mirror of
https://github.com/philomena-dev/philomena.git
synced 2024-12-05 00:57:59 +01:00
144 lines
3.6 KiB
Nginx Configuration File
144 lines
3.6 KiB
Nginx Configuration File
upstream philomena {
|
|
server app:4000 fail_timeout=0;
|
|
}
|
|
|
|
map $uri $custom_content_type {
|
|
default "text/html";
|
|
~(.*\.png)$ "image/png";
|
|
~(.*\.jpe?g)$ "image/jpeg";
|
|
~(.*\.gif)$ "image/gif";
|
|
~(.*\.svg)$ "image/svg+xml";
|
|
~(.*\.mp4)$ "video/mp4";
|
|
~(.*\.webm)$ "video/webm";
|
|
}
|
|
|
|
lua_package_path '/etc/nginx/lua/?.lua;;';
|
|
resolver 1.1.1.1 ipv6=off;
|
|
|
|
init_by_lua_block {
|
|
aws_sig = require('aws-signature')
|
|
|
|
function clear_request()
|
|
-- Get rid of any client state that could cause
|
|
-- issues for the proxied request
|
|
for h, _ in pairs(ngx.req.get_headers()) do
|
|
if string.lower(h) ~= 'range' then
|
|
ngx.req.clear_header(h)
|
|
end
|
|
end
|
|
|
|
ngx.req.set_uri_args({})
|
|
ngx.req.discard_body()
|
|
end
|
|
|
|
function sign_aws_request()
|
|
-- The API token used should not allow writing, but
|
|
-- sanitize this anyway to stop an upstream error
|
|
if ngx.req.get_method() ~= 'GET' then
|
|
ngx.status = ngx.HTTP_UNAUTHORIZED
|
|
ngx.say('Unauthorized')
|
|
return ngx.exit(ngx.HTTP_UNAUTHORIZED)
|
|
end
|
|
|
|
clear_request()
|
|
aws_sig.s3_set_headers("$S3_HOST", ngx.var.uri)
|
|
end
|
|
}
|
|
|
|
proxy_cache_path /var/www/cache levels=1:2 keys_zone=s3-cache:8m max_size=1000m inactive=600m;
|
|
|
|
server {
|
|
listen 80 default;
|
|
listen [::]:80;
|
|
|
|
root $APP_DIR/priv/static;
|
|
|
|
client_max_body_size 125000000;
|
|
client_body_buffer_size 128k;
|
|
|
|
location ~ ^/$S3_BUCKET {
|
|
internal;
|
|
|
|
access_by_lua "sign_aws_request()";
|
|
proxy_pass "$S3_SCHEME://$S3_HOST:$S3_PORT";
|
|
proxy_cache s3-cache;
|
|
proxy_cache_valid 1h;
|
|
proxy_hide_header Content-Type;
|
|
proxy_ssl_server_name on;
|
|
|
|
expires max;
|
|
add_header Cache-Control public;
|
|
add_header Content-Type $custom_content_type;
|
|
}
|
|
|
|
location ~ ^/img/download/(.+)/([0-9]+).*\.([A-Za-z0-9]+)$ {
|
|
rewrite ^/img/download/(.+)/([0-9]+).*\.([A-Za-z0-9]+)$ "/$S3_BUCKET/images/$1/$2/full.$3" break;
|
|
|
|
access_by_lua "sign_aws_request()";
|
|
proxy_pass "$S3_SCHEME://$S3_HOST:$S3_PORT";
|
|
proxy_cache s3-cache;
|
|
proxy_cache_valid 1h;
|
|
proxy_hide_header Content-Type;
|
|
proxy_ssl_server_name on;
|
|
|
|
expires max;
|
|
add_header Cache-Control public;
|
|
add_header Content-Type $custom_content_type;
|
|
add_header Content-Disposition "attachment";
|
|
}
|
|
|
|
location ~ ^/img/view/(.+)/([0-9]+).*\.([A-Za-z0-9]+)$ {
|
|
rewrite ^/img/view/(.+)/([0-9]+).*\.([A-Za-z0-9]+)$ "/$S3_BUCKET/images/$1/$2/full.$3" last;
|
|
}
|
|
|
|
location ~ ^/img/(.+)$ {
|
|
rewrite ^/img/(.+)$ "/$S3_BUCKET/images/$1" last;
|
|
}
|
|
|
|
location ~ ^/spns/(.+) {
|
|
rewrite ^/spns/(.+)$ "/$S3_BUCKET/adverts/$1" last;
|
|
}
|
|
|
|
location ~ ^/avatars/(.+) {
|
|
rewrite ^/avatars/(.+)$ "/$S3_BUCKET/avatars/$1" last;
|
|
}
|
|
|
|
# The following two location blocks use an -img suffix to avoid
|
|
# conflicting with the application routes. In production, this
|
|
# is not necessary since assets will be on a distinct domain.
|
|
|
|
location ~ ^/badge-img/(.+) {
|
|
rewrite ^/badge-img/(.+)$ "/$S3_BUCKET/badges/$1" last;
|
|
}
|
|
|
|
location ~ ^/tag-img/(.+) {
|
|
rewrite ^/tag-img/(.+)$ "/$S3_BUCKET/tags/$1" last;
|
|
}
|
|
|
|
location / {
|
|
try_files $uri @proxy;
|
|
}
|
|
|
|
location @proxy {
|
|
proxy_pass http://philomena;
|
|
proxy_redirect off;
|
|
|
|
proxy_set_header Host $host:$server_port;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
proxy_connect_timeout 90;
|
|
proxy_send_timeout 90;
|
|
proxy_read_timeout 90;
|
|
|
|
proxy_buffer_size 4k;
|
|
proxy_buffers 4 32k;
|
|
proxy_busy_buffers_size 64k;
|
|
proxy_temp_file_write_size 64k;
|
|
|
|
# Configuration for Phoenix WS
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
}
|
|
}
|