forked from specify/web-asset-server
-
Notifications
You must be signed in to change notification settings - Fork 0
/
nginx.conf
179 lines (157 loc) · 5.59 KB
/
nginx.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
user nginx;
worker_processes 1;
error_log /dev/stderr;
pid /run/nginx.pid;
events {
worker_connections 1024;
}
http {
log_format main escape=json '{'
'"time_local":"$time_local",'
'"remote_addr":"$remote_addr",'
'"remote_user":"$remote_user",'
'"request_id":"$request_id",'
'"request":"$request",'
'"status": "$status",'
'"body_bytes_sent":"$body_bytes_sent",'
'"request_time":"$request_time",'
'"upstream_response_time":"$upstream_response_time",'
'"upstream_connect_time":"$request_time",'
'"upstream_header_time":"$upstream_header_time",'
'"http_referer":"$http_referer",'
'"http_user_agent":"$http_user_agent",'
'"upstream_addr":"$upstream_addr",'
'"upstream_status":"$upstream_status",'
'"http_x_forwarded_for":"$http_x_forwarded_for"'
'}';
access_log /dev/stdout main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 600s;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
resolver 127.0.0.11 ipv6=off valid=30s;
resolver_timeout 1s;
gzip on;
gzip_proxied off;
gzip_disable "msie6";
gzip_vary on;
gzip_comp_level 6;
gzip_min_length 256;
gzip_types
application/atom+xml
application/geo+json
application/javascript
application/x-javascript
application/json
application/ld+json
application/manifest+json
application/rdf+xml
application/rss+xml
application/xhtml+xml
application/xml
font/eot
font/otf
font/ttf
image/svg+xml
text/css
text/javascript
text/plain
text/xml;
client_max_body_size 1000g;
client_body_buffer_size 16k;
proxy_read_timeout 600s;
proxy_connect_timeout 60s;
proxy_send_timeout 600s;
send_timeout 600s;
uwsgi_read_timeout 600s;
uwsgi_connect_timeout 600s;
uwsgi_send_timeout 600s;
# bot blocks
map $http_user_agent $is_bot {
default 0;
"~*(CCBot|Googlebot-Images|Sogou|SenutoBot|SiteScoreBot|Twitterbot|YisouSpider|IABot|Turnitin|
CFNetwork/.* Darwin|ClaudeBot|SemrushBot|Googlebot|Bingbot|Slurp|DuckDuckBot|Baiduspider|YandexBot|Sogou|Exabot|
facebot|facebookexternalhit|Bytespider|AppleBot|Swiftbot|Slurp Bot|CCBot|GoogleOther|Google-InspectionTool|
MJ12bot|Alexa crawler|Soso Spider|Pinterestbot|Dotbot|AhrefsBot|archive.org_bot|scrapy|PetalBot|
SemrushBot|Amazonbot|DataForSeoBot|crawl-66-249-66-200.googlebot.com|rdap.arin.net|meta-externalagent)" 1;
}
# Define variables for IP blocking
map $remote_addr $is_blocked_ip {
default 0;
47.76.0.0/16 1;
66.249.66.200 1;
52.224.0.0/11 1; #rdap arin bot
}
# Map directive to create exceptions for certain IP ranges
geo $limited {
default 1;
10.0.0.0/8 0; # 24-bit block
172.16.0.0/12 0; # 20-bit block
192.168.0.0/16 0; # 16-bit block
130.225.43.0/24 0; # gbif servers
206.207.50.146 0; # CCH2 server
}
# Map directive for CORS origins
map $http_referer $cors_header {
default "";
"https://www.cch2.org/" "https://www.cch2.org/";
"https://bryophyteportal.org/" "https://bryophyteportal.org/";
"https://lichenportal.org/" "https://lichenportal.org/";
"https://library.big-bee.net/" "https://library.big-bee.net/";
}
map "$cors_header:$limited" $final_limit {
":1" $binary_remote_addr;
":0" "";
default "";
}
# rate limit zone:
limit_req_zone $final_limit zone=image_zone:10m rate=6r/m;
# HTTP server block (port 80)
server {
listen 80 default_server;
server_name _;
return 301 https://$host$request_uri; # Redirect HTTP to HTTPS
}
server {
listen 443 ssl;
server_name _;
uwsgi_buffer_size 128k;
uwsgi_buffers 4 256k;
uwsgi_busy_buffers_size 256k;
ssl_certificate /etc/ssl/certs/wildcard_calacademy_org.pem;
ssl_certificate_key /etc/ssl/private/wildcard_calacademy_org.key;
# setting blocking
if ($is_bot) {
set $block_request 1;
}
if ($is_blocked_ip) {
set $block_request 1;
}
location / {
# Add CORS headers dynamically based on the Origin
add_header 'Access-Control-Allow-Origin' $cors_header always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, Accept' always;
if ($block_request) {
return 403;
}
if ($request_method = OPTIONS) {
return 204;
}
limit_req zone=image_zone burst=2 nodelay;
try_files $uri @image-server;
}
location @image-server {
uwsgi_pass image-server:29000;
include /etc/nginx/uwsgi_params;
uwsgi_param Host $host;
uwsgi_param X-Real-IP $remote_addr;
uwsgi_param X-Forwarded-For $proxy_add_x_forwarded_for;
uwsgi_param X-Forwarded-Proto $http_x_forwarded_proto;
uwsgi_param X-Request-Id $request_id;
}
}
}