noellabo · April 26, 2020 05:10
diff --git a/lightsail_to_s3_reverse_proxy.conf b/lightsail_to_s3_reverse_proxy.conf
 proxy_cache_path               /var/cache/media levels=2:2 keys_zone=MEDIA_CACHE:100m inactive=7d max_size=30g;

 server {
  listen                       80;
  server_name                  files.example.com;
  return                       301 https://$host$request_uri;
 }

 server {
  listen                       443 ssl http2;
  server_name                  files.example.com;

  ssl_protocols                TLSv1.2 TLSv1.3;
  ssl_ciphers                  ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384;
  ssl_prefer_server_ciphers    on;
  ssl_stapling                 on;
  ssl_stapling_verify          on;
  ssl_session_timeout          1d;
  ssl_session_cache            shared:SSL:10m;
  ssl_session_tickets          off;

  ssl_certificate              /etc/letsencrypt/live/example.com/fullchain.pem;
  ssl_certificate_key          /etc/letsencrypt/live/example.com/privkey.pem;
  ssl_trusted_certificate      /etc/letsencrypt/live/example.com/fullchain.pem;
  ssl_dhparam                  /etc/ssl/private/dhparam.pem;
  ssl_ecdh_curve               secp384r1;

  sendfile                     on;
  tcp_nodelay                  on;
  keepalive_timeout            65;
  client_max_body_size         80m;

  location / {
    set                        $s3_host backetname.s3.ap-northeast-1.amazonaws.com;
    proxy_pass                 http://$s3_host;
    proxy_http_version         1.1;
    proxy_pass_request_headers off;
    proxy_set_header           X-Real-IP         $remote_addr;
    proxy_set_header           X-Forwarded-Proto $scheme;
    proxy_set_header           X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header           Host $s3_host;
    proxy_set_header           Connection    "";
    proxy_set_header           Authorization "";
    proxy_set_header           Proxy         "";
    proxy_set_header           Cookie        "";
    proxy_ignore_headers       Set-Cookie;
    proxy_hide_header          Set-Cookie;
    proxy_hide_header          x-amz-id-2;
    proxy_hide_header          x-amz-request-id;
    proxy_hide_header          x-amz-meta-server-side-encryption;
    proxy_hide_header          x-amz-server-side-encryption;
    proxy_intercept_errors     on;
    proxy_buffering            off;
    proxy_request_buffering    off;
    proxy_redirect             off;
    proxy_read_timeout         600s;
    proxy_next_upstream        error timeout http_500 http_502 http_503 http_504;
    proxy_cache                MEDIA_CACHE;
    proxy_cache_lock           on;
    proxy_cache_lock_age       5s;
    proxy_cache_lock_timeout   5s;
    proxy_cache_valid          200 304 60m;
    proxy_cache_use_stale      error timeout updating http_500 http_502 http_503 http_504;
    proxy_cache_revalidate     on;
    add_header                 Cache-Control "public, max-age=31536000, immutable";
    add_header                 X-Cache-Status $upstream_cache_status;
    add_header                 Access-Control-Allow-Origin *;
    add_header                 Access-Control-Allow-Methods "HEAD, GET, OPTIONS";
    add_header                 Access-Control-Allow-Headers "Origin, Authorization, Accept";
    add_header                 Access-Control-Allow-Credentials true;
    add_header                 Strict-Transport-Security "max-age=63072000; includeSubdomains; preload;";
    expires                    max;
    resolver                   10.0.0.2 valid=300s;
    resolver_timeout           10s;
    access_log                 off;
    limit_except               HEAD GET OPTIONS { deny all; }
  }

  location /health {
    empty_gif;
    access_log off;
    break;
  }

  error_page 403 404 500 501 502 503 504 /health;
 }
	proxy_cache_path /var/cache/media levels=2:2 keys_zone=MEDIA_CACHE:100m inactive=7d max_size=30g;

	server {
	listen 80;
	server_name files.example.com;
	return 301 https://$host$request_uri;
	}

	server {
	listen 443 ssl http2;
	server_name files.example.com;

	ssl_protocols TLSv1.2 TLSv1.3;
	ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384;
	ssl_prefer_server_ciphers on;
	ssl_stapling on;
	ssl_stapling_verify on;
	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:10m;
	ssl_session_tickets off;

	ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
	ssl_trusted_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
	ssl_dhparam /etc/ssl/private/dhparam.pem;
	ssl_ecdh_curve secp384r1;

	sendfile on;
	tcp_nodelay on;
	keepalive_timeout 65;
	client_max_body_size 80m;

	location / {
	set $s3_host backetname.s3.ap-northeast-1.amazonaws.com;
	proxy_pass http://$s3_host;
	proxy_http_version 1.1;
	proxy_pass_request_headers off;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-Proto $scheme;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header Host $s3_host;
	proxy_set_header Connection "";
	proxy_set_header Authorization "";
	proxy_set_header Proxy "";
	proxy_set_header Cookie "";
	proxy_ignore_headers Set-Cookie;
	proxy_hide_header Set-Cookie;
	proxy_hide_header x-amz-id-2;
	proxy_hide_header x-amz-request-id;
	proxy_hide_header x-amz-meta-server-side-encryption;
	proxy_hide_header x-amz-server-side-encryption;
	proxy_intercept_errors on;
	proxy_buffering off;
	proxy_request_buffering off;
	proxy_redirect off;
	proxy_read_timeout 600s;
	proxy_next_upstream error timeout http_500 http_502 http_503 http_504;
	proxy_cache MEDIA_CACHE;
	proxy_cache_lock on;
	proxy_cache_lock_age 5s;
	proxy_cache_lock_timeout 5s;
	proxy_cache_valid 200 304 60m;
	proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
	proxy_cache_revalidate on;
	add_header Cache-Control "public, max-age=31536000, immutable";
	add_header X-Cache-Status $upstream_cache_status;
	add_header Access-Control-Allow-Origin *;
	add_header Access-Control-Allow-Methods "HEAD, GET, OPTIONS";
	add_header Access-Control-Allow-Headers "Origin, Authorization, Accept";
	add_header Access-Control-Allow-Credentials true;
	add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload;";
	expires max;
	resolver 10.0.0.2 valid=300s;
	resolver_timeout 10s;
	access_log off;
	limit_except HEAD GET OPTIONS { deny all; }
	}

	location /health {
	empty_gif;
	access_log off;
	break;
	}

	error_page 403 404 500 501 502 503 504 /health;
	}