# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples. ssl_dhparam /etc/nginx/dhparam.pem; resolver 185.110.149.2 185.110.148.2; # Yoda! server { listen 80 default_server; listen [::]:80 default_server; root /var/www/html; # Add index.php to the list if you are using PHP index index.html index.htm index.nginx-debian.html; add_header Strict-Transport-Security max-age=15768000; server_name yoda.tg16.gathering.org; location /display { allow 185.110.148.24; allow 2a06:5841:1337::24; allow 185.110.148.25; allow 2a06:5841:1337::25; allow 185.110.148.26; allow 2a06:5841:1337::26; allow 2a06:5841:150a::/64; allow 185.110.150.0/25; deny all; } #location / { # return 301 https://$host$request_uri; #} } # Munin server { listen 80; listen [::]:80; access_log /var/log/nginx/munin.tg16.gathering.org_ssl_access.log; error_log /var/log/nginx/munin.tg16.gathering.org_ssl_error.log error; root /var/www/html; server_name munin.tg16.gathering.org; allow 185.110.150.0/25; allow 2a06:5841:150a::/64; allow 185.110.149.0/26; allow 2a06:5841:149a::/64; allow 185.110.148.0/26; allow 2a06:5841:1337::/64; allow 185.110.151.0/27; allow 2a06:5841:151a::/64; deny all; location ^~ /munin-cgi/munin-cgi-graph/ { fastcgi_split_path_info ^(/munin-cgi/munin-cgi-graph)(.*); fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_pass unix:/var/run/munin/fastcgi-graph.sock; include fastcgi_params; } location /munin/static/ { alias /etc/munin/static/; } location /munin/ { fastcgi_split_path_info ^(/munin)(.*); fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_pass unix:/var/run/munin/fastcgi-html.sock; include fastcgi_params; rewrite ^/munin/(.*.png)$ /munin-cgi/munin-cgi-graph/$1; } location = / { return 301 $scheme://$server_name/munin/; } } # Yoda! server { listen 443 ssl http2; listen [::]:443 ssl http2; access_log /var/log/nginx/yoda.tg16.gathering.org_ssl_access.log; error_log /var/log/nginx/yoda.tg16.gathering.org_ssl_error.log error; server_name yoda.tg16.gathering.org; add_header Strict-Transport-Security max-age=0; add_header Public-Key-Pins 'pin-sha256="47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="; pin-sha256="DqEaRBrMacYurT/HXzsxYONYXAyhWRgNa3/+g3920uQ="; max-age=5184000; includeSubDomains'; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:!CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; ssl_prefer_server_ciphers on; ssl_certificate /root/le/prodcerts/yoda.prod.pem; ssl_certificate_key /root/le/keys/domain.key; ssl_session_timeout 5m; ssl_session_cache shared:SSL:50m; client_max_body_size 10m; ssl_stapling on; ssl_stapling_verify on; root /var/www/html; index index.pl index.html; location ~ \.pl|cgi$ { try_files $uri =404; gzip off; fastcgi_pass 127.0.0.1:8999; fastcgi_index index.pl; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; } location / { try_files $uri $uri/ =404; } } # Webcam server { listen 443 ssl http2; listen [::]:443 ssl http2; access_log /var/log/nginx/webcam.tg16.gathering.org_ssl_access.log; error_log /var/log/nginx/webcam.tg16.gathering.org_ssl_error.log error; server_name webcam.tg16.gathering.org webcams.tg16.gathering.org; add_header Strict-Transport-Security max-age=0; add_header Public-Key-Pins 'pin-sha256="47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="; pin-sha256="DqEaRBrMacYurT/HXzsxYONYXAyhWRgNa3/+g3920uQ="; max-age=5184000; includeSubDomains'; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:!CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; ssl_prefer_server_ciphers on; ssl_certificate /root/le/prodcerts/yoda.prod.pem; ssl_certificate_key /root/le/keys/domain.key; ssl_session_timeout 5m; ssl_session_cache shared:SSL:50m; client_max_body_size 10m; ssl_stapling on; ssl_stapling_verify on; root /var/www/webcam; location / { return 301 http://stream.tg16.gathering.org/; #try_files $uri $uri/ =404; } } # Stream server { listen 443 ssl http2; listen [::]:443 ssl http2; access_log /var/log/nginx/stream.tg16.gathering.org_ssl_access.log; error_log /var/log/nginx/stream.tg16.gathering.org_ssl_error.log error; server_name stream.tg16.gathering.org streams.tg16.gathering.org; #add_header Strict-Transport-Security max-age=15768000; add_header Strict-Transport-Security max-age=0; #add_header Public-Key-Pins 'pin-sha256="47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="; pin-sha256="DqEaRBrMacYurT/HXzsxYONYXAyhWRgNa3/+g3920uQ="; max-age=5184000; includeSubDomains'; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:!CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; ssl_prefer_server_ciphers on; ssl_certificate /root/le/prodcerts/yoda.prod.pem; ssl_certificate_key /root/le/keys/domain.key; ssl_session_timeout 5m; ssl_session_cache shared:SSL:50m; client_max_body_size 10m; ssl_stapling on; ssl_stapling_verify on; root /var/www/stream/; index index.pl index.html; location /hls { types { #application/vnd.apple.mpegurl m3u8; application/x-mpegURL m3u8; video/mp2t ts; text/html htm; } root /var/www/; add_header Cache-Control no-cache; } location /stat { allow 185.110.150.0/25; allow 2a06:5841:150a::/64; allow 185.110.149.0/26; allow 2a06:5841:149a::/64; allow 185.110.148.0/26; allow 2a06:5841:1337::/64; allow 185.110.151.0/27; allow 2a06:5841:151a::/64; deny all; rtmp_stat all; rtmp_stat_stylesheet /stat.xsl; } location /stat.xsl { allow 185.110.150.0/25; allow 2a06:5841:150a::/64; allow 185.110.149.0/26; allow 2a06:5841:149a::/64; allow 185.110.148.0/26; allow 2a06:5841:1337::/64; allow 185.110.151.0/27; allow 2a06:5841:151a::/64; deny all; } location ~ \.pl|cgi$ { try_files $uri =404; gzip off; fastcgi_pass 127.0.0.1:8999; fastcgi_index index.pl; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; } location / { return 301 http://$host$request_uri; #try_files $uri $uri/ =404; } } # Stream server { listen 80; listen [::]:80; access_log /var/log/nginx/stream.tg16.gathering.org_access.log; error_log /var/log/nginx/stream.tg16.gathering.org_error.log error; server_name stream.tg16.gathering.org streams.tg16.gathering.org; add_header Strict-Transport-Security max-age=0; client_max_body_size 10m; root /var/www/stream/; # index index.pl index.html; index index.pl index.py index.html; location /hls { types { #application/vnd.apple.mpegurl m3u8; application/x-mpegURL m3u8; video/mp2t ts; text/html htm; } root /var/www/; add_header Cache-Control no-cache; } location /stat { allow 185.110.150.0/25; allow 2a06:5841:150a::/64; allow 185.110.149.0/26; allow 2a06:5841:149a::/64; allow 185.110.148.0/26; allow 2a06:5841:1337::/64; allow 185.110.151.0/27; allow 2a06:5841:151a::/64; deny all; rtmp_stat all; rtmp_stat_stylesheet /stat.xsl; } location /stat.xsl { allow 185.110.150.0/25; allow 2a06:5841:150a::/64; allow 185.110.149.0/26; allow 2a06:5841:149a::/64; allow 185.110.148.0/26; allow 2a06:5841:1337::/64; allow 185.110.151.0/27; allow 2a06:5841:151a::/64; deny all; } location ~ \.py { try_files $uri =404; fastcgi_pass unix:/tmp/index-fcgi.sock; fastcgi_index index.py; fastcgi_param PATH_INFO $fastcgi_path_info; include fastcgi_params; } location ~ \.pl|cgi$ { try_files $uri =404; gzip off; fastcgi_pass 127.0.0.1:8999; fastcgi_index index.pl; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; } location / { try_files $uri $uri/ =404; } } # NMS-backend upstream nms { server obi-wan.tg16.gathering.org; keepalive 32; } # NMS server { listen 443 ssl http2; listen [::]:443 ssl http2; access_log /var/log/nginx/nms.tg16.gathering.org_ssl_access.log; error_log /var/log/nginx/nms.tg16.gathering.org_ssl_error.log error; server_name nms.tg16.gathering.org nms-public.tg16.gathering.org nms-api.tg16.gathering.org nms4.tg16.gathering.org nms6.tg16.gathering.org; add_header Strict-Transport-Security max-age=15768000; add_header Public-Key-Pins 'pin-sha256="47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="; pin-sha256="DqEaRBrMacYurT/HXzsxYONYXAyhWRgNa3/+g3920uQ="; max-age=5184000; includeSubDomains'; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:!CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; ssl_prefer_server_ciphers on; ssl_certificate /root/le/prodcerts/yoda.prod.pem; ssl_certificate_key /root/le/keys/domain.key; ssl_session_timeout 5m; ssl_session_cache shared:SSL:50m; client_max_body_size 10m; ssl_stapling on; ssl_stapling_verify on; location / { proxy_set_header Host $host; proxy_set_header X-Forwarded-For $remote_addr; proxy_pass http://nms; proxy_http_version 1.1; proxy_set_header Connection ""; } } # Stats server { listen 443 ssl http2; listen [::]:443 ssl http2; access_log /var/log/nginx/stats.tg16.gathering.org_ssl_access.log; error_log /var/log/nginx/stats.tg16.gathering.org_ssl_error.log error; server_name stats.tg16.gathering.org; add_header Strict-Transport-Security max-age=15768000; add_header Public-Key-Pins 'pin-sha256="47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="; pin-sha256="DqEaRBrMacYurT/HXzsxYONYXAyhWRgNa3/+g3920uQ="; max-age=5184000; includeSubDomains'; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:!CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; ssl_prefer_server_ciphers on; ssl_certificate /root/le/prodcerts/yoda.prod.pem; ssl_certificate_key /root/le/keys/domain.key; ssl_session_timeout 5m; ssl_session_cache shared:SSL:50m; client_max_body_size 10m; ssl_stapling on; ssl_stapling_verify on; root /var/www/stats; location / { try_files $uri $uri/ =404; } }