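### Rozhuk Ivan 2009.04 - 2012
### nginx configuration file
###
### Two virtual servers are defined below:
###   *:80    - static web server rooted at /usr/local/www/
###   *:8080  - caching, filtering forward HTTP proxy for local networks

user www www;
daemon on;
worker_processes 2;
worker_priority 0;
pid /var/run/nginx.pid;
master_process on;
timer_resolution 100ms;
pcre_jit on;

# [ debug | info | notice | warn | error | crit ]
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;


events {
    worker_connections 65535;
    # use [ kqueue | rtsig | epoll | /dev/poll | select | poll ];
    use kqueue;
    accept_mutex on;
    accept_mutex_delay 100ms;
    multi_accept on;
}


http {
    include mime.types;
    #default_type application/octet-stream;
    uninitialized_variable_warn on;

    # proxy_pass in the proxy server uses a variable, so upstream names are
    # resolved at run time through this resolver.
    resolver 127.0.0.1;
    resolver_timeout 8s;

    sendfile on;
    sendfile_max_chunk 0;
    aio sendfile;
    read_ahead 4m;
    directio off;
    tcp_nopush on;
    tcp_nodelay on;
    send_lowat 0;
    keepalive_timeout 65 60;
    send_timeout 60m;
    reset_timedout_connection on;

    # GZip module
    gzip off;
    gzip_min_length 256;
    gzip_comp_level 9;
    gzip_types text/css text/xml application/x-javascript
        application/atom+xml application/rss+xml text/mathml text/plain
        text/vnd.sun.j2me.app-descriptor text/vnd.wap.wml text/x-component
        image/vnd.wap.wbmp image/x-icon image/svg+xml
        application/java-archive application/msword application/pdf
        application/postscript application/rtf application/vnd.ms-excel
        application/vnd.ms-powerpoint application/vnd.wap.wmlc
        application/vnd.wap.xhtml+xml application/x-shockwave-flash
        application/x-x509-ca-cert application/octet-stream audio/midi;
    gzip_http_version 1.1;
    gzip_proxied off;
    gzip_vary off;
    ##gzip_static off;
    #gzip_buffers 4 8k;
    #gzip_disable regex [regex ...];

    # SSI module
    ssi off;
    ssi_silent_errors off;
    ###ssi_types text/html;


    # ------------------------------------------------------------------
    # Static web server
    # ------------------------------------------------------------------
    server {
        listen *:80 default_server rcvbuf=4k sndbuf=64k accept_filter=httpready;
        server_name "";
        index index.html index.htm index.cgi index.php default.htm default.html;
        root /usr/local/www/;
        access_log off;

        # deny access to .htaccess, .htpasswd files
        location ~* /\.ht {
            deny all;
        }

        # deny access to protected files
        location ~* \.(engine|inc|info|install|module|profile|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template)$ {
            deny all;
        }

        # deny access to phpMyAdmin lib files
        location ~* /phpMyAdmin/libraries/ {
            deny all;
        }

        # server stat
        # The ACL is address based. The proxy server below runs on this same
        # host, so requests it forwards arrive from a local address; see the
        # note at its proxy_pass.
        location ^~ /status {
            stub_status on;
            access_log off;
            allow 10.0.0.0/8;
            allow 127.0.0.0/8;
            allow 169.254.0.0/16;
            allow 172.16.0.0/12;
            allow 192.168.0.0/16;
            deny all;
        }

        # serve static files directly
        location ~* ^.+\.(jpg|jpeg|gif|css|png|js|ico)$ {
            access_log off;
            expires 30d;
            # Disabled: the header name was written with a trailing colon
            # ("Last-Modified:"), which puts a malformed header field on the
            # wire. nginx already sends Last-Modified from the file's mtime
            # for static files, which is also what conditional requests need.
            #add_header Last-Modified: $date_gmt;
        }

        # redirect server error pages to the static page /50x.html
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /usr/local/www/nginx-dist;
        }
    }


    # ------------------------------------------------------------------
    # Forward proxy: filter lists
    # ------------------------------------------------------------------
    # squid %)
    # Each map yields a non-empty value when the key matches an entry in the
    # included list; the values themselves live in the .acl files.
    map $host $host_av_white_listed {
        hostnames;
        #include proxy/av_dom_whitelist.acl;
    }
    map $host $host_av_black_listed {
        hostnames;
        include proxy/av_dom_blocked.acl;
    }
    map $host $host_adv_white_listed {
        hostnames;
        include proxy/adv_dom_whitelist.acl;
    }
    map $host $host_adv_black_listed {
        hostnames;
        include proxy/adv_dom_blocked.acl;
        include proxy/adv_dom_re_blocked.acl;
    }
    map $uri $uri_adv_black_listed {
        include proxy/adv_url_blocked.acl;
    }
    map $host$uri$is_args$args $uri_custom_blocked {
        include proxy/cust_url_blocked.acl;
    }

    proxy_cache_path /var/nginx/proxy/cache levels=1:2 keys_zone=www_cache:256m
        inactive=365d max_size=16G loader_files=128;

    log_format proxy_full_log '$remote_addr - $remote_user [$time_local] "$http_host" "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';


    # ------------------------------------------------------------------
    # Forward proxy
    # ------------------------------------------------------------------
    server {
        listen 0.0.0.0:8080 default_server rcvbuf=16k sndbuf=64k accept_filter=httpready so_keepalive=30m::10;
        listen [::]:8080 default_server rcvbuf=16k sndbuf=64k accept_filter=httpready so_keepalive=30m::10 ipv6only=on;

        # Allow proxy only for local nets.
        # Only IPv4 ranges are listed, so clients on the IPv6 listener fall
        # through to "deny all".
        allow 10.0.0.0/8;
        allow 127.0.0.0/8;
        allow 169.254.0.0/16;
        allow 172.16.0.0/12;
        allow 192.168.0.0/16;
        deny all;

        # Log
        # NOTE(review): with access logging off there is no record of which
        # client requested what through the proxy; the commented
        # proxy_full_log line below provides an audit trail if one is needed.
        access_log off;
        #access_log /dev/stdout proxy_full_log;
        #error_log /dev/stdout info;

        # Timeouts settings.
        ## client
        keepalive_timeout 75s;
        client_header_timeout 8s;
        client_body_timeout 30s;
        send_timeout 8s;
        reset_timedout_connection on;
        ## server
        proxy_connect_timeout 10s;
        proxy_send_timeout 30s;
        proxy_read_timeout 5m;

        #proxy_bind 0.0.0.0;
        #proxy_bind 2001:470:1f14:8e::2;
        #proxy_method
        #proxy_send_lowat on;
        send_lowat 1460;
        lingering_close on;
        lingering_time 8s;
        lingering_timeout 4s;
        postpone_output 0;
        tcp_nodelay on;
        tcp_nopush on;

        # Request headers tuning
        merge_slashes on;
        ignore_invalid_headers on;
        underscores_in_headers off;
        proxy_http_version 1.1;
        proxy_pass_request_headers on;
        proxy_set_header Host $http_host;
        #proxy_set_header Connection close;
        ## filter some headers
        proxy_set_header Accept */*;
        proxy_set_header Accept-Language "";
        proxy_set_header Accept-Charset "";
        proxy_set_header Proxy-Connection "";
        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_pass_request_body on; # for off: proxy_set_header Content-Length 0;
        #proxy_set_body

        # Reply headers tuning
        chunked_transfer_encoding off;
        msie_padding off;
        msie_refresh off;
        server_name_in_redirect off;
        # NOTE(review): "on" exposes the nginx version on pages this proxy
        # generates itself; "off" is the usual hardening choice.
        server_tokens on;
        proxy_ignore_headers X-Accel-Buffering X-Accel-Expires X-Accel-Limit-Rate X-Accel-Redirect;
        proxy_pass_header Date;
        proxy_pass_header Server;
        #proxy_hide_header
        proxy_redirect off;
        proxy_cookie_domain off;
        proxy_cookie_path off;

        # Buffers
        ## client
        client_body_buffer_size 16k;
        client_body_in_file_only off;
        client_body_in_single_buffer off;
        client_header_buffer_size 16k;
        large_client_header_buffers 4 16k;
        client_max_body_size 1m;
        ## server
        proxy_buffering on;
        proxy_buffers 4 64k;
        #proxy_buffer_size 8k;

        # Cache
        proxy_cache www_cache; #off;
        # proxy_store off;
        proxy_cache_methods GET;
        # Bypass the cache for HEAD requests; otherwise the entire file is
        # loaded into the cache.
        # $nocache is initialised first so that non-HEAD requests do not read
        # an unset variable (uninitialized_variable_warn is on above).
        set $nocache "";
        if ($request_method = HEAD) {
            set $nocache 1;
        }
        # NOTE(review): only Authorization keeps a request out of this shared
        # cache. Responses to requests that carry cookies can still be stored
        # for the fallback times below when the origin sends no caching
        # headers; consider adding $http_cookie to both directives.
        proxy_cache_bypass $http_authorization $nocache;
        proxy_no_cache $http_authorization $nocache;
        proxy_cache_key $scheme$http_host$uri$is_args$args;
        proxy_cache_lock on;
        proxy_cache_lock_timeout 30s;
        proxy_cache_min_uses 1;
        proxy_cache_use_stale off;
        proxy_cache_valid 5m; # Cache time for: 200, 301, 302 if no "Expires" / "Cache-Control" in headers
        proxy_cache_valid any 8s;
        if_modified_since before; # off/exact/before

        # Buffering + cache
        proxy_temp_path /var/nginx/proxy/temp;
        proxy_max_temp_file_size 0; # off
        proxy_temp_file_write_size 64k;
        open_file_cache off;

        # Error handling
        # 599/598/597 are private status codes used only to route filtered
        # requests to the substitute responses defined below.
        proxy_ignore_client_abort off;
        proxy_next_upstream error timeout;
        proxy_intercept_errors on;
        recursive_error_pages on;
        error_page 599 = @return_filtered;
        error_page 598 = @empty_img;
        error_page 597 = /empty.mpeg;
        root /usr/local/www/;

        set $abc $host$uri$is_args$args;

        location / {
            # ivi adv filter for samsung
            if ($abc ~* "dfs\.digitalaccess\.ru\/mp4-..\/.*\/f36\.vcp\.digitalaccess\.ru\/.*\.mp4$") {
                #return 444;
                #return 598;
                return http://172.16.0.254/empty.mpeg;
            }

            if ($uri_custom_blocked) {
                return 599;
            }

            # A whitelist hit clears the matching blacklist result before it
            # is tested.
            if ($host_av_white_listed) {
                set $host_av_black_listed "";
            }
            if ($host_av_black_listed) {
                return 599;
            }

            if ($host_adv_white_listed) {
                set $host_adv_black_listed "";
                set $uri_adv_black_listed "";
            }
            if ($host_adv_black_listed) {
                return 599;
            }
            if ($uri_adv_black_listed) {
                return 599;
            }

            # NOTE(review): the filter maps are keyed on $host, while the
            # upstream (and the cache key) come from $http_host. nginx takes
            # $host from the request line first and the Host header second,
            # so the two can name different hosts; evaluating the lists and
            # choosing the destination from the same value keeps the filter
            # authoritative - confirm.
            # NOTE(review): upstream connections are made from this host, so
            # address-based ACLs on local services (e.g. /status on :80) see
            # the proxy rather than the client. Consider excluding loopback
            # and this host's own addresses as destinations, via the block
            # lists or a host firewall.
            proxy_pass http://$http_host;
            #proxy_pass http://$host$uri;
            #proxy_pass http://$host:$proxy_port;
            #proxy_pass http://$request;
        }

        # Filtered request: image URLs get the empty GIF (via 598), anything
        # else gets an empty 200 that must not be cached by the client.
        location @return_filtered {
            internal;
            if ($uri ~* ^.+\.(jpg|jpeg|gif|png)$) {
                return 598;
            }
            expires -1;
            return 200;
        }

        location @empty_img {
            internal;
            expires -1;
            empty_gif;
        }
    }
}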