setup/start/nginx/nginx.conf

user www-data;

worker_processes  1;

pid /run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    # the collectd config depends on this log format
    log_format combined2 '$remote_addr - [$time_local] '
        '"$request" $status $body_bytes_sent $request_time '
        '"$http_referer" "$host" "$http_user_agent"';

    # required for long host names
    server_names_hash_bucket_size 128;

    access_log /var/log/nginx/access.log combined2;

    sendfile        on;

    # timeout for client to finish sending headers
    client_header_timeout 30s;

    # timeout for reading client request body (successive read timeout and not whole body!)
    client_body_timeout 60s;

    # keep-alive connections timeout in 65s. this is because many browsers timeout in 60 seconds
    keepalive_timeout  65s;

    # zones for rate limiting
    limit_req_zone $binary_remote_addr zone=admin_login:10m rate=10r/s; # 10 request a second


    # default http server that returns 404 for any domain we are not listening on
    server {
        listen      80 default_server;
        listen      [::]:80 default_server;
        server_name does_not_match_anything;

        # acme challenges (for app installation and re-configure when the vhost config does not exist)
        location /.well-known/acme-challenge/ {
            default_type text/plain;
            alias /home/yellowtent/platformdata/acme/;
        }

        location / {
            return 404;
        }
    }

    include applications/*.conf;
}
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00			`user www-data;`

			`worker_processes 1;`

			`pid /run/nginx.pid;`

			`events {`
			`worker_connections 1024;`
			`}`

			`http {`
			`include mime.types;`
			`default_type application/octet-stream;`

			`# the collectd config depends on this log format`
			`log_format combined2 '$remote_addr - [$time_local] '`
			`'"$request" $status $body_bytes_sent $request_time '`
log the host in nginx logs 2017-07-21 09:43:44 -07:00			`'"$http_referer" "$host" "$http_user_agent"';`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00
Set server_names_hash_bucket_size e2e tests fail like so when the hostnames are long Thu, 23 Jul 2015 20:40:23 GMT box:apptask test8629 writing config to /home/yellowtent/data/nginx/applications/a3822f18-2f95-4b73-b8e9-2983dfcaae31.conf Thu, 23 Jul 2015 20:40:23 GMT box:shell.js reloadNginx execFile: /usr/bin/sudo -S /home/yellowtent/box/src/scripts/reloadnginx.sh Thu, 23 Jul 2015 20:40:24 GMT box:shell.js reloadNginx (stderr): nginx: [emerg] could not build the server_names_hash, you should increase server_names_hash_bucket_size: 64 Thu, 23 Jul 2015 20:40:24 GMT box:shell.js reloadNginx code: 1, signal: null Thu, 23 Jul 2015 20:40:24 GMT box:apptask test8629 error installing app: Error: Exited with error 1 signal null Thu, 23 Jul 2015 20:40:24 GMT box:apptask test8629 installationState: pending_install progress: 15, Configure nginx ^[[1m^[[31mERROR^[[39m^[[22m Exited with error 1 signal null ^[[1m[ /home/yellowtent/box/src/apptask.js:909:32 ]^[[22m ^[[32mstack: ^[[39m """ Error: Exited with error 1 signal null at ChildProcess.<anonymous> (/home/yellowtent/box/src/shell.js:38:53) at ChildProcess.emit (events.js:110:17) at Process.ChildProcess._handle.onexit (child_process.js:1074:12) """ ^[[32mmessage: ^[[39mExited with error 1 signal null 2015-07-23 13:54:57 -07:00			`# required for long host names`
Fix typo 2015-07-23 14:30:15 -07:00			`server_names_hash_bucket_size 128;`
Set server_names_hash_bucket_size e2e tests fail like so when the hostnames are long Thu, 23 Jul 2015 20:40:23 GMT box:apptask test8629 writing config to /home/yellowtent/data/nginx/applications/a3822f18-2f95-4b73-b8e9-2983dfcaae31.conf Thu, 23 Jul 2015 20:40:23 GMT box:shell.js reloadNginx execFile: /usr/bin/sudo -S /home/yellowtent/box/src/scripts/reloadnginx.sh Thu, 23 Jul 2015 20:40:24 GMT box:shell.js reloadNginx (stderr): nginx: [emerg] could not build the server_names_hash, you should increase server_names_hash_bucket_size: 64 Thu, 23 Jul 2015 20:40:24 GMT box:shell.js reloadNginx code: 1, signal: null Thu, 23 Jul 2015 20:40:24 GMT box:apptask test8629 error installing app: Error: Exited with error 1 signal null Thu, 23 Jul 2015 20:40:24 GMT box:apptask test8629 installationState: pending_install progress: 15, Configure nginx ^[[1m^[[31mERROR^[[39m^[[22m Exited with error 1 signal null ^[[1m[ /home/yellowtent/box/src/apptask.js:909:32 ]^[[22m ^[[32mstack: ^[[39m """ Error: Exited with error 1 signal null at ChildProcess.<anonymous> (/home/yellowtent/box/src/shell.js:38:53) at ChildProcess.emit (events.js:110:17) at Process.ChildProcess._handle.onexit (child_process.js:1074:12) """ ^[[32mmessage: ^[[39mExited with error 1 signal null 2015-07-23 13:54:57 -07:00
Set full path for nginx access log 2017-07-18 21:49:12 -07:00			`access_log /var/log/nginx/access.log combined2;`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00
			`sendfile on;`

set timeouts explicitly 2016-06-01 17:33:04 -07:00			`# timeout for client to finish sending headers`
			`client_header_timeout 30s;`

			`# timeout for reading client request body (successive read timeout and not whole body!)`
			`client_body_timeout 60s;`

document keepalive_timeout 2016-06-01 16:51:52 -07:00			`# keep-alive connections timeout in 65s. this is because many browsers timeout in 60 seconds`
			`keepalive_timeout 65s;`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00
Rate limit nginx routes that verify the password Also remove rate-limit middleware Test using something like: ab -v 1 -n 1000 -c 10 -s 5 -m POST https://my.<doamain>/api/v1/developer/login Part of #187 2017-03-26 23:27:34 -07:00			`# zones for rate limiting`
Fine tune rate limits a bit more 2017-03-29 16:03:08 -07:00			`limit_req_zone $binary_remote_addr zone=admin_login:10m rate=10r/s; # 10 request a second`
Rate limit nginx routes that verify the password Also remove rate-limit middleware Test using something like: ab -v 1 -n 1000 -c 10 -s 5 -m POST https://my.<doamain>/api/v1/developer/login Part of #187 2017-03-26 23:27:34 -07:00
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00
Configure http server to only listen on known vhosts/IP For the rest it returns 404 Fixes #446 2017-10-26 21:50:16 -07:00			`# default http server that returns 404 for any domain we are not listening on`
			`server {`
			`listen 80 default_server;`
			`listen [::]:80 default_server;`
			`server_name does_not_match_anything;`
serve acme directory from nginx 2015-12-08 19:04:48 -08:00
Fix LE cert renewal failures LE contacts the server by hostname and not by IP. This means that when installing and reconfiguring the app it hits the default_server route since nginx configs for the app are not generated at. When doing in the daily cert renew, the nginx configs exist and we are unable to renew the certs. 2017-11-02 11:29:51 -07:00			`# acme challenges (for app installation and re-configure when the vhost config does not exist)`
acme challenges must be answered by default_server The challenge must be answered even before app nginx config is available. 2017-10-28 23:30:12 -07:00			`location /.well-known/acme-challenge/ {`
			`default_type text/plain;`
			`alias /home/yellowtent/platformdata/acme/;`
			`}`

app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00			`location / {`
Configure http server to only listen on known vhosts/IP For the rest it returns 404 Fixes #446 2017-10-26 21:50:16 -07:00			`return 404;`
app.portBindings and newManifest.tcpPorts may be null 2015-07-20 00:09:47 -07:00			`}`
			`}`

			`include applications/*.conf;`
			`}`