02/02: hydra: Add nginx.conf for hydra.gnu.org.
From: |
Ludovic Courtès |
Subject: |
02/02: hydra: Add nginx.conf for hydra.gnu.org. |
Date: |
Tue, 01 Mar 2016 08:47:19 +0000 |
civodul pushed a commit to branch master
in repository maintenance.
commit 6194eec1aee32c9b37cdc26ef012355152f43e0c
Author: Ludovic Courtès <address@hidden>
Date: Tue Mar 1 09:46:25 2016 +0100
hydra: Add nginx.conf for hydra.gnu.org.
---
hydra/nginx/hydra.gnu.org.conf | 208 ++++++++++++++++++++++++++++++++++++++++
1 files changed, 208 insertions(+), 0 deletions(-)
diff --git a/hydra/nginx/hydra.gnu.org.conf b/hydra/nginx/hydra.gnu.org.conf
new file mode 100644
index 0000000..8ff52c4
--- /dev/null
+++ b/hydra/nginx/hydra.gnu.org.conf
@@ -0,0 +1,208 @@
+# This is the /etc/nginx/nginx.conf for hydra.gnu.org.
+
+user www-data;
+worker_processes 1;
+
+error_log /var/log/nginx/error.log error;
+pid /var/run/nginx.pid;
+
+lock_file /var/lock/nginx.lock;
+
+pcre_jit on;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ client_body_temp_path /var/lib/nginx/body;
+ proxy_temp_path /var/lib/nginx/proxy;
+
+ access_log /var/log/nginx/access.log;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ # Maximum chunk size to send. Partly this is a workaround
+ # for <http://bugs.gnu.org/19939>, but also the nginx docs
+ # mention that "Without the limit, one fast connection may
+ # seize the worker process entirely."
+ # <http://nginx.org/en/docs/http/ngx_http_core_module#sendfile_max_chunk>
+ sendfile_max_chunk 1m;
+
+ #keepalive_timeout 0;
+ keepalive_timeout 65;
+ #tcp_nodelay on;
+
+ #gzip on;
+ #gzip_disable "MSIE [1-6]\.(?!.*SV1)";
+
+ include /etc/nginx/conf.d/*.conf;
+ #include /etc/nginx/sites-enabled/*;
+
+ # cache for narinfo files
+ proxy_cache_path /var/cache/nginx/narinfo
+ levels=2
+ inactive=9h # inactive keys removed after 9h
+ keys_zone=narinfo:4m # narinfo meta data: ~32K keys
+ max_size=2g; # total cache data size max
+
+ # cache for nar files
+ proxy_cache_path /var/cache/nginx/nar
+ levels=2
+ inactive=48h # inactive keys removed after 48h
+ keys_zone=nar:4m # nar cache meta data: ~32K keys
+ max_size=20g; # total cache data size max
+
+ # cache for static data
+ proxy_cache_path /var/cache/nginx/static
+ levels=1
+ inactive=48h # inactive keys removed after 2 days
+ keys_zone=static:1m # nar cache meta data: ~8K keys
+ max_size=200m; # total cache data size max
+
+ server {
+ listen 80;
+ server_name hydra.gnu.org;
+
+ access_log /var/log/nginx/hydra.access.log;
+
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header X-Forwarded-Port $server_port;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+ # XXX Block AhrefsBot and Baiduspider for now
+ # TODO: Remove later in the hopes that they'll fetch
+ # our improved /robots.txt before continuing.
+ if ($http_user_agent ~ "AhrefsBot|Baiduspider") {
+ return 403;
+ break;
+ }
+
+ location / {
+ proxy_pass http://127.0.0.1:3000;
+ }
+
+ location /api {
+ # For the sake of the JS code at http://gnu.org/s/guix/packages.
+ #add_header 'Access-Control-Allow-Origin' '*';
+ #add_header 'Access-Control-Allow-Origin' 'https://www.gnu.org';
+ #add_header 'Access-Control-Allow-Origin' 'https://gnu.org';
+ add_header 'Access-Control-Allow-Origin' 'http://www.gnu.org';
+ #add_header 'Access-Control-Allow-Origin' 'http://gnu.org';
+ #add_header 'Access-Control-Allow-Origin'
'https://www.gnu.org/software/guix/packages';
+ #add_header 'Access-Control-Allow-Origin'
'https://www.gnu.org/software/guix/packages/';
+ #add_header 'Access-Control-Allow-Origin'
'https://www.gnu.org/software/guix/packages/index.html';
+ #add_header 'Access-Control-Allow-Origin'
'https://gnu.org/software/guix/packages/';
+ #add_header 'Access-Control-Allow-Origin'
'http://www.gnu.org/software/guix/packages';
+ #add_header 'Access-Control-Allow-Origin'
'http://www.gnu.org/software/guix/packages/';
+ #add_header 'Access-Control-Allow-Origin'
'http://www.gnu.org/software/guix/packages/index.html';
+ #add_header 'Access-Control-Allow-Origin'
'http://gnu.org/software/guix/packages/';
+ proxy_pass http://127.0.0.1:3000;
+ }
+
+ location /nar/ {
+ proxy_pass http://127.0.0.1:3000;
+
+ client_body_buffer_size 256k;
+
+ # Enable caching for nar files, to avoid reconstructing and
recompressing
+ # archives.
+ proxy_cache nar;
+ proxy_cache_valid 200 72h; # cache hits for 3 days.
+ proxy_cache_valid any 1m; # cache misses/others for 1 min.
+
+ proxy_ignore_client_abort on;
+
+ # Disable chunked encoding to avoid enormous chunks.
+ #chunked_transfer_encoding off;
+
+ # Nars are already compressed.
+ gzip off;
+
+ # We need to hide and ignore the Set-Cookie header
+ # to enable caching.
+ proxy_hide_header Set-Cookie;
+ proxy_ignore_headers Set-Cookie;
+
+ # Provide a 'content-length' header so that 'guix substitute-binary'
+ # knows upfront how much it is downloading.
+ #add_header Content-Length $body_bytes_sent;
+ }
+
+ location ~ /(nix-cache-info|static|logo|favicon\.ico) {
+ proxy_pass http://127.0.0.1:3000;
+
+ # Cache this file since that's always the first thing we ask for.
+ proxy_cache static;
+ proxy_cache_valid 200 100h; # cache hits for a looong time.
+ proxy_cache_valid any 5m; # cache misses/others for 5 min.
+ proxy_ignore_client_abort on;
+
+ # We need to hide and ignore the Set-Cookie header
+ # to enable caching.
+ proxy_hide_header Set-Cookie;
+ proxy_ignore_headers Set-Cookie;
+ }
+
+ location ~ \.narinfo$ {
+ proxy_pass http://127.0.0.1:3000;
+
+ # For HTTP pipelining. This has a dramatic impact on performance.
+ client_body_buffer_size 128k;
+
+ # Enable caching for narinfo files, to avoid recomputing nar
signatures.
+ proxy_cache narinfo;
+ proxy_cache_valid 200 18h; # cache hits for 18 hours.
+ proxy_cache_valid any 1m; # cache misses/others for 1 min.
+
+ proxy_ignore_client_abort on;
+
+ # We need to hide and ignore the Set-Cookie header
+ # to enable caching.
+ proxy_hide_header Set-Cookie;
+ proxy_ignore_headers Set-Cookie;
+ }
+
+ #error_page 404 /404.html;
+
+ # redirect server error pages to the static page /50x.html
+ #
+ #error_page 500 502 503 504 /50x.html;
+ #location = /50x.html {
+ # root /var/www/nginx-default;
+ #}
+ }
+
+ # TODO: HTTPS server
+ #
+ # We need to generate a certificate and investigate
+ # proper settings for ssl_protocols and ssl_ciphers.
+ #
+ #server {
+ # listen 443;
+ # server_name hydra.gnu.org;
+ #
+ # ssl_certificate cert.pem;
+ # ssl_certificate_key cert.key;
+ #
+ # ssl_session_cache shared:SSL:1m;
+ # ssl_session_timeout 5m;
+ #
+ # ssl_ciphers HIGH:!aNULL:!MD5;
+ # ssl_prefer_server_ciphers on;
+ #
+ # access_log /var/log/nginx/hydra.access.log;
+ #
+ # proxy_set_header X-Forwarded-Host $host;
+ # proxy_set_header X-Forwarded-Port $server_port;
+ # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ #
+ # location / {
+ # proxy_pass http://127.0.0.1:3000;
+ # }
+ #}
+}
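Review bot: The pattern in `location ~ /(nix-cache-info|static|logo|favicon\.ico)` is unanchored, so it matches any request URI containing `/static` or `/logo` anywhere in the path. Because regex locations take precedence over the plain `/`, `/api` and `/nar/` prefixes, such requests are handled by the `static` cache block. That block caches 200 responses for 100h with `Set-Cookie` hidden and ignored, so a dynamic or per-user page from the backend whose path happens to match could be stored and served to other clients. Anchoring the pattern, e.g. `location ~ ^/(nix-cache-info|static|logo|favicon\.ico) {`, would keep the cache limited to the intended top-level paths. Separately, `$proxy_add_x_forwarded_for` appends to whatever `X-Forwarded-For` value the client sent, so if the backend uses that header for access decisions or audit logs it should trust only the last entry, or the header could be set with `proxy_set_header X-Forwarded-For $remote_addr;`.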