-
-
Notifications
You must be signed in to change notification settings - Fork 6
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
82 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,82 @@ | ||
# définition d'une liste d'upstream (priorité au début) | ||
log_format combined_upstream '$remote_addr - $remote_user [$time_local] ' | ||
'"$request" $status $body_bytes_sent ' | ||
'"$http_referer" "$http_user_agent" c=$upstream_cache_status u=$upstream_addr t=$request_time'; | ||
|
||
upstream openfoodfacts { | ||
server 10.0.0.3:443 weight=100; | ||
server off1.openfoodfacts.org:443; | ||
|
||
keepalive 16; | ||
} | ||
|
||
proxy_cache_path | ||
/dev/shm/off-static | ||
keys_zone=off-static:10m | ||
levels=1:2 | ||
inactive=24h | ||
max_size=4G; | ||
|
||
# https://static.openfoodfacts.org | ||
server { | ||
listen 443 ssl http2; | ||
listen [::]:443 ssl http2; | ||
server_name static.openfoodfacts.org images.openfoodfacts.org; | ||
|
||
access_log /rpool/logs-nginx/static-access.log combined_upstream buffer=256K flush=1s; | ||
|
||
ssl_certificate /etc/letsencrypt/live/images.openfoodfacts.org/fullchain.pem; # managed by Certbot | ||
ssl_certificate_key /etc/letsencrypt/live/images.openfoodfacts.org/privkey.pem; # managed by Certbot | ||
ssl_trusted_certificate /etc/nginx/acme.sh/live/openfoodfacts.org/ca.pem; | ||
|
||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; | ||
ssl_prefer_server_ciphers on; | ||
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; | ||
ssl_ecdh_curve secp384r1; | ||
#ssl_session_cache shared:SSL:10m; | ||
ssl_session_tickets off; | ||
ssl_stapling on; | ||
ssl_stapling_verify on; | ||
resolver 9.9.9.9 8.8.8.8 valid=300s; | ||
resolver_timeout 5s; | ||
|
||
root /rpool/off/ ; | ||
|
||
|
||
if ($http_referer ~* (jobothoniel.com) ) { | ||
return 403; | ||
} | ||
|
||
location / { | ||
# test en local, puis sur off1 | ||
try_files $uri @off1; | ||
sendfile on; | ||
sendfile_max_chunk 1m; | ||
tcp_nopush on; | ||
|
||
add_header Link "<http://creativecommons.org/licenses/by-sa/3.0/>; rel='license'; title='CC-BY-SA 3.0'"; | ||
add_header Access-Control-Allow-Origin *; | ||
add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS'; | ||
add_header Access-Control-Allow-Headers 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,If-None-Match'; | ||
add_header Access-Control-Expose-Headers 'Content-Length,Content-Range'; | ||
} | ||
|
||
location @off1 { | ||
proxy_pass https://off1.openfoodfacts.org; | ||
# proxy_next_upstream error http_404; | ||
proxy_http_version 1.1; | ||
proxy_set_header Connection ""; | ||
|
||
proxy_cache off-static; | ||
proxy_cache_valid 200 1d; | ||
proxy_cache_key $request_uri; | ||
add_header X-Cache-Status $upstream_cache_status; | ||
add_header X-From $upstream_addr; | ||
|
||
proxy_set_header Host cache.openfoodfacts.org; | ||
|
||
# évite un double accès disque pour le cache | ||
proxy_temp_path off; | ||
} | ||
|
||
} |