|
# round robin load balance pool |
|
# servers can be local or remote |
|
upstream lbpool { |
|
ip_hash; |
|
server 10.10.10.1:8000 max_fails=3 fail_timeout=120; |
|
server 10.10.10.2:8000 max_fails=3 fail_timeout=120; |
|
# additional servers |
|
} |
|
|
|
# http server |
|
server { |
|
listen 80; |
|
server_name example.com; |
|
|
|
access_log /var/log/nginx/example.com.80.access.log main; |
|
error_log /var/log/nginx/example.com.80.error.log; |
|
|
|
# proxy requests to the pool |
|
# ensure ips are passed correctly |
|
location / { |
|
proxy_pass http://lbpool; |
|
proxy_set_header Host $host; |
|
proxy_set_header X-Real-IP $remote_addr; |
|
proxy_set_header X-Forwarded-For $remote_addr; |
|
port_in_redirect off; |
|
} |
|
} |
|
|
|
# https server |
|
# terminates SSL before passing the request to the proxy |
|
server { |
|
listen 443 ssl; |
|
server_name example.com; |
|
|
|
access_log /var/log/nginx/example.com.443.access.log main; |
|
error_log /var/log/nginx/example.com.443.error.log; |
|
|
|
ssl_certificate /etc/nginx/ssl/example.com.crt; # or .pem |
|
ssl_certificate_key /etc/nginx/ssl/example.com.key; |
|
|
|
ssl_session_cache shared:SSL:1m; |
|
ssl_session_timeout 5m; |
|
|
|
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ |
|
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS; |
|
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; |
|
ssl_prefer_server_ciphers on; |
|
|
|
# proxy requests to the pool |
|
# ensure ips are passed correctly |
|
location / { |
|
proxy_pass http://lbpool; |
|
proxy_set_header Host $host; |
|
proxy_set_header X-Real-IP $remote_addr; |
|
proxy_set_header X-Forwarded-For $remote_addr; |
|
port_in_redirect off; |
|
} |
|
} |
|
|
|
# upstream php server |
|
server { |
|
listen 8000; |
|
server_name example.com; |
|
root /home/webapps/example.com; |
|
|
|
access_log /var/log/nginx/example.com.8000.access.log main; |
|
error_log /var/log/nginx/example.com.8000.error.log; |
|
|
|
location / { |
|
index index.php; |
|
# pass php requests to the front controller (http://wiki.nginx.org/Pitfalls#Front_Controller_Pattern_based_packages) |
|
# but don't proxy everything (http://wiki.nginx.org/Pitfalls#Proxy_Everything) |
|
try_files $uri $uri/ /index.php; |
|
} |
|
|
|
location ~ \.php$ { |
|
try_files $uri =404; |
|
fastcgi_pass unix:/var/run/php5-fpm.sock; |
|
fastcgi_index index.php; |
|
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; |
|
include fastcgi_params; |
|
} |
|
|
|
# deny access to .htaccess files, |
|
# git & svn repositories, etc |
|
location ~ /\.(?:ht|git|svn) { |
|
deny all; |
|
} |
|
|
|
# redirect server error pages to the static page /50x.html |
|
error_page 500 502 503 504 /50x.html; |
|
location = /50x.html { |
|
root /usr/share/nginx/html; |
|
} |
|
|
|
# caching |
|
location ~* \.(pdf|css|js|png|gif|jpg|jpeg|ico|swf|mov|doc|pdf|xls|ppt|docx|pptx|xlsx)$ { |
|
expires max; |
|
log_not_found off; |
|
access_log off; |
|
} |
|
} |