Setup of Nginx for pkg.omniosce.org

worker_processes 8; events { worker_connections 1024; } http { include mime.types; default_type application/octet-stream; sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 65; keepalive_requests 10000; types_hash_max_size 2048; server_tokens off; client_max_body_size 200M; proxy_http_version 1.1; ## # SSL Settings ## # turn on for debuging #error_log /var/opt/ooce/nginx/log/error.log debug; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE ssl_prefer_server_ciphers on; ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS:!DES-CBC3-SHA'; ssl_dhparam /etc/ssl/private/dhparam.pem; ssl_session_cache shared:SSL:50m; ssl_session_timeout 1d; ssl_session_tickets off; add_header Strict-Transport-Security max-age=15768000; ssl_stapling on; ssl_stapling_verify on; server { listen 80 ; listen [::]:80 ; server_name _; location ^~ /.well-known { allow all; alias /var/www/html/.well-known; } location / { return 301 https://$host$request_uri; } } server { listen 443 ssl; server_name pkg.omniosce.org; ssl_certificate /etc/ssl/certs/acme-omniosce.org.pem; ssl_certificate_key /etc/ssl/private/acme-omniosce.org.key; ssl_client_certificate /archive/downloads/ssl/omniosce-ca.cert.pem; ssl_verify_client optional; # check if requested operation is authorised... set $authorised "false"; if ($request_method ~ ^(?:GET|HEAD)$) { set $authorised "true"; } if ($request_uri ~ ^/[^/]+/[^/]+/(?:open|abandon|add|close)/) { set $authorised "false"; } if ($request_uri ~ ^/[^/]+/[^/]+/[^/]+/(?:admin)/) { set $authorised "false"; } if ($ssl_client_verify = "SUCCESS") { set $authorised "true"; } if ($authorised != "true") { return 403; } # global proxy settings proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504; proxy_redirect off; proxy_buffering off; location /r151022/core { root /pkg/r151022/core; # serve files from local filesystem instead through pkg/server... location ~ ^/r151022/core/file/0/(..)(.*)$ { try_files /publisher/omnios/file/$1/$1$2 =404; } location ~ ^/r151022/core/omnios/file/1/(..)(.*)$ { try_files /publisher/omnios/file/$1/$1$2 =404; } # don't remove the first rewrite as it will rewrite uri w/ the non decoded version! rewrite ^ $request_uri; rewrite ^/r151022/core/?(.*) /$1 break; proxy_pass http://127.0.0.1:10022/$uri; } location /r151022/staging { root /pkg/r151022/staging; # serve files from local filesystem instead through pkg/server... location ~ ^/r151022/staging/file/0/(..)(.*)$ { try_files /publisher/omnios/file/$1/$1$2 =404; } location ~ ^/r151022/staging/omnios/file/1/(..)(.*)$ { try_files /publisher/omnios/file/$1/$1$2 =404; } # don't remove the first rewrite as it will rewrite uri w/ the non decoded version! rewrite ^ $request_uri; rewrite ^/r151022/staging/?(.*) /$1 break; proxy_pass http://127.0.0.1:10122/$uri; } location /r151022/extra { root /pkg/r151022/extra; # serve files from local filesystem instead through pkg/server... location ~ ^/r151022/extra/file/0/(..)(.*)$ { try_files /publisher/extra.omnios/file/$1/$1$2 =404; } location ~ ^/r151022/extra/omnios/file/1/(..)(.*)$ { try_files /publisher/extra.omnios/file/$1/$1$2 =404; } # don't remove the first rewrite as it will rewrite uri w/ the non decoded version! rewrite ^ $request_uri; rewrite ^/r151022/extra/?(.*) /$1 break; proxy_pass http://127.0.0.1:10222/$uri; } location /bloody/core { root /pkg/bloody/core; # serve files from local filesystem instead through pkg/server... location ~ ^/bloody/core/file/0/(..)(.*)$ { try_files /publisher/omnios/file/$1/$1$2 =404; } location ~ ^/bloody/core/omnios/file/1/(..)(.*)$ { try_files /publisher/omnios/file/$1/$1$2 =404; } # don't remove the first rewrite as it will rewrite uri w/ the non decoded version! rewrite ^ $request_uri; rewrite ^/bloody/core/?(.*) /$1 break; proxy_pass http://127.0.0.1:10099/$uri; } location /bloody/extra { root /pkg/bloody/extra; # serve files from local filesystem instead through pkg/server... location ~ ^/bloody/extra/file/0/(..)(.*)$ { try_files /publisher/extra.omnios/file/$1/$1$2 =404; } location ~ ^/bloody/extra/omnios/file/1/(..)(.*)$ { try_files /publisher/extra.omnios/file/$1/$1$2 =404; } # don't remove the first rewrite as it will rewrite uri w/ the non decoded version! rewrite ^ $request_uri; rewrite ^/bloody/extra/?(.*) /$1 break; proxy_pass http://127.0.0.1:10299/$uri; } location /r151022 { return 301 https://$host/r151022/core/; } location /bloody { return 301 https://$host/bloody/core/; } location / { return 404; } } server { listen 443 ssl; server_name mirrors.omniosce.org; ssl_certificate /etc/ssl/certs/acme-omniosce.org.pem; ssl_certificate_key /etc/ssl/private/acme-omniosce.org.key; location / { root /archive/mirrors; autoindex on; } } server { listen 443 ssl; server_name downloads.omniosce.org; ssl_certificate /etc/ssl/certs/acme-omniosce.org.pem; ssl_certificate_key /etc/ssl/private/acme-omniosce.org.key; location / { root /archive/downloads; autoindex on; } } server { listen 443 ssl; server_name crl.omniosce.org; ssl_certificate /etc/ssl/certs/acme-omniosce.org.pem; ssl_certificate_key /etc/ssl/private/acme-omniosce.org.key; location / { root /crl; } } }