forked from cloud-gov/pages-proxy
-
Notifications
You must be signed in to change notification settings - Fork 0
/
nginx.conf
140 lines (115 loc) · 3.97 KB
/
nginx.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
worker_processes 1;
daemon off;
events { worker_connections 1024; }
http {
charset utf-8;
log_format cloudfoundry '$http_user_agent - $host "$request" $status $body_bytes_sent';
access_log /dev/stdout cloudfoundry;
include mime.types;
default_type application/octet-stream;
sendfile on;
gzip on;
gzip_vary on;
gzip_disable "msie6";
gzip_comp_level 6;
gzip_min_length 1100;
gzip_buffers 16 8k;
gzip_proxied any;
gunzip on;
gzip_static always;
gzip_types text/plain text/css text/js text/xml
text/javascript application/javascript application/x-javascript
application/json application/xml application/xml+rss
font/ttf font/otf font/x-woff image/svg+xml
application/vnd.ms-fontobject
application/ttf application/x-ttf application/otf
application/x-otf application/truetype application/eot
application/opentype application/x-opentype application/woff
application/font application/font-woff woff application/font-sfnt;
tcp_nopush on;
keepalive_timeout 30;
port_in_redirect off; # Ensure that redirects don't include the internal container PORT - {{port}}
server_tokens off;
more_clear_headers Server;
recursive_error_pages on;
# Cloudfront forwards these but doesn't consider them part of the cache key
# so drop them before passing to the origin, since responses aren't actually cacheable
proxy_set_header If-Match "";
proxy_set_header If-None-Match "";
proxy_set_header If-Modified-Since "";
proxy_set_header If-Unmodified-Since "";
proxy_set_header Range "";
proxy_set_header If-Range "";
proxy_set_header x-amz-expected-bucket-owner "";
proxy_set_header x-amz-security-token "";
map_hash_max_size 64;
map_hash_bucket_size 256;
map $name $sts {
default "max-age=31536000; preload";
~^({{env "INCLUDE_SUBDOMAINS"}})$ "max-age=31536000; preload; includeSubDomains";
}
map $name $bucket_url {
default {{env "DEDICATED_S3_BUCKET_URL"}};
}
map $http_user_agent $prefix_path {
default $full_path;
"Amazon Cloudfront" $rest;
}
map $http_user_agent $robot_header {
default "none";
"Amazon Cloudfront" "all";
}
server {
listen {{port}};
server_name ~^(?<name>.+)\.{{env "DOMAIN"}}$;
resolver {{env "DNS_RESOLVER"}} valid=60s;
add_header Strict-Transport-Security $sts always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Server "Cloud.gov Pages" always;
add_header X-Robots-Tag $robot_header always;
add_header Access-Control-Allow-Methods "GET, HEAD" always;
if ($request_method !~ ^(GET|HEAD)$) {
return 405;
}
if ($request_uri ~ "^/((site|preview|demo))/(([^/]+))/(([^/]+))(?<remaining>(.*))$" ) {
set $remaining_path $remaining;
}
include redirects.conf;
location =/health {
access_log off;
return 200 "Ok";
}
location ~ ^/(?<context>(site|preview|demo))/(?<owner>([^/]+))/(?<repo>([^/]+))(?<rest>(.*))$ {
# Match paths ending in '/'
location ~ /$ {
rewrite ^(.*)$ $1index.html last;
}
# Match paths with extensions and possibly query parameters
location ~ ^/[^/]+/[^/]+/[^/]+/[^?]*\.[^./]+(\?.*)?$ {
proxy_pass $bucket_url;
proxy_intercept_errors on;
error_page 404 403 =404 @notfound;
}
# Match paths with backslashes at site root or after
location ~ ^/[^/]+/[^/]+/[^/]+/.*[\\\]+ {
rewrite ^(.*)$ @notfound;
}
# Match paths with encoded backslashes at site root or after
location ~ ^/[^/]+/[^/]+/[^/]+/.*%5C.* {
rewrite ^(.*)$ @notfound;
}
location ~ ^/[^/]+/[^/]+/[^/]+/.*%255C.* {
rewrite ^(.*)$ @notfound;
}
# What is left are paths without extensions
location ~ ^/ {
absolute_redirect off;
rewrite ^(?<full_path>(.*))$ $prefix_path/ permanent;
}
}
location @notfound {
# custom 404 pages are *bucket* specific NOT *branch* specific
proxy_pass $bucket_url/site/$owner/$repo/404.html;
}
}
}