layerindex-web/docker/nginx-ssl.conf

#daemon off; ##Included in CMD
error_log /dev/stdout info;
worker_processes 1;

# user nobody nogroup;
pid /tmp/nginx.pid;

events {
    worker_connections 1024;
    accept_mutex off;
}

http {
    include mime.types;
    default_type application/octet-stream;
    access_log /dev/stdout combined;
    sendfile on;
    client_max_body_size 16m;
    large_client_header_buffers 4 2k;

    limit_req_zone $binary_remote_addr zone=login_ip:10m rate=30r/m;
    limit_conn_zone $binary_remote_addr zone=conn_per_ip:10m;
    limit_conn conn_per_ip 100;

    upstream app_server {
        # For a TCP configuration:
        server layersapp:5000 fail_timeout=0;
    }

    server {
        listen 80 default;
        server_name _;

        keepalive_timeout 5;

        # path for static files
        root /usr/share/nginx/html;

        return 301 https://layers.openembedded.org$request_uri;
    }

    server {
        listen 80;
        server_name layers.openembedded.org;

        keepalive_timeout 5;

        # path for static files
        root /usr/share/nginx/html;

        location /.well-known/acme-challenge/ {
            root /var/www/certbot;
        }

        location /favicon.ico {
            return 301 http://layers.openembedded.org/static/img/favicon.ico;
        }

        location /admin {
            return 301 https://layers.openembedded.org$request_uri;
        }

        location /accounts/login {
            return 301 https://layers.openembedded.org$request_uri;
        }

        location / {
            try_files $uri @proxy_to_app;
        }

        location @proxy_to_app {
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_redirect off;

            proxy_pass   http://app_server;
        }

    }

    server {
        listen              443 ssl default;
        server_name _;
        ssl_certificate     /etc/letsencrypt/live/layers.openembedded.org/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/layers.openembedded.org/privkey.pem;
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers         HIGH:!aNULL:!MD5;

        keepalive_timeout 5;

        # path for static files
        root /usr/share/nginx/html;

        return 301 https://layers.openembedded.org$request_uri;
    }

    server {
        listen              443 ssl;
        server_name         layers.openembedded.org;
        ssl_certificate     /etc/letsencrypt/live/layers.openembedded.org/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/layers.openembedded.org/privkey.pem;
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers         HIGH:!aNULL:!MD5;

        keepalive_timeout 20;

        # path for static files
        root /usr/share/nginx/html;

        location /favicon.ico {
            return 301 https://layers.openembedded.org/static/img/favicon.ico;
        }

        location / {
            try_files $uri @proxy_to_app;
        }

        location /accounts/login {
            limit_req zone=login_ip burst=5;
            try_files $uri @proxy_to_app;
        }

        location @proxy_to_app {
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_redirect off;

            proxy_pass   http://app_server;
        }
    }
}