs(/.*)$" $1 break;
proxy_set_header Host refs.ipfs.io;
proxy_set_header X-Ipfs-Gateway-Prefix /refs;
proxy_pass http://backend;
}
location ~ "^/api(/|$)" {
proxy_set_header Host "";
proxy_set_header X-Ipfs-Gateway-Prefix "";
proxy_pass http://backend;
}
location ~ "^/ipfs(/|$)" {
proxy_set_header Host "";
proxy_set_header X-Ipfs-Gateway-Prefix "";
proxy_pass http://backend;
}
location ~ "^/ipns(/|$)" {
proxy_set_header Host "";
proxy_set_header X-Ipfs-Gateway-Prefix "";
proxy_pass http://backend;
}
location / {
proxy_set_header Host $http_host;
proxy_set_header X-Ipfs-Gateway-Prefix "";
proxy_pass http://backend;
}
}
Raw
nginx_conf
user www-data;
worker_processes auto;
worker_rlimit_nofile 65535;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 10240;
# multi_accept on;
}
http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_tokens off;
server_names_hash_bucket_size 64;
server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
# copied from https://github.com/h5bp/server-configs-nginx/blob/master/h5bp/web_performance/compression.conf
# ----------------------------------------------------------------------
# | Compression |
# ----------------------------------------------------------------------
# https://nginx.org/en/docs/http/ngx_http_gzip_module.html
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
##
# go-ipfs config
##
proxy_connect_timeout 5s;
proxy_buffering off;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
include blacklist.conf;
include denylist.conf;
# These are unfortunately still hardcoded in go-ipfs.
# We're removing them from the upstream response so they
# don't mess with the additional header we set.
proxy_hide_header Access-Control-Allow-Headers;
proxy_hide_header Access-Control-Expose-Headers;
# We have to set this header in go-ipfs because otherwise
# it'll do it's origin check based on its defaults (localhost et al).
proxy_hide_header Access-Control-Allow-Origin;
upstream backend {
server 127.0.0.1:8080;
keepalive 64;
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment