#daemon off; ##Included in CMD error_log /dev/stdout info; worker_processes 1; # user nobody nogroup; pid /tmp/nginx.pid; events { worker_connections 1024; accept_mutex off; } http { include mime.types; default_type application/octet-stream; access_log /dev/stdout combined; sendfile on; client_max_body_size 16m; large_client_header_buffers 4 2k; limit_req_zone $binary_remote_addr zone=login_ip:10m rate=30r/m; limit_conn_zone $binary_remote_addr zone=conn_per_ip:10m; limit_conn conn_per_ip 100; upstream app_server { # For a TCP configuration: server layersapp:5000 fail_timeout=0; } server { listen 80 default; server_name _; keepalive_timeout 5; # path for static files root /usr/share/nginx/html; return 301 https://layers.openembedded.org$request_uri; } server { listen 80; server_name layers.openembedded.org; keepalive_timeout 5; # path for static files root /usr/share/nginx/html; location /.well-known/acme-challenge/ { root /var/www/certbot; } location /favicon.ico { return 301 http://layers.openembedded.org/static/img/favicon.ico; } location /admin { return 301 https://layers.openembedded.org$request_uri; } location /accounts/login { return 301 https://layers.openembedded.org$request_uri; } location / { try_files $uri @proxy_to_app; } location @proxy_to_app { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; proxy_redirect off; proxy_pass http://app_server; } } server { listen 443 ssl default; server_name _; ssl_certificate /etc/letsencrypt/live/layers.openembedded.org/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/layers.openembedded.org/privkey.pem; ssl_protocols TLSv1.2; ssl_prefer_server_ciphers on; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-CCM:AES128-CCM:AES128-SHA256:AES256-CCM:AES256-SHA256:DHE-RSA-AES128-CCM:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-CCM:DHE-RSA-AES256-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA256:!aNULL:!eNULL; ssl_ecdh_curve prime256v1; ssl_session_cache shared:SSL:12m; ssl_session_timeout 12m; gzip off; keepalive_timeout 5; # path for static files root /usr/share/nginx/html; return 301 https://layers.openembedded.org$request_uri; } server { listen 443 ssl; server_name layers.openembedded.org; ssl_certificate /etc/letsencrypt/live/layers.openembedded.org/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/layers.openembedded.org/privkey.pem; ssl_protocols TLSv1.2; ssl_prefer_server_ciphers on; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-CCM:AES128-CCM:AES128-SHA256:AES256-CCM:AES256-SHA256:DHE-RSA-AES128-CCM:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-CCM:DHE-RSA-AES256-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA256:!aNULL:!eNULL; ssl_ecdh_curve prime256v1; ssl_session_cache shared:SSL:12m; ssl_session_timeout 12m; gzip off; keepalive_timeout 20; # path for static files root /usr/share/nginx/html; location /favicon.ico { return 301 https://layers.openembedded.org/static/img/favicon.ico; } location / { try_files $uri @proxy_to_app; } location /accounts/login { limit_req zone=login_ip burst=5; try_files $uri @proxy_to_app; } location @proxy_to_app { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; proxy_redirect off; proxy_pass http://app_server; } } }