# Worker processes drop to the unprivileged "nginx" account; the master still starts as
# root so it can bind 80/443 and read the private keys.
user nginx;
# One worker is plenty for a single-API proxy; use "auto" to scale with cores.
worker_processes 1;
events {
    worker_connections 1024;
}
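http {
    sendfile on;
    # make location and rewrite case insensitive: https://serverfault.com/questions/498855/nginx-case-insensitive-rewrite
    # host api at /shop while it thinks it is at /; add a rewrite rule: https://raymii.org/s/tutorials/NGINX_proxy_folder_to_different_root.html
    #
    # The location regex is anchored and requires "/shop" to be followed by "/" or the end
    # of the path. The original unanchored "~* /shop" matched any URI that merely *contained*
    # /shop (e.g. /api/shop/x or /shopping) and sent it to the API untouched. The rewrite
    # strips the prefix for both "/shop" and "/shop/..." (the original did not match a bare
    # "/shop", which then reached the backend as "/shop").

    # Plain-HTTP listener. It proxies the API in cleartext, which is only acceptable for
    # local development (the certificate below is the ASP.NET Core dev cert). Anywhere else,
    # replace the location body with "return 301 https://$host$request_uri;".
    server {
        listen 80;
        location ~* ^/shop(/|$) {
            rewrite (?i)^/shop/?(.*)$ /$1 break;
            proxy_pass http://api:5000;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # No server_name is configured, so $server_name is empty; the request's Host
            # is what the backend needs to build absolute URLs.
            proxy_set_header X-Forwarded-Host $host;
            # Lets the backend tell HTTP from HTTPS (redirect scheme, Secure cookies, HSTS).
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
    server {
        listen 443 ssl http2;
        # ASP.NET Core development certificate; replace with a CA-issued one outside dev.
        ssl_certificate /etc/nginx/.aspnet/https/API.Shop.crt;
        ssl_certificate_key /etc/nginx/.aspnet/https/API.Shop.rsa;
        location ~* ^/shop(/|$) {
            rewrite (?i)^/shop/?(.*)$ /$1 break;
            proxy_pass http://api:5000;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # See the port-80 server: $server_name would be empty here.
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}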
# Dell iDRAC web interface on the management network. It is reached over HTTPS, and nginx
# does not verify upstream certificates unless proxy_ssl_verify is enabled in the vhost.
upstream dell-idrac {
    server 10.20.30.40:443;
}
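server {
    #idrac webgui: https://dan.langille.org/2021/07/17/accessing-a-dell-idrac-7-via-nginx-reverse-proxy/
    listen 443 http2 ssl;
    server_name dell.joeplaa.com;
    # NOTE(review): this publishes a BMC (out-of-band access to the hardware) on a public
    # name with no allow/deny list, unlike the proxmox vhost in this file. Restrict it to
    # trusted addresses or keep it behind a VPN; BMC firmware is seldom patched.
    location / {
        proxy_pass https://dell-idrac;
        # nginx does not verify the upstream TLS certificate by default, so a MITM between
        # this proxy and the iDRAC could capture the login; turn on proxy_ssl_verify with
        # proxy_ssl_trusted_certificate once the iDRAC carries a trusted certificate.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect off;
        proxy_buffering off;
        # WebSocket (virtual console) needs HTTP/1.1 and a Connection header that is
        # "upgrade" only for upgrade requests. The original set Connection twice
        # ("upgrade", then "keep-alive"), which is contradictory; $connection_upgrade is the
        # map the other vhosts in this file already rely on (defined in the http context).
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_pass_request_headers on; # nginx default, kept for clarity
        proxy_store off;               # nginx default, kept for clarity
    }
    # idrac peculiarities: https://www.reddit.com/r/homelab/comments/a0963b/anyone_reverse_proxy_idrac/
    # The thread's workaround forces these scripts to application/javascript. add_header
    # does NOT replace a header received from the upstream - it appends a second
    # Content-Type - so the upstream value must be hidden first. One regex location
    # replaces four identical prefix locations; proxy_pass without a URI part forwards the
    # request path unchanged, and (as before) no Host header is set for these requests.
    location ~ ^/(userpriv|functions|sysSummary|sensors)\.jsesp$ {
        proxy_pass https://dell-idrac;
        proxy_hide_header Content-Type;
        add_header Content-Type application/javascript;
        # A year of "public" caching for responses that may be user-specific (userpriv is
        # the caller's privilege set). With end-to-end TLS no shared cache sees them, but
        # use "private" if more than one person uses this proxy.
        expires 1y;
        add_header Cache-Control "public";
    }
    # logs
    access_log /var/log/nginx/dell-joeplaa-com_access.log;
    error_log /var/log/nginx/dell-joeplaa-com_error.log;
    # ssl - the key sits under a user's home directory; keep it root-owned and 0600,
    # nginx reads it as root at startup.
    ssl_certificate /home/joeplaa/cert/joeplaa.com.fullchain;
    ssl_certificate_key /home/joeplaa/cert/joeplaa.com.all.pem;
}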
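server {
    #idrac vnc: https://dan.langille.org/2021/07/17/accessing-a-dell-idrac-7-via-nginx-reverse-proxy/
    # NOTE(review): this is an *HTTP* server block, so it only works if the iDRAC speaks
    # HTTPS/WebSocket on 5900 as the linked article assumes. A raw RFB/VNC stream cannot be
    # proxied by the http module; that would need a stream {} block.
    listen 5900 http2 ssl;
    server_name dell.joeplaa.com;
    location / {
        # Same host as upstream dell-idrac, console port; upstream TLS is not verified.
        proxy_pass https://10.20.30.40:5900;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect off;
        proxy_buffering off;
        # Upgrade handling: the original set Connection to "upgrade" and then to
        # "keep-alive"; use the $connection_upgrade map the other vhosts use.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_pass_request_headers on; # nginx default, kept for clarity
        proxy_store off;               # nginx default, kept for clarity
    }
    # logs (shared with the 443 vhost)
    access_log /var/log/nginx/dell-joeplaa-com_access.log;
    error_log /var/log/nginx/dell-joeplaa-com_error.log;
    # ssl
    ssl_certificate /home/joeplaa/cert/joeplaa.com.fullchain;
    ssl_certificate_key /home/joeplaa/cert/joeplaa.com.all.pem;
}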
# Plain-HTTP listener: redirect this name to HTTPS, answer 404 to anything else.
server {
    if ($host = dell.joeplaa.com) {
        return 301 https://$host$request_uri;
    }
    server_name dell.joeplaa.com;
    listen 80;
    return 404;
}
# Switch management UI, plain HTTP: credentials cross the LAN in cleartext between this
# proxy and the switch, so that path should be a dedicated management VLAN.
upstream switch {
    server 10.20.30.1:80;
}
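# TLS edge for the switch's HTTP-only management UI.
server {
    listen 443 http2 ssl;
    server_name switch.joeplaa.com;
    proxy_redirect off;
    # NOTE(review): network-gear management exposed on a public name with no allow/deny
    # list; consider restricting it to trusted addresses as the proxmox vhost does.
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Tell the backend the client arrived over HTTPS so its redirects and cookies do
        # not downgrade to http:// (the other TLS-terminating vhosts here set this too).
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://switch;
    }
    # logs
    access_log /var/log/nginx/switch-joeplaa-com_access.log;
    error_log /var/log/nginx/switch-joeplaa-com_error.log;
    # ssl
    ssl_certificate /home/joeplaa/cert/joeplaa.com.fullchain;
    ssl_certificate_key /home/joeplaa/cert/joeplaa.com.all.pem;
}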
# Plain-HTTP listener: redirect this name to HTTPS, answer 404 to anything else.
server {
    if ($host = switch.joeplaa.com) {
        return 301 https://$host$request_uri;
    }
    server_name switch.joeplaa.com;
    listen 80;
    return 404;
}
# HP iLO web interface (HTTPS, upstream certificate not verified by nginx).
# NOTE(review): this is the same address:port as upstream dell-idrac (10.20.30.40:443);
# presumably a copy-paste placeholder - verify before use.
upstream hp-ilo {
    server 10.20.30.40:443;
}
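# TLS front for the HP iLO BMC.
server {
    listen 443 http2 ssl;
    server_name hp.joeplaa.com;
    proxy_redirect off;
    # NOTE(review): a BMC on a public name with no allow/deny list; restrict it to trusted
    # addresses as the proxmox vhost does, or keep it VPN-only.
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Consistent with the other TLS-terminating vhosts in this file.
        proxy_set_header X-Forwarded-Proto $scheme;
        # Upstream TLS is not verified by default (proxy_ssl_verify off); enable it once
        # the iLO has a trusted certificate.
        proxy_pass https://hp-ilo;
    }
    # logs
    access_log /var/log/nginx/hp-joeplaa-com_access.log;
    error_log /var/log/nginx/hp-joeplaa-com_error.log;
    # ssl
    ssl_certificate /home/joeplaa/cert/joeplaa.com.fullchain;
    ssl_certificate_key /home/joeplaa/cert/joeplaa.com.all.pem;
}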
# Plain-HTTP listener: redirect this name to HTTPS, answer 404 to anything else.
server {
    if ($host = hp.joeplaa.com) {
        return 301 https://$host$request_uri;
    }
    server_name hp.joeplaa.com;
    listen 80;
    return 404;
}
# pfSense webConfigurator on a non-default HTTPS port.
# NOTE(review): same host address as upstream switch (10.20.30.1) - plausible if the
# firewall is the gateway of that segment, but verify.
upstream pfsense {
    server 10.20.30.1:45454;
}
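# TLS front for the pfSense web UI.
server {
    listen 443 http2 ssl;
    server_name pfsense.joeplaa.com;
    proxy_redirect off;
    # NOTE(review): the firewall's admin UI is reachable from the internet with no
    # allow/deny list; restrict it as the proxmox vhost does.
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # WebSocket support: the Upgrade/Connection headers only work over HTTP/1.1, and
        # nginx talks HTTP/1.0 to upstreams unless told otherwise (the original omitted this).
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade; # WebSocket support
        proxy_set_header Connection $connection_upgrade; # WebSocket support
        # Upstream certificate is not verified by default; enable proxy_ssl_verify when
        # pfSense has a trusted certificate.
        proxy_pass https://pfsense;
    }
    # logs
    access_log /var/log/nginx/pfsense-joeplaa-com_access.log;
    error_log /var/log/nginx/pfsense-joeplaa-com_error.log;
    # ssl
    ssl_certificate /home/joeplaa/cert/joeplaa.com.fullchain;
    ssl_certificate_key /home/joeplaa/cert/joeplaa.com.all.pem;
}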
# Plain-HTTP listener: redirect this name to HTTPS, answer 404 to anything else.
server {
    if ($host = pfsense.joeplaa.com) {
        return 301 https://$host$request_uri;
    }
    server_name pfsense.joeplaa.com;
    listen 80;
    return 404;
}
# Two-node Proxmox cluster, both on the standard pveproxy port.
upstream proxmox {
    server 10.33.60.100:8006;
    server 10.33.60.101:8006;
    # Keep the connection sticky (otherwise the noVNC console redirection will only work randomly).
    # ip_hash keys on the client address: behind another proxy every client would share one node.
    ip_hash;
    # Only effective when the vhost sends "Connection: keep-alive"/"" to the upstream; the
    # vhost's $connection_upgrade header presumably closes non-upgrade connections - confirm.
    keepalive 1;
}
# Proxmox web UI. Access is limited at the server level, so the list applies to every location.
server {
    # allow access from own IP only
    allow <public IP address>;
    # allow access from (v)lan only; use with an internal DNS resolver
    allow 10.33.10.0/24;
    allow 10.33.20.0/24;
    allow 10.33.60.0/24;
    deny all;
    server_name proxmox.joeplaa.com;
    proxy_redirect off;
    location / {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade; # WebSocket support
        proxy_set_header Connection $connection_upgrade; # WebSocket support
        proxy_buffering off;
        # Unlimited request bodies (ISO / backup uploads); the 1 h timeouts keep long
        # console and upload sessions open.
        client_max_body_size 0;
        proxy_connect_timeout 3600s;
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
        send_timeout 3600s;
        # No Host/X-Forwarded-For are set: pveproxy sees this proxy's address, so pair
        # Proxmox's auth log with the access_log below when investigating a login.
        # Upstream TLS (self-signed by default) is not verified by nginx.
        proxy_pass https://proxmox;
        add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
    }
    access_log /var/log/nginx/proxmox-joeplaa-com_access.log;
    error_log /var/log/nginx/proxmox-joeplaa-com_error.log;
    # Caching breaks the site! Do not enable it (Joep 14-01-2021)!
    # include snippets/static-files.conf;
    listen 443 http2 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/proxmox.joeplaa.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/proxmox.joeplaa.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
# Plain-HTTP listener (unrestricted, it only redirects): send this name to HTTPS, 404 otherwise.
server {
    if ($host = proxmox.joeplaa.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    server_name proxmox.joeplaa.com;
    listen 80;
    return 404; # managed by Certbot
}
# Sonatype Nexus. The group is named "server" (legal, but easy to misread next to the
# "server" directive); it is referenced as http://server in the vhost below.
upstream server {
    server 10.33.30.21:8081;
}
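# Nexus repository manager, including the Docker registry API under /v2.
server {
    # allow access from own IP only
    allow <public IP address>;
    # allow access from (v)lan only; use with an internal DNS resolver
    # (10.33.30.0/24 covers the TeamCity host at 10.33.30.22, so CI can pull/push).
    allow 10.33.20.0/24;
    allow 10.33.30.0/24;
    allow 10.33.50.0/24;
    deny all;
    server_name sonatype.jodibooks.com;
    # Docker /v2 requests
    # /jodibooks for private repository, all others for group/proxy
    # (prefix match: this location also catches /v2/jodibooks<anything>; fine for the
    # registry, since image names are namespaced as jodibooks/<image>.)
    location /v2/jodibooks {
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto "https";
        proxy_pass http://server/repository/docker-jodibooks/v2/jodibooks;
    }
    location /v2 {
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto "https";
        proxy_pass http://server/repository/docker-group/v2;
    }
    # Regular Nexus requests
    location / {
        proxy_pass http://server;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade; # WebSocket support
        proxy_set_header Connection $connection_upgrade; # WebSocket support
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        # Fixed: the originals were "X-Forward-For" / "X-Forward-Proto" (names nothing
        # reads) and the proto was hard-coded to "http" on a TLS-only vhost, so Nexus
        # would build http:// URLs and redirects. Now consistent with the /v2 locations.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Nginx-Proxy true;
        proxy_redirect off;
        proxy_send_timeout 120;
        proxy_read_timeout 300;
        proxy_buffering off;
        proxy_request_buffering off;
        keepalive_timeout 5 5;
        # tcp_nodelay on; set in general settings (http snippet)
        add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
    }
    access_log /var/log/nginx/sonatype-jodibooks-com_access.log;
    error_log /var/log/nginx/sonatype-jodibooks-com_error.log;
    # allow large uploads of files
    client_max_body_size 10G;
    # optimize downloading files larger than 1G
    proxy_max_temp_file_size 2048m;
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/sonatype.jodibooks.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/sonatype.jodibooks.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}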
# Plain-HTTP listener: redirect this name to HTTPS, answer 404 to anything else.
server {
    if ($host = sonatype.jodibooks.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    server_name sonatype.jodibooks.com;
    listen 80;
    return 404; # managed by Certbot
}
Reverse proxy config for TeamCity builds (builds.jodibooks.com; the server_name below is `builds`, not `build`):
# TeamCity behind TLS. The same backend is also published as teamcity.jodibooks.com below;
# TeamCity accepts only its configured Server URL for the X-Forwarded-Host CSRF check, so
# only one of the two names can be the canonical one - confirm which.
# NOTE(review): no allow/deny list here, unlike sonatype; a CI server holds build agents,
# secrets and artifact-signing material, so consider the same restriction.
server {
    listen 443 ssl http2;
    server_name builds.jodibooks.com;
    # Reverse proxy
    proxy_max_temp_file_size 0; # this prevents "net::ERR_HTTP2_PROTOCOL_ERROR", see https://stackoverflow.com/a/61970633
    location / {
        proxy_pass http://10.33.30.22:8111; # full internal address
        proxy_http_version 1.1;
        proxy_set_header Host $server_name:$server_port;
        proxy_set_header X-Forwarded-Host $http_host; # necessary for proper absolute redirects and TeamCity CSRF check
        proxy_set_header X-Forwarded-Proto $scheme;
        # $remote_addr rather than $proxy_add_x_forwarded_for: any client-supplied chain is
        # discarded, which is the safer choice when this is the only proxy.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Upgrade $http_upgrade; # WebSocket support
        proxy_set_header Connection $connection_upgrade; # WebSocket support
        add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
    }
    # Logging
    access_log /var/log/nginx/builds-jodibooks-com_access.log;
    error_log /var/log/nginx/builds-jodibooks-com_error.log;
    # Caching breaks the site! Do not enable it (Joep 14-01-2021)!
    # include snippets/static-files.conf;
    # SSL
    ssl_certificate /etc/letsencrypt/live/builds.jodibooks.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/builds.jodibooks.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
# Plain-HTTP listener: redirect this name to HTTPS, answer 404 to anything else.
server {
    if ($host = builds.jodibooks.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    server_name builds.jodibooks.com;
    listen 80;
    return 404; # managed by Certbot
}
Reverse proxy config for TeamCity server (teamcity.jodibooks.com):
# Second name for the same TeamCity instance (see builds.jodibooks.com above); only the
# name matching TeamCity's configured Server URL will pass its CSRF check - confirm.
# NOTE(review): no allow/deny list; CI is a high-value supply-chain target, consider the
# restriction used for sonatype.
server {
    listen 443 ssl http2;
    server_name teamcity.jodibooks.com;
    # Reverse proxy
    proxy_max_temp_file_size 0; # this prevents "net::ERR_HTTP2_PROTOCOL_ERROR", see https://stackoverflow.com/a/61970633
    location / {
        proxy_pass http://10.33.30.22:8111; # full internal address
        proxy_http_version 1.1;
        proxy_set_header Host $server_name:$server_port;
        proxy_set_header X-Forwarded-Host $http_host; # necessary for proper absolute redirects and TeamCity CSRF check
        proxy_set_header X-Forwarded-Proto $scheme;
        # Client address only; any forwarded chain supplied by the client is discarded.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Upgrade $http_upgrade; # WebSocket support
        proxy_set_header Connection $connection_upgrade; # WebSocket support
        add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
    }
    # Logging
    access_log /var/log/nginx/teamcity-jodibooks-com_access.log;
    error_log /var/log/nginx/teamcity-jodibooks-com_error.log;
    # Caching breaks the site! Do not enable it (Joep 14-01-2021)!
    # include snippets/static-files.conf;
    # SSL
    ssl_certificate /etc/letsencrypt/live/teamcity.jodibooks.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/teamcity.jodibooks.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
# Plain-HTTP listener: redirect this name to HTTPS, answer 404 to anything else.
server {
    if ($host = teamcity.jodibooks.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    server_name teamcity.jodibooks.com;
    listen 80;
    return 404; # managed by Certbot
}
# NOTE(review): duplicate of the "switch" upstream defined earlier on this page. nginx
# refuses to start with two upstream groups of the same name in one configuration
# ('duplicate upstream "switch"'), so keep only one copy.
upstream switch {
    server 10.20.30.1:80;
}
# NOTE(review): duplicate of the switch.joeplaa.com vhost earlier on this page; with two
# servers on the same listen/server_name nginx warns "conflicting server name" and
# ignores this one. Keep a single copy (and apply any fix to it).
server {
    listen 443 http2 ssl;
    server_name switch.joeplaa.com;
    proxy_redirect off;
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Plain HTTP to the switch; no X-Forwarded-Proto, so its redirects may be http://.
        proxy_pass http://switch;
    }
    # logs
    access_log /var/log/nginx/switch-joeplaa-com_access.log;
    error_log /var/log/nginx/switch-joeplaa-com_error.log;
    # ssl
    ssl_certificate /home/joeplaa/cert/joeplaa.com.fullchain;
    ssl_certificate_key /home/joeplaa/cert/joeplaa.com.all.pem;
}
# Duplicate of the earlier switch.joeplaa.com redirect block; keep one copy.
server {
    if ($host = switch.joeplaa.com) {
        return 301 https://$host$request_uri;
    }
    server_name switch.joeplaa.com;
    listen 80;
    return 404;
}
# TrueNAS web UI over HTTPS (upstream certificate not verified by nginx).
# NOTE(review): same address:port as upstream dell-idrac and hp-ilo (10.20.30.40:443);
# presumably a placeholder - verify.
upstream truenas {
    server 10.20.30.40:443;
}
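# TLS front for the TrueNAS UI (its middleware API runs over WebSocket).
server {
    listen 443 http2 ssl;
    server_name truenas.joeplaa.com;
    # This controls *client* certificate authentication to nginx and "off" is the default,
    # so the line is a no-op; it does not affect verification of the TrueNAS certificate
    # (that is proxy_ssl_verify, off by default).
    ssl_verify_client off;
    proxy_redirect off;
    # NOTE(review): storage admin UI on a public name with no allow/deny list; restrict it
    # as the proxmox vhost does.
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Upgrade headers are ignored over HTTP/1.0, which is nginx's default to upstreams;
        # HTTP/1.1 is required for the WebSocket hand-off (the original omitted it).
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade; # WebSocket support
        proxy_set_header Connection $connection_upgrade; # WebSocket support
        proxy_pass https://truenas;
    }
    # logs
    access_log /var/log/nginx/truenas-joeplaa-com_access.log;
    error_log /var/log/nginx/truenas-joeplaa-com_error.log;
    # ssl
    ssl_certificate /home/joeplaa/cert/joeplaa.com.fullchain;
    ssl_certificate_key /home/joeplaa/cert/joeplaa.com.all.pem;
}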
# Plain-HTTP listener: redirect this name to HTTPS, answer 404 to anything else.
server {
    if ($host = truenas.joeplaa.com) {
        return 301 https://$host$request_uri;
    }
    server_name truenas.joeplaa.com;
    listen 80;
    return 404;
}
# Umami analytics behind TLS.
server {
    server_name umami.jodibooks.com;
    location / {
        # No Host/X-Forwarded-Proto are set: umami sees "Host: 10.33.30.20:3000" and cannot
        # tell the request was HTTPS. Fine if it only serves relative URLs; if it builds
        # absolute URLs or Secure cookies, add "proxy_set_header Host $host;" and
        # "X-Forwarded-Proto $scheme;" - check against the umami docs before changing.
        proxy_pass http://10.33.30.20:3000;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
    }
    access_log /var/log/nginx/umami-jodibooks-com_access.log;
    error_log /var/log/nginx/umami-jodibooks-com_error.log;
    # Caching breaks the site! Do not enable it (Joep 14-01-2021)!
    # include snippets/static-files.conf;
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/umami.jodibooks.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/umami.jodibooks.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
# Plain-HTTP listener: redirect this name to HTTPS, answer 404 to anything else.
server {
    if ($host = umami.jodibooks.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    server_name umami.jodibooks.com;
    listen 80;
    return 404; # managed by Certbot
}
# Wiki application, plain HTTP on the internal network.
upstream wiki-backend {
    server 10.33.50.21:3000;
}
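# Wiki behind TLS with WebSocket pass-through.
server {
    listen 443 ssl http2;
    server_name wiki.joeplaa.com;
    # SSL
    ssl_certificate /etc/letsencrypt/live/wiki.joeplaa.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/wiki.joeplaa.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    # reverse proxy
    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # The backend is plain HTTP; tell it the client used HTTPS so absolute URLs and
        # session cookies are built for https:// (consistent with the other vhosts here).
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://wiki-backend;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade; # WebSocket support
        proxy_set_header Connection $connection_upgrade; # WebSocket support
        # With a single upstream server this only lets nginx retry the same server once.
        proxy_next_upstream error timeout http_502 http_503 http_504;
    }
    # logging
    access_log /var/log/nginx/wiki-joeplaa-com_access.log;
    error_log /var/log/nginx/wiki-joeplaa-com_error.log;
    # Caching breaks the site! Do not enable it (Joep 14-01-2021)!
    # include snippets/static-files.conf;
}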
# Plain-HTTP listener: redirect this name to HTTPS, answer 404 to anything else.
server {
    if ($host = wiki.joeplaa.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    server_name wiki.joeplaa.com;
    listen 80;
    return 404; # managed by Certbot
}
# WordPress container (LXD), plain HTTP on a non-default port.
upstream backend_demosalon_wp {
    server 10.110.199.63:90;
}
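# WordPress site behind an LXD proxy device (PROXY protocol) with admin paths IP-restricted.
server {
    server_name demosalon.nl www.demosalon.nl;
    listen 443 ssl http2 proxy_protocol; # use proxy_protocol when using LXD's to run Nginx proxy container + WordPress container
    # block all addresses except our own for login screen
    # The allow rule compares against $remote_addr *after* real_ip rewriting (see
    # real_ip_header below), so it only matches when the PROXY-protocol source is trusted;
    # if it is not, every admin request is denied (fails closed). Note that this prefix
    # also covers wp-admin/admin-ajax.php, which plugins call for anonymous visitors.
    location ~ ^/(wp-admin|wp-login\.php) {
        allow 80.100.141.149;
        deny all;
        proxy_pass http://backend_demosalon_wp;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Added for consistency with location /: without these WordPress sees the admin
        # request as plain HTTP and redirects/builds URLs to http:// (admin redirect loops).
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Port 443;
        proxy_set_header Proxy "";
    }
    # proxy
    location / {
        proxy_pass http://backend_demosalon_wp;
        proxy_redirect off;
        proxy_set_header Host $host;
        # Upgrade headers only take effect over HTTP/1.1 (nginx defaults to 1.0 upstream).
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade; # WebSocket support
        proxy_set_header Connection $connection_upgrade; # WebSocket support
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Port 443;
        # Strip any client-sent "Proxy" header (httpoxy: PHP exposes it as HTTP_PROXY).
        proxy_set_header Proxy "";
    }
    # Take the client address from the PROXY protocol header, but only when the
    # connection comes from the local LXD proxy device.
    real_ip_header proxy_protocol;
    set_real_ip_from 127.0.0.1;
    # logging
    access_log /var/log/nginx/demosalon-nl_access.log;
    error_log /var/log/nginx/demosalon-nl_error.log;
    # Exclusions
    include snippets/exclusions.conf;
    # Security
    include snippets/security.conf;
    include snippets/limits.conf;
    # ssl
    ssl_certificate /etc/letsencrypt/live/demosalon.nl/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/demosalon.nl/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}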
# Plain-HTTP listener: redirect both names to HTTPS, answer 404 to anything else.
server {
    if ($host = www.demosalon.nl) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    if ($host = demosalon.nl) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    server_name demosalon.nl www.demosalon.nl;
    listen 80;
    return 404; # managed by Certbot
}
Sources:
https://www.ryadel.com/en/nginx-reverse-proxy-cache-centos-7-linux/
# ---------------------------------------------------------------------
# NGINX - Basic-Proxy configuration (no cache)
# ---------------------------------------------------------------------
# Created by Ryadel on 2017.12.09
# www.ryadel.com
# ---------------------------------------------------------------------
# Workers run as "apache". If Apache is the origin on the same host, a compromised nginx
# worker then has Apache's file permissions too; a dedicated account keeps them apart.
user apache;
worker_processes 2;
# Directory for worker core dumps. Pointing it at a web root risks serving a core file
# (which can hold TLS keys and request data) should one ever be written.
working_directory /var/www;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
    worker_connections 1024;
}
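http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    upstream origin {
        # if the upstream is installed in this machine (for example, an Apache Server)
        # map this to localhost or to an "origin" hostname pointing to 127.0.0.1 in the /etc/hosts file
        server origin.example.com:82;
    }
    # Plain HTTP on both sides; TLS termination is out of scope for this example.
    server {
        listen 80 default_server;
        server_name www.example.com;
        location / {
            # No Host header is set, so the origin receives "Host: origin" (the upstream
            # name) - it must have a matching vhost, or set "proxy_set_header Host $host;".
            proxy_pass http://origin;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            # Forward the client address so the origin's logs, bans and rate limits see
            # the real client instead of this proxy (the original forwarded nothing).
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # Debug aid: reveals the upstream name to every client; drop in production.
            add_header X-Handled-By $proxy_host;
        }
    }
}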
# ---------------------------------------------------------------------
# NGINX - Proxy-Cache configuration
# ---------------------------------------------------------------------
# Created by Ryadel on 2017.12.09
# www.ryadel.com
# ---------------------------------------------------------------------
# Same process settings as the basic example: see the notes there about sharing the
# "apache" account with the origin and about working_directory under a web root.
user apache;
worker_processes 2;
working_directory /var/www;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
    worker_connections 1024;
}
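http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    # Edge cache: 1 GB on disk, entries dropped after 20 min without a hit.
    proxy_buffering on;
    proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=edge-cache:10m inactive=20m max_size=1g;
    proxy_temp_path /var/cache/nginx/tmp;
    proxy_cache_lock on;
    proxy_cache_use_stale updating;
    proxy_bind 0.0.0.0;
    # Cache lifetimes by status. The default key ($scheme$proxy_host$request_uri) carries
    # no cookie or client identity, so per-user responses must be marked by the origin
    # (Set-Cookie, Cache-Control: private/no-store - honoured by default) or excluded with
    # proxy_no_cache/proxy_cache_bypass; otherwise one user's page is served to the next.
    # "any 1m" also caches 401/403/5xx: one client's 403 becomes everyone's for a minute.
    proxy_cache_valid 200 302 10m;
    proxy_cache_valid 301 1h;
    proxy_cache_valid any 1m;
    upstream origin {
        # if the upstream is installed in this machine (for example, an Apache Server)
        # map this to localhost or to an "origin" hostname pointing to 127.0.0.1 in the /etc/hosts file
        server origin.example.com:82; # mapped to 127.0.0.1
        # (this line was split by a stray code fence in the original listing)
        server external-1.example.com:80; # remote IP address
        server external-2.example.com:80; # remote IP address
    }
    server {
        listen 80 default_server;
        server_name www.yourwebsite.com;
        location / {
            proxy_pass http://origin;
            proxy_cache edge-cache;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            # Forward the client address so the origins' logs and rate limits see the
            # real client rather than this proxy (the original forwarded nothing).
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # Debug aids: they reveal cache behaviour and the upstream name to every
            # client; drop them in production.
            add_header X-Cache-Status $upstream_cache_status;
            add_header X-Handled-By $proxy_host;
        }
    }
}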
Sources:
https://www.ryadel.com/en/nginx-reverse-proxy-cache-wordpress-apache-iis/
# ---------------------------------------------------------------------
# REVERSE PROXY CONFIGURATION for Wordpress, v1.0/2018
# https://www.ryadel.com
# ---------------------------------------------------------------------
# http-level directives (a snippet to be included from nginx.conf).
#Enables or disables buffering of responses from the proxied server.
proxy_buffering on;
#prevent header too large errors
proxy_buffers 256 16k;
proxy_buffer_size 32k;
#set the location of the cached files, zone, name, size (1000 MB) and how long to cache for (600 minutes)
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=edge-cache:10m inactive=600m max_size=1g;
proxy_temp_path /var/cache/nginx/tmp;
# The key separates virtual hosts ($host) but NOT users: nothing about cookies or the
# client is in it. WordPress marks logged-in/admin responses with Set-Cookie and
# Cache-Control (which nginx honours by default), but to be safe add a
# proxy_cache_bypass / proxy_no_cache rule on the WordPress login and comment cookies,
# or one visitor's personalised page can be served to the next.
proxy_cache_key $scheme$host$request_uri;
# When enabled, only one request at a time will be allowed to populate
# a new cache element identified according to the proxy_cache_key directive
# by passing a request to a proxied server.
# Other requests of the same cache element will either wait for a response to appear in the cache
# or the cache lock for this element to be released, up to the time set by the proxy_cache_lock_timeout directive.
proxy_cache_lock on;
# proxy_cache_revalidate instructs NGINX to use conditional GET requests when refreshing content from the origin servers.
# If a client requests an item that is cached but expired as defined by the cache control headers, NGINX includes the
# If-Modified-Since field in the header of the GET request it sends to the origin server.
# This saves on bandwidth, because the server sends the full item only if it has been modified since the time recorded
# in the Last-Modified header attached to the file when NGINX originally cached it.
proxy_cache_revalidate on;
#proxy_cache_min_uses sets the number of times an item must be requested by clients before NGINX caches it.
# This is useful if the cache is constantly filling up, as it ensures that only the most frequently accessed items
# are added to the cache. By default proxy_cache_min_uses is set to 1.
proxy_cache_min_uses 3;
#The updating parameter to the proxy_cache_use_stale directive, combined with enabling the
# proxy_cache_background_update directive, instructs NGINX to deliver stale content when clients request an item
# that is expired or is in the process of being updated from the origin server. All updates will be done in the background.
# The stale file is returned for all requests until the updated file is fully downloaded.
# The error/timeout/5xx parameters also mask origin outages by serving stale copies.
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
proxy_cache_background_update on;
#fix 504 gateway timeouts, can go in nginx.conf
# 10-minute timeouts let slow origin requests tie up worker connections that long;
# keep them in mind when sizing worker_connections against slow-client abuse.
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
send_timeout 600;
# Sets caching time for different response codes
# "any 1m" includes 401/403/5xx, so an error returned to one client is cached for all.
proxy_cache_valid 200 302 10m;
proxy_cache_valid 301 1h;
proxy_cache_valid any 1m;
# Sets the HTTP protocol version for proxying (default is 1.0).
# Version 1.1 is recommended for use with keepalive connections and NTLM authentication.
proxy_http_version 1.1;
# Determines whether SSL sessions can be reused when working with the proxied server (default is on).
# If the errors “SSL3_GET_FINISHED:digest check failed” appear in the logs, try turning it off.
# proxy_ssl_session_reuse on;
# ---------------------------------------------------------------------
# REVERSE PROXY CONFIGURATION - END
# ---------------------------------------------------------------------