mort-nginx.config

user www-data;
worker_processes 1;
pid /run/nginx.pid;

http {
    ##
    # Basic Settings
    ##
    client_max_body_size 100m;
    large_client_header_buffers  100 8k;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 20;
    keepalive_requests 200;
    types_hash_max_size 2048;
    server_tokens off;

    default_type application/octet-stream;

    ##
    # SSL Settings
    ##

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##


    log_format main '$remote_addr|$remote_port - $remote_user [$time_local] - $http_host '
    '"$request" $status $body_bytes_sent '
    '"$http_referer" "$http_user_agent" '
    '[$bytes_sent::$request_time cache=$upstream_cache_status] '
    '[rtt=$tcpinfo_rtt rttvar=$tcpinfo_rttvar snd_cwnd=$tcpinfo_snd_cwnd rcv_space=$tcpinfo_rcv_space] '
    '[$connection $connection_requests] '
    '[scheme=$scheme]';


    access_log /var/log/nginx/access.log main;
    error_log /var/log/nginx/error.log;
    ##
    # Proxy buffer
    ##

    proxy_buffer_size   128k;
    proxy_buffers   6 256k;
    proxy_busy_buffers_size   256k;


    ##
    # Proxy cache
    ##

    proxy_cache_path  /cache/static levels=1:2 keys_zone=static:50m max_size=291m inactive=10d;
    proxy_temp_path /var/tmp;
    proxy_cache_path /cache/dynamic levels=1:2 keys_zone=dynamic:50m max_size=73m inactive=5d;

    ##
    # Gzip Settings
    ##

    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_min_length  1000;
    gzip_proxied     expired no-cache no-store private auth;
    gzip_comp_level 4;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript text/html;

    ##
    # Brotli Settings
    ##

    brotli on;
    brotli_types text/plain text/css application/json application/javascript application/x-javascript text/javascript text/html;
    brotli_comp_level 4;
    brotli_min_length  1000;

    ##
    # Mort settings
    ##


    upstream mort {
        server unix:/var/run/mort/mort.sock;
        server 127.0.0.1:8080 backup;
    }

    upstream mort-monitoring {
        server 127.0.0.1:8081;
    }


    ##
    # server configuration
    ##
    server {
        server_name mort;

        root /var/www/mort/public/;

        # bind for all interfaces
        listen 80;
        listen 127.0.0.1:80;
        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        # SSL config
        ssl_certificate   /etc/nginx/ssl/mort/mort.pem;
        ssl_certificate_key    /etc/nginx/ssl/mort/private-mort.pem;
        ssl_trusted_certificate /etc/nginx/ssl/mort/full-chain.mort.pem;
        ssl_session_timeout 5m;
        ssl_session_cache shared:SSL:50m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/nginx/ssl/dhparam.pem;
        ssl_stapling on;
        ssl_stapling_verify on;

        # max body size
        client_max_body_size 1g;

        # set default variables
        set $no_cache 0;
        set $bypass_cache 0;
        set $content_encoding "0";

        # size of Range requests. For that you need nginx with slice module enabled. You can use for example
        # http://repo.mkaciuba.pl/nginx-extras-amd64-1.13.11.deb
        slice 5m;

        # check if client can handle gzip
        if ($http_accept_encoding ~* "gzip") {
           set $content_encoding "$content_encoding-1";
        }

        # check if client can handle brotli
        if ($http_accept_encoding ~* "br") {
           set $content_encoding "$content_encoding-2";
        }

         # don't cache/server from cache response when Authorization header present. Useful for S3 upload, head etc
         if ($http_authorization) {
           set $no_cache "1";
           set $bypass_cache "1";
        }

        # when signed url don't use cache
        if ($arg_x_amz_signature) {
           set $no_cache "1";
           set $bypass_cache "1";
        }

        # cache bucket
        proxy_cache static;

        proxy_http_version 1.1;

        proxy_connect_timeout 100ms;
        proxy_read_timeout 60s;
        proxy_send_timeout 120s;
        proxy_cache_bypass $bypass_cache;
        proxy_no_cache $no_cache;

        proxy_cache_lock on;
        proxy_cache_lock_age 5s;
        proxy_cache_lock_timeout 10s;

        proxy_cache_revalidate on;
        proxy_cache_methods GET HEAD;

        # use for caching only that query string argument that can change image
        proxy_cache_key "$request_method!mort.mkaciuba.com!$uri!$arg_operation!$arg_angle!$arg_sigma!$arg_grayscale!$arg_width!$arg_height!$arg_gravity!$arg_position!$arg_format!$arg_image!$arg_sigma!$content_encoding!$slice_range";
        proxy_cache_use_stale  updating  error timeout invalid_header http_502 http_503 http_504;
        proxy_cache_background_update on;
        proxy_cache_convert_head off;

        proxy_set_header Host 'mort.mkaciuba.com';
        proxy_set_header X-Origin-Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Range $slice_range;
        proxy_set_header X-Origin-Method $request_method;

        proxy_cache_purge PURGE from 127.0.0.0/8;

        # location for prometheus metrics
        location /metrics  {
            allow 192.168.1.0/24;
            deny all;

            proxy_pass http://mort-monitoring;
        }

        location / {
            proxy_pass http://mort;
        }

    }
}