nginx as TLS terminator/reverse cache proxy for Apache & ownCloud 8.x
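##
# Shared proxy-cache parameters (included from the http context)
##
# Skip the cache lookup when the client sends a "nocache" cookie or query
# argument, or any "comment" argument (the nginx documentation example). Any
# client can force a bypass this way, so each bypass costs a backend request.
proxy_cache_bypass $cookie_nocache $arg_nocache$arg_comment;
# Also skip the lookup for requests carrying Pragma or Authorization headers.
proxy_cache_bypass $http_pragma $http_authorization;
# proxy_cache_bypass only skips the lookup; the response is still stored
# unless proxy_no_cache matches as well. Without the pair below, the reply to
# an authenticated (Authorization) request would be saved under a key that has
# no per-user component and could be served to other clients.
proxy_no_cache $cookie_nocache $arg_nocache$arg_comment;
proxy_no_cache $http_pragma $http_authorization;
# Cache key: scheme + upstream host + full request URI (including query string).
proxy_cache_key $scheme$proxy_host$request_uri;
# Only one request at a time populates a new cache element; the others wait.
proxy_cache_lock on;
# GET and HEAD are always cacheable; listed explicitly as the docs recommend.
proxy_cache_methods GET HEAD;
# Responses are cached from the first request on.
proxy_cache_min_uses 1;
# Expired items are re-fetched in full rather than via conditional requests
# (If-Modified-Since / If-None-Match); this is the default.
proxy_cache_revalidate off;
# Serve a stale copy when the backend times out, answers garbage or fails
# with 500/502/503/504.
proxy_cache_use_stale timeout invalid_header http_500 http_502 http_503 http_504;
# Timeout for establishing the TCP connection to the backend.
proxy_connect_timeout 120s;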
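##
# Cache one: long-lived entries (4 weeks)
##
# keys_zone: 50 MB of shared memory for the key index.
# inactive=4w: the default of 10 minutes would evict any entry not requested
# within 10 minutes, regardless of the 4-week validity set below. No max_size
# is given, so the cache directory grows until the disk fills; set
# "max_size=<LIMIT>" (placeholder) for a production host.
proxy_cache_path /var/cache/nginx/one keys_zone=one:50m inactive=4w
loader_threshold=300 loader_files=200;
# NOTE(review): proxy_cache_valid here and in the "two" zone file both end up
# in the same http context, so they are not applied per zone; set
# proxy_cache_valid inside the location that uses "proxy_cache one" to make
# the validity unambiguous.
proxy_cache_valid 200 302 4w;
proxy_cache_valid 404 10m;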
##
# Cache two: short-lived entries (10 minutes)
##
# 50 MB key index; no max_size, so disk usage is bounded only by inactivity
# (default 10 minutes, which matches the validity below).
proxy_cache_path /var/cache/nginx/two keys_zone=two:50m loader_threshold=300 loader_files=200;
# Validity per status code: 200/302 for ten minutes, 404 for one minute.
# NOTE(review): these land in the same http context as the "one" zone file's
# proxy_cache_valid lines; whichever takes effect applies to both zones.
proxy_cache_valid 200 302 10m;
proxy_cache_valid 404 1m;
nginx version: nginx/1.6.2
built by gcc 4.8.2 (Ubuntu 4.8.2-19ubuntu1)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-mail --with-mail_ssl_module --with-file-aio --with-http_spdy_module --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,--as-needed' --with-ipv6
# Main nginx configuration: TLS terminator and cache proxy in front of Apache/ownCloud.
# Worker processes run as user nginx, group www-data.
user nginx www-data;
worker_processes 1;
# Per-worker open-file limit, well above worker_connections.
worker_rlimit_nofile 70000;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    # Cache zone definitions and the shared proxy-cache settings.
    include /etc/nginx/cache_zone_one;
    include /etc/nginx/cache_zone_two;
    include /etc/nginx/cache_params;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Combined-style access log; $http_x_forwarded_for is the header as
    # received from the client, not the one nginx sets for the backend.
    log_format main
        '$remote_addr - $remote_user [$time_local] "$request" '
        '$status $body_bytes_sent "$http_referer" '
        '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;

    sendfile on;
    #tcp_nopush on;
    # Default request-body limit; the ownCloud server block raises it to 10G.
    client_max_body_size 1024M;
    keepalive_timeout 65;
    gzip on;
    # Hide the nginx version in the Server header and error pages.
    server_tokens off;

    # Virtual hosts: upstream, HTTP redirect and the HTTPS ownCloud server.
    include /etc/nginx/conf.d/*.conf;
}
##
# Upstream: the Apache/ownCloud backend, referenced by proxy_pass below
##
upstream owncloud-backend {
    # Loopback only; plain HTTP because TLS terminates at nginx.
    server 127.0.0.1:8080;
}
##
# HTTP => HTTPS: permanent (301) redirect for every request on port 80
##
server {
    listen 80;
    server_name owncloud.xxx.xx;
    # Same 301 the "rewrite ^ https://... permanent" form produces;
    # $request_uri already carries the query string.
    return 301 https://$server_name$request_uri;
}
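##
# Main server: TLS termination and caching in front of the Apache/ownCloud backend
##
server {
    ##
    # Basic config
    ##
    # nginx 1.6.2 (see the nginx -V output above) still ships the SPDY module;
    # SPDY was removed in nginx 1.9.5, where this becomes "listen 443 ssl http2;".
    listen 443 ssl spdy;
    server_name owncloud.xxx.xx;
    root /var/www/owncloud;
    index index.html index.htm;

    ##
    # Logging
    ##
    access_log /var/log/nginx/owncloud-access.log;
    error_log /var/log/nginx/owncloud-error.log;

    ##
    # Proxy configuration: headers and read timeout passed to the backend
    ##
    include /etc/nginx/proxy_params;

    ##
    # TLS: https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
    ##
    ssl_certificate /etc/nginx/ssl/owncloud.xxx.xx.crt;
    ssl_certificate_key /etc/nginx/ssl/owncloud.xxx.xx.key;
    ssl_dhparam /etc/nginx/ssl/dhparam-4096.pem;
    ssl_prefer_server_ciphers on;
    # Forward-secret (ECDHE/DHE) AES-128 suites only, no anonymous suites.
    ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL';
    # TLS 1.0 and 1.1 are kept for old clients (this config dates from 2015);
    # both are deprecated (RFC 8996) — drop them once the client inventory allows.
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_stapling on;
    # ssl_stapling_verify needs the issuer chain to verify OCSP responses:
    # add "ssl_trusted_certificate <PATH-TO-CHAIN>;" (placeholder), otherwise
    # nginx logs a verification error and staples nothing.
    ssl_stapling_verify on;
    ssl_buffer_size 1400;
    # No SPDY header compression (CRIME-style compression attacks).
    spdy_headers_comp 0;
    keepalive_timeout 70;
    # Resolver for the OCSP responder lookups; plain DNS to a public resolver.
    # A local resolver keeps those lookups on-host.
    resolver 8.8.8.8 8.8.4.4 valid=86400;
    resolver_timeout 10;

    ##
    # Miscellaneous security
    ##
    server_tokens off;
    # One value per header. The original added X-Frame-Options twice (DENY and
    # SAMEORIGIN) and X-Content-Type-Options twice; add_header appends rather
    # than replaces, and browsers resolve conflicting X-Frame-Options values
    # inconsistently. SAMEORIGIN is the value ownCloud's own nginx guide uses.
    # If the backend already emits any of these headers the response carries
    # both copies; use proxy_hide_header on that name to drop the upstream one.
    add_header Strict-Transport-Security max-age=63072000;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    ##
    # Deny direct access to ownCloud's private paths (list from the ownCloud
    # nginx guide). Regex locations match in file order, so this must come
    # before the static-content location below, which otherwise serves e.g.
    # /data/<user>/files/*.jpg straight from disk — nginx does not apply the
    # .htaccess rules Apache would use — assuming the data directory sits under
    # the document root, as it does by default.
    ##
    location ~ ^/(?:\.htaccess|data|config|db_structure\.xml|README) {
        deny all;
    }

    ##
    # Routes: everything else goes to the backend
    ##
    location / {
        #add_header X-Match "root";
        proxy_pass http://owncloud-backend;
    }
    location ~ \.php {
        #add_header X-Match "php";
        proxy_pass http://owncloud-backend;
    }

    ##
    # Static content, served from disk without consulting the backend
    ##
    location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|css|js|swf|svg)$ {
        #add_header X-Match "static";
        root /var/www/owncloud;
        expires 30d;
    }

    ##
    # Cacheable content for cache group one
    ##
    location =/index.php/core/preview.png {
        #add_header X-Match "preview";
        # add_header directives in a location replace, not extend, those of
        # the enclosing server, so the security headers are repeated here.
        add_header Strict-Transport-Security max-age=63072000;
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Cache "1";
        add_header X-Cache-Upstream "$upstream_cache_status";
        proxy_cache one;
        # Validity set here because both cache zone files define
        # proxy_cache_valid in the same http context.
        proxy_cache_valid 200 302 4w;
        proxy_cache_valid 404 10m;
        # NOTE(review): the cache key ($scheme$proxy_host$request_uri) has no
        # per-user component, and the bypass conditions in cache_params only
        # skip the lookup, they do not stop storing. Previews are presumably
        # per-user content, so sharing a cached copy is only safe if the
        # backend marks them Cache-Control: private/no-store — confirm.
        proxy_pass http://owncloud-backend;
    }

    ##
    # Cacheable content for cache group two
    ##
    #location =/index.php/cachale.php {
    #add_header X-Cache "2";
    #add_header X-Cache-Upstream "$upstream_cache_status";
    #proxy_cache two;
    #proxy_pass http://owncloud-backend;
    #}

    ##
    # Gzip
    ##
    # Compressing dynamic responses over TLS is the precondition for BREACH;
    # the types below include application/json, so consider restricting
    # compression to static types (css, js) for this server.
    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
    gzip_buffers 16 8k;
    gzip_comp_level 6;
    gzip_proxied any;

    ##
    # Open file cache
    ##
    open_file_cache max=10000 inactive=5m;
    open_file_cache_valid 2h;
    open_file_cache_min_uses 1;
    open_file_cache_errors on;

    ##
    # Uploads: https://doc.owncloud.org/server/8.1/admin_manual/installation/nginx_configuration.html
    ##
    # Overrides the 1024M limit set in the http context for this server.
    client_max_body_size 10G;
    # Only consulted by fastcgi_pass; this server proxies everything to
    # Apache, so the directive has no effect here (kept from the ownCloud guide).
    fastcgi_buffers 64 4K;

    ##
    # Deny some requests
    ##
    location ~ /\.ht {
        deny all;
    }
}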
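# Headers and timeouts for requests proxied to the backend
# (included from the listen 443 server).
# Client address. At the edge, $remote_addr overwrites any client-supplied
# X-Forwarded-For, so the backend cannot be fed a spoofed source address.
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
# Pass the original Host so the backend sees owncloud.xxx.xx, not 127.0.0.1:8080.
proxy_set_header Host $host;
# Tell the backend the client connection is TLS ($scheme is https in the
# only server that includes this file); ownCloud reads X-Forwarded-Proto when
# building absolute URLs behind a TLS terminator — confirm for the 8.x release in use.
proxy_set_header X-Forwarded-Proto $scheme;
# Timeout between two successive reads from the backend.
proxy_read_timeout 120s;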