Mirror
/
tildes
mirror of https://gitlab.com/tildes/tildes.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
983 Commits
1 Branch
0 Tags
3.3 MiB
Tree: ff5a3d82cb
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'ff5a3d82cb'
${ noResults }
tildes/ansible/roles/nginx/templates/nginx.conf.jinja2

92 lines
2.4 KiB
Raw Normal View History

Initial open-source release
6 years ago
Switch to Debian 10 and Ansible This changes the site to run on Debian 10 instead of Ubuntu 16.04. It also fully converts the previous Salt setup to use Ansible instead. Most of this was a relatively straightforward conversion, and it should be very close to equivalent. One notable difference is that I removed the setup for the "monitoring" server, since I wasn't confident that the way of setting up self-hosted Sentry and Grafana was working any more. I'll look to re-add that at some point, but it's not urgent.
3 years ago
Initial open-source release
6 years ago
Switch to Debian 10 and Ansible This changes the site to run on Debian 10 instead of Ubuntu 16.04. It also fully converts the previous Salt setup to use Ansible instead. Most of this was a relatively straightforward conversion, and it should be very close to equivalent. One notable difference is that I removed the setup for the "monitoring" server, since I wasn't confident that the way of setting up self-hosted Sentry and Grafana was working any more. I'll look to re-add that at some point, but it's not urgent.
3 years ago
Initial open-source release
6 years ago
Switch to Debian 10 and Ansible This changes the site to run on Debian 10 instead of Ubuntu 16.04. It also fully converts the previous Salt setup to use Ansible instead. Most of this was a relatively straightforward conversion, and it should be very close to equivalent. One notable difference is that I removed the setup for the "monitoring" server, since I wasn't confident that the way of setting up self-hosted Sentry and Grafana was working any more. I'll look to re-add that at some point, but it's not urgent.
3 years ago
Initial open-source release
6 years ago
nginx: add rate-limit for requests to Pyramid This won't affect requests for static files or anything except ones that get proxied to the app. The current configuration is based on IP, and allows a rate of 4/sec, with an additional burst of 5 above the limit permitted, and burst requests allowed to go through immediately (nodelay). For more info: https://www.nginx.com/blog/rate-limiting-nginx/
6 years ago
Initial open-source release
6 years ago
Switch to Debian 10 and Ansible This changes the site to run on Debian 10 instead of Ubuntu 16.04. It also fully converts the previous Salt setup to use Ansible instead. Most of this was a relatively straightforward conversion, and it should be very close to equivalent. One notable difference is that I removed the setup for the "monitoring" server, since I wasn't confident that the way of setting up self-hosted Sentry and Grafana was working any more. I'll look to re-add that at some point, but it's not urgent.
3 years ago
Initial open-source release
6 years ago
  1. user nginx;
  2. worker_processes {{ nginx_worker_processes }};
  4. error_log /var/log/nginx/error.log warn;
  5. pid /var/run/nginx.pid;
  8. events {
  9. worker_connections 1024;
  10. }
  13. http {
  14. include /etc/nginx/mime.types;
  15. default_type application/octet-stream;
  17. server_tokens off;
  19. log_format main '$remote_addr - $remote_user [$time_local] "$request" '
  20. '$status $body_bytes_sent "$http_referer" '
  21. '"$http_user_agent" "$http_x_forwarded_for"';
  23. access_log /var/log/nginx/access.log main;
  25. {% if nginx_enable_sendfile %}
  26. sendfile on;
  27. {% else %}
  28. sendfile off;
  29. {% endif %}
  31. # define a rate-limiting zone to use, and return HTTP 429 if exceeded
  32. limit_req_zone $binary_remote_addr zone=tildes_app:10m rate=4r/s;
  33. limit_req_status 429;
  35. keepalive_timeout 65;
  37. # redirect non-https accesses to the https version
  38. server {
  39. listen 80 default_server;
  40. listen [::]:80 default_server;
  41. server_name _;
  43. return 301 https://$host$request_uri;
  44. }
  46. gzip on;
  47. gzip_min_length 1000;
  48. gzip_comp_level 6;
  49. gzip_vary on;
  50. gzip_proxied any;
  52. # type list from https://github.com/h5bp/server-configs-nginx
  53. gzip_types
  54. application/atom+xml
  55. application/javascript
  56. application/json
  57. application/ld+json
  58. application/manifest+json
  59. application/rss+xml
  60. application/vnd.geo+json
  61. application/vnd.ms-fontobject
  62. application/x-font-ttf
  63. application/x-web-app-manifest+json
  64. application/xhtml+xml
  65. application/xml
  66. font/opentype
  67. image/bmp
  68. image/svg+xml
  69. image/x-icon
  70. text/cache-manifest
  71. text/css
  72. text/plain
  73. text/vcard
  74. text/vnd.rim.location.xloc
  75. text/vtt
  76. text/x-component
  77. text/x-cross-domain-policy;
  79. ssl_certificate {{ ssl_cert_path }};
  80. ssl_certificate_key {{ ssl_private_key_path }};
  81. ssl_session_timeout 1d;
  82. ssl_session_cache shared:SSL:50m;
  83. ssl_session_tickets off;
  85. # "modern" configuration from Mozilla guidelines
  86. ssl_protocols TLSv1.2;
  87. ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
  88. ssl_prefer_server_ciphers on;
  90. include /etc/nginx/sites-enabled/*.conf;
  91. }