Created
May 24, 2016 21:39
-
-
Save jamesez/d61ebdde1c3a1b4e102943c21bf26acf to your computer and use it in GitHub Desktop.
munki caching server config
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| daemon off; # docker requirement | |
| worker_processes 6; | |
| pid /tmp/nginx.pid; | |
| user nginx; | |
| events { | |
| worker_connections 768; | |
| } | |
| http { | |
| # optimize for large files | |
| sendfile off; | |
| directio 512; | |
| aio on; | |
| tcp_nopush on; | |
| tcp_nodelay on; | |
| keepalive_timeout 180; | |
| # open file caching | |
| open_file_cache max=2000 inactive=5m; | |
| open_file_cache_valid 5m; | |
| open_file_cache_min_uses 1; | |
| open_file_cache_errors on; | |
| # MIME type handling | |
| types_hash_max_size 2048; | |
| include /etc/nginx/mime.types; | |
| default_type application/octet-stream; | |
| types { | |
| application/x-plist plist; | |
| } | |
| # Logging Settings | |
| access_log /logs/access.log; | |
| error_log /logs/error.log; | |
| # Don't include the nginx version number, etc | |
| server_tokens off; | |
| # Gzip Settings | |
| gzip on; | |
| gzip_disable "msie6"; | |
| # caching | |
| proxy_cache_path /cache levels=2:2 max_size=400g keys_zone=munkicache:15m inactive=30d; | |
| proxy_temp_path /proxy_tmp; | |
| proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504; | |
| proxy_cache_valid 200 302 404 2h; | |
| proxy_cache_revalidate on; | |
| proxy_cache_lock on; | |
| # proxy_cache_lock_age 1m; # our nginx is 1.4, this needs 1.7.8 | |
| server { | |
| listen 8080; | |
| server_name [not provided]; | |
| proxy_cache munkicache; | |
| # Handle asu traffic on non-https | |
| # Software Update gets totally bonkers if it sees https origination in the munki local catalog - can't verify the cert, so it bails badly | |
| location /asu/ { | |
| try_files @upstream @upstream; | |
| } | |
| # Turns out, primitive EFI firmware can't handle ssl either | |
| location /nbi/ { | |
| try_files @upstream @upstream; | |
| } | |
| # nagios, etc | |
| location = / { | |
| return 204; | |
| } | |
| location / { | |
| # 10.7.x - Lion | |
| if ( $http_user_agent ~ "Darwin/11" ){ | |
| rewrite ^/index(.*)\.sucatalog$ /asu/content/catalogs/others/index-lion-snowleopard-leopard.merged-1$1.sucatalog last; | |
| } | |
| # 10.8.x - Mountain Lion | |
| if ( $http_user_agent ~ "Darwin/12" ){ | |
| rewrite ^/index(.*)\.sucatalog$ /asu/content/catalogs/others/index-mountainlion-lion-snowleopard-leopard.merged-1$1.sucatalog last; | |
| } | |
| # 10.9.x - Mavericks | |
| if ( $http_user_agent ~ "Darwin/13" ){ | |
| rewrite ^/index(.*)\.sucatalog$ /asu/content/catalogs/others/index-10.9-mountainlion-lion-snowleopard-leopard.merged-1$1.sucatalog last; | |
| } | |
| # 10.10 - Yosemite | |
| if ( $http_user_agent ~ "Darwin/14" ){ | |
| rewrite ^/seed(.*)\.sucatalog$ /asu/content/catalogs/others/index-10.10seed-10.10-10.9-mountainlion-lion-snowleopard-leopard.merged-1$1.sucatalog last; | |
| rewrite ^/index(.*)\.sucatalog$ /asu/content/catalogs/others/index-10.10-10.9-mountainlion-lion-snowleopard-leopard.merged-1$1.sucatalog last; | |
| } | |
| # 10.11 - | |
| if ( $http_user_agent ~ "Darwin/15" ){ | |
| rewrite ^/seed(.*)\.sucatalog$ /asu/content/catalogs/others/index-10.11seed-10.11-10.10-10.9-mountainlion-lion-snowleopard-leopard.merged-1$1.sucatalog last; | |
| rewrite ^/index(.*)\.sucatalog$ /asu/content/catalogs/others/index-10.11-10.10-10.9-mountainlion-lion-snowleopard-leopard.merged-1$1.sucatalog last; | |
| } | |
| # Redirect over to https | |
| rewrite ^ https://servername$request_uri? permanent; | |
| } | |
| location @upstream { | |
| proxy_pass http://master-server; | |
| } | |
| } | |
| # https server | |
| server { | |
| listen 8443; | |
| server_name [not provided]; | |
| proxy_cache munkicache; | |
| ssl on; | |
| ssl_certificate /ssl/server.crt; | |
| ssl_certificate_key /ssl/server.key; | |
| ssl_session_cache shared:SSL:10m; | |
| ssl_session_timeout 5m; | |
| ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |
| ssl_ciphers HIGH:!aNULL:!MD5; | |
| ssl_prefer_server_ciphers on; | |
| location /packages/client_resources/ { | |
| proxy_cache_valid 404 15d; | |
| try_files @upstream @upstream; | |
| } | |
| location /packages/icons/ { | |
| proxy_cache_valid 404 12h; | |
| try_files @upstream @upstream; | |
| } | |
| location /clients/ { | |
| proxy_cache_valid 200 302 404 30m; | |
| try_files @upstream @upstream; | |
| } | |
| # nagios, etc | |
| location = / { | |
| return 204; | |
| } | |
| location / { | |
| # sucatalog: get out of here | |
| rewrite ^/(.*)\.sucatalog$ http://server$request_uri permanent; | |
| try_files @upstream @upstream; | |
| } | |
| location @upstream { | |
| proxy_pass http://master-server; | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment