simondlr · August 29, 2015 14:08
diff --git a/a.md b/a.md
diff --git a/counterblock.conf b/counterblock.conf
 worker_processes auto;
 # pid /var/run/nginx.pid;
 pid /var/log/nginx.pid;

 events {
  # determines how much clients will be served per worker
  # max clients = worker_connections * worker_processes
  # max clients is also limited by the number of socket connections available on the system (~64k)
  worker_connections 1024;

  # optmized to serve many clients with each thread, essential for linux
  # use epoll; #linux 2.6+

  # accept as many connections as possible, may flood worker connections if set too low
  multi_accept on;

  # (hopefully) improve performance a bit more
  accept_mutex off;
 }

 http {
    # this is helpful due to our use of openresty
    variables_hash_bucket_size 128;
    variables_hash_max_size 1024;

    # don't give version in status string
    server_tokens off;

    # copies data between one FD and other from within the kernel
    # faster then read() + write()
    sendfile on;

    # send headers in one piece, its better then sending them one by one
    tcp_nopush on;

    # don't buffer data sent, good for small data bursts in real time
    tcp_nodelay on;

    # server will close an open connection after this time
    keepalive_timeout 50;

    # more timeouts to help against slowlaris DDOS, etc
    client_body_timeout 10;
    client_header_timeout 10;
    send_timeout 10;

    types_hash_max_size 2048;

    #include /etc/nginx/mime.types;
    include mime.types;
    default_type application/octet-stream;

    # Logging Settings
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    # Gzip Settings
    gzip on;
    gzip_http_version 1.1;
    gzip_vary on;
    gzip_comp_level 6;
    gzip_proxied any;
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";
    gzip_min_length 500;
    gzip_types text/plain text/css text/comma-separated-values
         application/json text/javascript application/javascript application/x-javascript
         text/xml application/xml application/xml+rss application/atom+xml;
    #^ text/html included by default

    # Rate limiting (basic DDOS protection)
    limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
    limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=15r/s;

    # Utilize HSTS (HTTP Strict Transport Security) to force all traffic to be over HTTPS
    # NOTE: DISABLED BY DEFAULT AS IT WONT WORK WITH SELF SIGNED CERTS. ENABLE IN PRODUCTION MODE.
    # add_header Strict-Transport-Security max-age=31536000;

    # config to don't allow the browser to render the page inside an frame or iframe
    # and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
    # if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
    # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
    add_header X-Frame-Options DENY;

    # when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
    # to disable content-type sniffing on some browsers.
    # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
    # currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
    # http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
    # 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
    add_header X-Content-Type-Options nosniff;

    # This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
    # It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
    # this particular website if it was disabled by the user.
    # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
    add_header X-XSS-Protection "1; mode=block";

    #used by adobe flash
    add_header X-Permitted-Cross-Domain-Policies "master-only";

    # Virtual Host Configs
    #include /etc/nginx/conf.d/*.conf;
    #include /etc/nginx/sites/*.conf;
    include /usr/local/etc/nginx/sites/*.conf;
 }

 Simon-2:nginx simon$ cat sites/counterblock.conf
 upstream cache_server {
  server 127.0.0.1:6379; #default port
  keepalive 128;
 }
 upstream counterblock_api_server {
  server 127.0.0.1:4100;
  keepalive 30;
 }
 upstream counterblock_t_api_server {
  #server dogeblockd_testnet:14100;
  server 127.0.0.1:14100;
  keepalive 30;
 }

 # with Content Security Policy (CSP) enabled(and a browser that supports it(http://caniuse.com/#feat=contentsecuritypolicy),
 # you can tell the browser that it can only download content from the domains you explicitly allow
 # http://www.html5rocks.com/en/tutorials/security/content-security-policy/
 # https://www.owasp.org/index.php/Content_Security_Policy
 # I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
 # directives for css and js(if you have inline css or js, you will need to keep it too).
 # more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
 add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://ssl.google-analytics.com https://query.yahooapis.com; img-src 'self' data: https://ssl.google-analytics.com; style-src 'self' 'unsafe-inline' fonts.googleapis.com; font-src 'self' themes.googleusercontent.com fonts.gstatic.com; frame-src 'none'; object-src 'self'; connect-src 'self' ws://testnet.wallet.dogeparty.io wss://$host https://api.rollbar.com;";


 server {
  listen 4126;
  server_name testnet.wallet.dogeparty.io;

  ###############
  # BASE SITE SERVING (STATIC FILES)

  # CACHING - For production use
  open_file_cache max=200000 inactive=20s;
  open_file_cache_valid 30s;
  open_file_cache_min_uses 2;
  open_file_cache_errors on;

  location /_asset_img/ {
    access_log off;
    expires 1h;
    alias /home/xcp/.config/counterblockd/asset_img/;
  }
  location /_t_asset_img/  {
    access_log off;
    expires 1h;
    alias /home/xcp/.config/counterblockd-testnet/asset_img/;
  }
  location /src  {
    #For dev/testing (uses unminified resources)
    open_file_cache off;
    expires off;
    alias /home/xcp/counterwallet/src/;
  }
  #location /servers.json  {
  #  #alias /etc/nginx/servers-testnet.json;
  #  alias /Users/simon/code/dogeparty/etc/nginx/servers-testnet.json;
  #}
  location /  {
    access_log off;
    expires 1h;
    root /Users/simon/code/dogeparty/dogeparty-wallet/src/;

    #Enable this during single server system updates
    #root /home/xcp/counterpartyd_build/dist/linux/nginx/upgrade_root/;
  }
  #############

  #####
  # TESTNET
  # PROXY TO COUNTERWALLETD API REQUESTS (WSGI) - try to hit the cache in redis first
  location ^~ /_t_api
  {
    #reject everything except GET, POST and OPTIONS
    limit_except GET POST OPTIONS {
      deny all;
    }

    #include /etc/nginx/sites/counterblock_api_cache.inc;
    #set $redis_db "1";

    # Send to app server if Redis could not answer the request
    error_page 404 405 550 = @t_wsgi_api;
  }
  # PROXY TO COUNTERWALLETD API BACKEND (WSGI)
  location @t_wsgi_api {
    #include /etc/nginx/sites/counterblock_api.inc;
    include /usr/local/etc/nginx/sites/counterblock_api.inc;
    rewrite ^/_t_api/?$ /api/?  break;
    proxy_pass   http://counterblock_t_api_server;
  }
  # PROXY TO COUNTERWALLETD FEED BACKEND (socket.io)
  location ^~ /_t_feed {
    #include /etc/nginx/sites/counterblock_socketio.inc;
    include /usr/local/etc/nginx/sites/counterblock_socketio.inc;
    #proxy_pass   http://dogeblockd_testnet:14101/socket.io;
    proxy_pass   http://127.0.0.1:14101/socket.io;
  }
  # PROXY TO COUNTERWALLETD CHAT BACKEND (socket.io)
  location ^~ /_t_chat {
    #include /etc/nginx/sites/counterblock_socketio.inc;
    include /usr/local/etc/nginx/sites/counterblock_socketio.inc;
    #proxy_pass   http://dogeblockd_testnet:14102/socket.io;
    proxy_pass   http://127.0.0.1:14102/socket.io;
  }
 }

 server {
  listen 80 default_server deferred;
  server_name _;
  rewrite ^ https://$host$request_uri permanent;
 }

 server {
  #DEV PORT (firewall on production systems)
  listen 81;
  server_name _;

  #for nginx newrelic agent
  location /nginx_stub_status {
    #stub_status on;
    access_log off;
    allow 127.0.0.0/8;
    deny all;
  }
 }

 server {
  #listen 443 default_server ssl deferred;
  listen 4127 default_server deferred;
  server_name _;

  ###############
  # SSL - For production use
  # ssl_certificate      /etc/ssl/certs/counterblockd.pem;
  # ssl_certificate      /etc/ssl/certs/wallet_dogeparty_io.crt-bundle;
  # ssl_certificate_key  /etc/ssl/private/dogeparty.key;

  # SSL - For development use
  #ssl_certificate      /etc/ssl/certs/ssl-cert-snakeoil.pem;
  #ssl_certificate_key  /etc/ssl/private/ssl-cert-snakeoil.key;

  # support FS, and BEAST protection - https://coderwall.com/p/ebl2qa
  server_tokens off;
  #ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  #ssl_prefer_server_ciphers on;
  #ssl_session_timeout 5m;
  # ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

  ###############

  access_log /var/log/nginx/counterblock.access.log;
  error_log /var/log/nginx/counterblock.error.log;
  #access_log logs/counterblock.access.log;
  #error_log logs/counterblock.error.log;

  # basic rate limiting
  limit_conn conn_limit_per_ip 15;
  limit_req zone=req_limit_per_ip burst=100 nodelay;

  # this has to be higher than we'd like otherwise, due to the create_support_case API call...
  client_max_body_size 1m;

  ###############
  # BASE SITE SERVING (STATIC FILES)

  # CACHING - For production use
  open_file_cache max=200000 inactive=20s;
  open_file_cache_valid 30s;
  open_file_cache_min_uses 2;
  open_file_cache_errors on;

  location /_asset_img/ {
    access_log off;
    expires 1h;
    alias /home/xcp/.config/counterblockd/asset_img/;
  }
  location /src  {
    #For dev/testing (uses unminified resources)
    open_file_cache off;
    expires off;
    alias /home/xcp/counterwallet/src/;
  }
  #location /servers.json  {
  #  alias /etc/nginx/servers-livenet.json;
  #}
  location /  {
    access_log off;
    expires 1h;
    #root /usr/local/nginx/html/wallet/;
    root /Users/simon/code/dogeparty/dogeparty-wallet/src/;

    #Enable this during single server system updates
    #root /home/xcp/counterpartyd_build/dist/linux/nginx/upgrade_root/;
  }
  #############

  #####
  # PRODUCTION
  # PROXY TO COUNTERWALLETD API REQUESTS (WSGI) - try to hit the cache in redis first
  location ^~ /_api
  {
    #reject everything except GET, POST and OPTIONS
    limit_except GET POST OPTIONS {
      deny all;
    }

    #include /etc/nginx/sites/counterblock_api_cache.inc;
    #set $redis_db "0";

    # Send to app server if Redis could not answer the request
    error_page 404 405 550 = @wsgi_api;
  }
  # PROXY TO COUNTERWALLETD API BACKEND (WSGI)
  location @wsgi_api {
    #include /etc/nginx/sites/counterblock_api.inc;
    include /usr/local/etc/nginx/sites/counterblock_api.inc;
    rewrite ^/_api/?$ /api/?  break;
    proxy_pass   http://counterblock_api_server;
  }
  # PROXY TO COUNTERWALLETD FEED BACKEND (socket.io)
  location ^~ /_feed {
    #include /etc/nginx/sites/counterblock_socketio.inc;
    include /usr/local/etc/nginx/sites/counterblock_socketio.inc;
    #proxy_pass   http://dogeblockd:4101/socket.io;
    proxy_pass   http://127.0.0.1:4101/socket.io;
  }
  # PROXY TO COUNTERWALLETD CHAT BACKEND (socket.io)
  location ^~ /_chat {
    #include /etc/nginx/sites/counterblock_socketio.inc;
    include /usr/local/etc/nginx/sites/counterblock_socketio.inc;
    #proxy_pass   http://dogeblockd:4102/socket.io;
    proxy_pass   http://127.0.0.1:4102/socket.io;
  }
 }
diff --git a/nginx.conf b/nginx.conf
 worker_processes auto;
 # pid /var/run/nginx.pid;
 pid /var/log/nginx.pid;

 events {
  # determines how much clients will be served per worker
  # max clients = worker_connections * worker_processes
  # max clients is also limited by the number of socket connections available on the system (~64k)
  worker_connections 1024;

  # optmized to serve many clients with each thread, essential for linux
  # use epoll; #linux 2.6+

  # accept as many connections as possible, may flood worker connections if set too low
  multi_accept on;

  # (hopefully) improve performance a bit more
  accept_mutex off;
 }

 http {
    # this is helpful due to our use of openresty
    variables_hash_bucket_size 128;
    variables_hash_max_size 1024;

    # don't give version in status string
    server_tokens off;

    # copies data between one FD and other from within the kernel
    # faster then read() + write()
    sendfile on;

    # send headers in one piece, its better then sending them one by one
    tcp_nopush on;

    # don't buffer data sent, good for small data bursts in real time
    tcp_nodelay on;

    # server will close an open connection after this time
    keepalive_timeout 50;

    # more timeouts to help against slowlaris DDOS, etc
    client_body_timeout 10;
    client_header_timeout 10;
    send_timeout 10;

    types_hash_max_size 2048;

    #include /etc/nginx/mime.types;
    include mime.types;
    default_type application/octet-stream;

    # Logging Settings
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    # Gzip Settings
    gzip on;
    gzip_http_version 1.1;
    gzip_vary on;
    gzip_comp_level 6;
    gzip_proxied any;
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";
    gzip_min_length 500;
    gzip_types text/plain text/css text/comma-separated-values
         application/json text/javascript application/javascript application/x-javascript
         text/xml application/xml application/xml+rss application/atom+xml;
    #^ text/html included by default

    # Rate limiting (basic DDOS protection)
    limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
    limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=15r/s;

    # Utilize HSTS (HTTP Strict Transport Security) to force all traffic to be over HTTPS
    # NOTE: DISABLED BY DEFAULT AS IT WONT WORK WITH SELF SIGNED CERTS. ENABLE IN PRODUCTION MODE.
    # add_header Strict-Transport-Security max-age=31536000;

    # config to don't allow the browser to render the page inside an frame or iframe
    # and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
    # if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
    # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
    add_header X-Frame-Options DENY;

    # when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
    # to disable content-type sniffing on some browsers.
    # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
    # currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
    # http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
    # 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
    add_header X-Content-Type-Options nosniff;

    # This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
    # It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
    # this particular website if it was disabled by the user.
    # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
    add_header X-XSS-Protection "1; mode=block";

    #used by adobe flash
    add_header X-Permitted-Cross-Domain-Policies "master-only";

    # Virtual Host Configs
    #include /etc/nginx/conf.d/*.conf;
    #include /etc/nginx/sites/*.conf;
    include /usr/local/etc/nginx/sites/*.conf;
 }
	worker_processes auto;
	# pid /var/run/nginx.pid;
	pid /var/log/nginx.pid;

	events {
	# determines how much clients will be served per worker
	# max clients = worker_connections * worker_processes
	# max clients is also limited by the number of socket connections available on the system (~64k)
	worker_connections 1024;

	# optmized to serve many clients with each thread, essential for linux
	# use epoll; #linux 2.6+

	# accept as many connections as possible, may flood worker connections if set too low
	multi_accept on;

	# (hopefully) improve performance a bit more
	accept_mutex off;
	}

	http {
	# this is helpful due to our use of openresty
	variables_hash_bucket_size 128;
	variables_hash_max_size 1024;

	# don't give version in status string
	server_tokens off;

	# copies data between one FD and other from within the kernel
	# faster then read() + write()
	sendfile on;

	# send headers in one piece, its better then sending them one by one
	tcp_nopush on;

	# don't buffer data sent, good for small data bursts in real time
	tcp_nodelay on;

	# server will close an open connection after this time
	keepalive_timeout 50;

	# more timeouts to help against slowlaris DDOS, etc
	client_body_timeout 10;
	client_header_timeout 10;
	send_timeout 10;

	types_hash_max_size 2048;

	#include /etc/nginx/mime.types;
	include mime.types;
	default_type application/octet-stream;

	# Logging Settings
	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	# Gzip Settings
	gzip on;
	gzip_http_version 1.1;
	gzip_vary on;
	gzip_comp_level 6;
	gzip_proxied any;
	gzip_disable "MSIE [1-6]\.(?!.*SV1)";
	gzip_min_length 500;
	gzip_types text/plain text/css text/comma-separated-values
	application/json text/javascript application/javascript application/x-javascript
	text/xml application/xml application/xml+rss application/atom+xml;
	#^ text/html included by default

	# Rate limiting (basic DDOS protection)
	limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
	limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=15r/s;

	# Utilize HSTS (HTTP Strict Transport Security) to force all traffic to be over HTTPS
	# NOTE: DISABLED BY DEFAULT AS IT WONT WORK WITH SELF SIGNED CERTS. ENABLE IN PRODUCTION MODE.
	# add_header Strict-Transport-Security max-age=31536000;

	# config to don't allow the browser to render the page inside an frame or iframe
	# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
	# if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
	# https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
	add_header X-Frame-Options DENY;

	# when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
	# to disable content-type sniffing on some browsers.
	# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
	# currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
	# http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
	# 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
	add_header X-Content-Type-Options nosniff;

	# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
	# It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
	# this particular website if it was disabled by the user.
	# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
	add_header X-XSS-Protection "1; mode=block";

	#used by adobe flash
	add_header X-Permitted-Cross-Domain-Policies "master-only";

	# Virtual Host Configs
	#include /etc/nginx/conf.d/*.conf;
	#include /etc/nginx/sites/*.conf;
	include /usr/local/etc/nginx/sites/*.conf;
	}

	Simon-2:nginx simon$ cat sites/counterblock.conf
	upstream cache_server {
	server 127.0.0.1:6379; #default port
	keepalive 128;
	}
	upstream counterblock_api_server {
	server 127.0.0.1:4100;
	keepalive 30;
	}
	upstream counterblock_t_api_server {
	#server dogeblockd_testnet:14100;
	server 127.0.0.1:14100;
	keepalive 30;
	}

	# with Content Security Policy (CSP) enabled(and a browser that supports it(http://caniuse.com/#feat=contentsecuritypolicy),
	# you can tell the browser that it can only download content from the domains you explicitly allow
	# http://www.html5rocks.com/en/tutorials/security/content-security-policy/
	# https://www.owasp.org/index.php/Content_Security_Policy
	# I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
	# directives for css and js(if you have inline css or js, you will need to keep it too).
	# more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
	add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://ssl.google-analytics.com https://query.yahooapis.com; img-src 'self' data: https://ssl.google-analytics.com; style-src 'self' 'unsafe-inline' fonts.googleapis.com; font-src 'self' themes.googleusercontent.com fonts.gstatic.com; frame-src 'none'; object-src 'self'; connect-src 'self' ws://testnet.wallet.dogeparty.io wss://$host https://api.rollbar.com;";


	server {
	listen 4126;
	server_name testnet.wallet.dogeparty.io;

	###############
	# BASE SITE SERVING (STATIC FILES)

	# CACHING - For production use
	open_file_cache max=200000 inactive=20s;
	open_file_cache_valid 30s;
	open_file_cache_min_uses 2;
	open_file_cache_errors on;

	location /_asset_img/ {
	access_log off;
	expires 1h;
	alias /home/xcp/.config/counterblockd/asset_img/;
	}
	location /_t_asset_img/ {
	access_log off;
	expires 1h;
	alias /home/xcp/.config/counterblockd-testnet/asset_img/;
	}
	location /src {
	#For dev/testing (uses unminified resources)
	open_file_cache off;
	expires off;
	alias /home/xcp/counterwallet/src/;
	}
	#location /servers.json {
	# #alias /etc/nginx/servers-testnet.json;
	# alias /Users/simon/code/dogeparty/etc/nginx/servers-testnet.json;
	#}
	location / {
	access_log off;
	expires 1h;
	root /Users/simon/code/dogeparty/dogeparty-wallet/src/;

	#Enable this during single server system updates
	#root /home/xcp/counterpartyd_build/dist/linux/nginx/upgrade_root/;
	}
	#############

	#####
	# TESTNET
	# PROXY TO COUNTERWALLETD API REQUESTS (WSGI) - try to hit the cache in redis first
	location ^~ /_t_api
	{
	#reject everything except GET, POST and OPTIONS
	limit_except GET POST OPTIONS {
	deny all;
	}

	#include /etc/nginx/sites/counterblock_api_cache.inc;
	#set $redis_db "1";

	# Send to app server if Redis could not answer the request
	error_page 404 405 550 = @t_wsgi_api;
	}
	# PROXY TO COUNTERWALLETD API BACKEND (WSGI)
	location @t_wsgi_api {
	#include /etc/nginx/sites/counterblock_api.inc;
	include /usr/local/etc/nginx/sites/counterblock_api.inc;
	rewrite ^/_t_api/?$ /api/? break;
	proxy_pass http://counterblock_t_api_server;
	}
	# PROXY TO COUNTERWALLETD FEED BACKEND (socket.io)
	location ^~ /_t_feed {
	#include /etc/nginx/sites/counterblock_socketio.inc;
	include /usr/local/etc/nginx/sites/counterblock_socketio.inc;
	#proxy_pass http://dogeblockd_testnet:14101/socket.io;
	proxy_pass http://127.0.0.1:14101/socket.io;
	}
	# PROXY TO COUNTERWALLETD CHAT BACKEND (socket.io)
	location ^~ /_t_chat {
	#include /etc/nginx/sites/counterblock_socketio.inc;
	include /usr/local/etc/nginx/sites/counterblock_socketio.inc;
	#proxy_pass http://dogeblockd_testnet:14102/socket.io;
	proxy_pass http://127.0.0.1:14102/socket.io;
	}
	}

	server {
	listen 80 default_server deferred;
	server_name _;
	rewrite ^ https://$host$request_uri permanent;
	}

	server {
	#DEV PORT (firewall on production systems)
	listen 81;
	server_name _;

	#for nginx newrelic agent
	location /nginx_stub_status {
	#stub_status on;
	access_log off;
	allow 127.0.0.0/8;
	deny all;
	}
	}

	server {
	#listen 443 default_server ssl deferred;
	listen 4127 default_server deferred;
	server_name _;

	###############
	# SSL - For production use
	# ssl_certificate /etc/ssl/certs/counterblockd.pem;
	# ssl_certificate /etc/ssl/certs/wallet_dogeparty_io.crt-bundle;
	# ssl_certificate_key /etc/ssl/private/dogeparty.key;

	# SSL - For development use
	#ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
	#ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

	# support FS, and BEAST protection - https://coderwall.com/p/ebl2qa
	server_tokens off;
	#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	#ssl_prefer_server_ciphers on;
	#ssl_session_timeout 5m;
	# ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

	###############

	access_log /var/log/nginx/counterblock.access.log;
	error_log /var/log/nginx/counterblock.error.log;
	#access_log logs/counterblock.access.log;
	#error_log logs/counterblock.error.log;

	# basic rate limiting
	limit_conn conn_limit_per_ip 15;
	limit_req zone=req_limit_per_ip burst=100 nodelay;

	# this has to be higher than we'd like otherwise, due to the create_support_case API call...
	client_max_body_size 1m;

	###############
	# BASE SITE SERVING (STATIC FILES)

	# CACHING - For production use
	open_file_cache max=200000 inactive=20s;
	open_file_cache_valid 30s;
	open_file_cache_min_uses 2;
	open_file_cache_errors on;

	location /_asset_img/ {
	access_log off;
	expires 1h;
	alias /home/xcp/.config/counterblockd/asset_img/;
	}
	location /src {
	#For dev/testing (uses unminified resources)
	open_file_cache off;
	expires off;
	alias /home/xcp/counterwallet/src/;
	}
	#location /servers.json {
	# alias /etc/nginx/servers-livenet.json;
	#}
	location / {
	access_log off;
	expires 1h;
	#root /usr/local/nginx/html/wallet/;
	root /Users/simon/code/dogeparty/dogeparty-wallet/src/;

	#Enable this during single server system updates
	#root /home/xcp/counterpartyd_build/dist/linux/nginx/upgrade_root/;
	}
	#############

	#####
	# PRODUCTION
	# PROXY TO COUNTERWALLETD API REQUESTS (WSGI) - try to hit the cache in redis first
	location ^~ /_api
	{
	#reject everything except GET, POST and OPTIONS
	limit_except GET POST OPTIONS {
	deny all;
	}

	#include /etc/nginx/sites/counterblock_api_cache.inc;
	#set $redis_db "0";

	# Send to app server if Redis could not answer the request
	error_page 404 405 550 = @wsgi_api;
	}
	# PROXY TO COUNTERWALLETD API BACKEND (WSGI)
	location @wsgi_api {
	#include /etc/nginx/sites/counterblock_api.inc;
	include /usr/local/etc/nginx/sites/counterblock_api.inc;
	rewrite ^/_api/?$ /api/? break;
	proxy_pass http://counterblock_api_server;
	}
	# PROXY TO COUNTERWALLETD FEED BACKEND (socket.io)
	location ^~ /_feed {
	#include /etc/nginx/sites/counterblock_socketio.inc;
	include /usr/local/etc/nginx/sites/counterblock_socketio.inc;
	#proxy_pass http://dogeblockd:4101/socket.io;
	proxy_pass http://127.0.0.1:4101/socket.io;
	}
	# PROXY TO COUNTERWALLETD CHAT BACKEND (socket.io)
	location ^~ /_chat {
	#include /etc/nginx/sites/counterblock_socketio.inc;
	include /usr/local/etc/nginx/sites/counterblock_socketio.inc;
	#proxy_pass http://dogeblockd:4102/socket.io;
	proxy_pass http://127.0.0.1:4102/socket.io;
	}
	}