From b25128c0b976ae74f4bf14cb5cbd8a62cda0d9c0 Mon Sep 17 00:00:00 2001
From: "limin.zhang"
Date: Wed, 4 Jan 2023 14:27:37 +0800
Subject: [PATCH] =?UTF-8?q?2023.01.04=20=E5=A2=9E=E5=8A=A0nginx=E9=85=8D?= =?UTF-8?q?=E7=BD=AE=E6=96=87=E4=BB=B6=E3=80=82?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
nginx/api.conf | 47 +++++++++++++++++++++++++++++++++
nginx/default.conf | 45 ++++++++++++++++++++++++++++++++
nginx/kowl.conf | 58 +++++++++++++++++++++++++++++++++++++++++
nginx/notification.conf | 47 +++++++++++++++++++++++++++++++++
nginx/sns.conf | 47 +++++++++++++++++++++++++++++++++
5 files changed, 244 insertions(+)
create mode 100644 nginx/api.conf
create mode 100644 nginx/default.conf
create mode 100644 nginx/kowl.conf
create mode 100644 nginx/notification.conf
create mode 100644 nginx/sns.conf
diff --git a/nginx/api.conf b/nginx/api.conf
new file mode 100644
index 0000000..ce456ad
--- /dev/null
+++ b/nginx/api.conf
@@ -0,0 +1,47 @@
+upstream api {
+ server 172.20.24.171:9000;
+}
+
+server {
+ listen 80;
+ server_name api.prd.eveus.com;
+
+ # SSL is enabled forcefully
+ location / {
+ rewrite ^(.*)$ https://$host$1 permanent;
+ }
+}
+
+server {
+ listen 443 ssl;
+ server_name api.prd.eveus.com;
+
+ ssl_certificate /etc/nginx/keys/wild.eveus.com/fullchain.pem;
+ ssl_certificate_key /etc/nginx/keys/wild.eveus.com/privkey.pem;
+ # enable OCSP stapling
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:!aNULL:!MD5:!DSS:!EDH;
+
+
+ location / {
+ # disable any limits to avoid HTTP 413 for large image uploads
+ client_max_body_size 0;
+
+ # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
+ chunked_transfer_encoding on;
+
+ proxy_pass http://api;
+ proxy_set_header SSL_CLIENT_CERT $a$b$c$d$e$f$g$h$i$j$k$l$m$n$o$p$q$r$s$t$u$v$w$x$y$z;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ #proxy_set_header Authorization "";
+ #auth_basic "Access Eveus";
+ #auth_basic_user_file /etc/nginx/keys/htpasswd;
+ }
+}
+
diff --git a/nginx/default.conf b/nginx/default.conf
new file mode 100644
index 0000000..da17c92
--- /dev/null
+++ b/nginx/default.conf
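Review bot: The `ssl_protocols` line in the 443 server of api.conf still enables TLSv1 and TLSv1.1, and the `ssl_ciphers` string admits 3DES and RC4 suites, so deprecated protocols and ciphers remain negotiable on a production hostname; I would narrow it to `ssl_protocols TLSv1.2 TLSv1.3;` and drop the `3DES` and `RC4` entries. The same two lines are repeated in kowl.conf, notification.conf and sns.conf, so a shared include would fix all four at once. In the same `location /`, `proxy_set_header SSL_CLIENT_CERT $a$b$c…$z;` references variables this patch never sets and no `ssl_verify_client` is configured, so unless they are defined elsewhere nginx will probably reject the file with an unknown-variable error; removing the header looks like the right fix. `client_max_body_size 0;` also removes the request-body limit entirely, and its comment about image uploads appears to come from a registry template, so a finite value such as `client_max_body_size 10m;` (sized to the API's real payloads) would be safer; both lines recur in the other three vhosts.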
@@ -0,0 +1,45 @@
+server {
+ listen 80;
+ server_name localhost;
+
+ #access_log /var/log/nginx/host.access.log main;
+
+ location / {
+ proxy_pass http://127.0.0.1:9000;
+ #root /usr/share/nginx/html;
+ #index index.html index.htm;
+ }
+
+ #error_page 404 /404.html;
+
+ # redirect server error pages to the static page /50x.html
+ #
+ error_page 500 502 503 504 /50x.html;
+ location = /50x.html {
+ root /usr/share/nginx/html;
+ }
+
+ # proxy the PHP scripts to Apache listening on 127.0.0.1:80
+ #
+ #location ~ \.php$ {
+ # proxy_pass http://127.0.0.1;
+ #}
+
+ # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
+ #
+ #location ~ \.php$ {
+ # root html;
+ # fastcgi_pass 127.0.0.1:9000;
+ # fastcgi_index index.php;
+ # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
+ # include fastcgi_params;
+ #}
+
+ # deny access to .htaccess files, if Apache's document root
+ # concurs with nginx's one
+ #
+ #location ~ /\.ht {
+ # deny all;
+ #}
+}
+
diff --git a/nginx/kowl.conf b/nginx/kowl.conf
new file mode 100644
index 0000000..d43eba8
--- /dev/null
+++ b/nginx/kowl.conf
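Review bot: No server in this patch is marked `default_server`, so which port-80 block answers a request with an unmatched Host header depends on include order, and the one in default.conf forwards to `http://127.0.0.1:9000` without the HTTPS redirect or the `Host`/`X-Forwarded-*` headers the other vhosts set. If it is only meant for local checks, `listen 127.0.0.1:80;` would keep it off the public interface; otherwise an explicit `listen 80 default_server;` block that does `return 444;` makes the fallback deliberate. The commented-out PHP and `.htaccess` stanzas are stock-template leftovers and could be deleted.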
@@ -0,0 +1,58 @@
+upstream kowl {
+ server 172.20.24.171:8080;
+}
+
+server {
+ listen 80;
+ server_name kowl.prd.eveus.com;
+
+ # SSL is enabled forcefully
+ location / {
+ rewrite ^(.*)$ https://$host$1 permanent;
+ }
+}
+
+server {
+ listen 443 ssl;
+ server_name kowl.prd.eveus.com;
+
+ ssl_certificate /etc/nginx/keys/wild.eveus.com/fullchain.pem;
+ ssl_certificate_key /etc/nginx/keys/wild.eveus.com/privkey.pem;
+ # enable OCSP stapling
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:!aNULL:!MD5:!DSS:!EDH;
+
+
+ location ~ /api/topics/(.*)/messages$ {
+ proxy_pass http://kowl;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $host;
+
+
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+
+ location / {
+ # disable any limits to avoid HTTP 413 for large image uploads
+ client_max_body_size 0;
+
+ # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
+ chunked_transfer_encoding on;
+
+ proxy_pass http://kowl;
+ proxy_set_header SSL_CLIENT_CERT $a$b$c$d$e$f$g$h$i$j$k$l$m$n$o$p$q$r$s$t$u$v$w$x$y$z;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ #proxy_set_header Authorization "";
+ #auth_basic "Access Eveus";
+ #auth_basic_user_file /etc/nginx/keys/htpasswd;
+ }
+}
+
diff --git a/nginx/notification.conf b/nginx/notification.conf
new file mode 100644
index 0000000..d636ded
--- /dev/null
+++ b/nginx/notification.conf
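Review bot: Both `location` blocks in kowl.conf forward to the upstream with the `auth_basic` lines left commented out, so nginx applies no access control in front of a console whose `/api/topics/.../messages` endpoint appears to serve topic message contents. Unless Kowl enforces its own login or the hostname is reachable only from a trusted network, I would enable `auth_basic "Access Eveus";` and `auth_basic_user_file /etc/nginx/keys/htpasswd;` at server level so both locations inherit them, or add an `allow`/`deny` list. The regex location is also unanchored at the start and omits the `X-Real-IP` and `X-Forwarded-Proto` headers that `location /` sets; anchoring it with `^` and sending the same header set would keep the two paths consistent.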
@@ -0,0 +1,47 @@
+upstream notification {
+ server 172.20.24.171:9006;
+}
+
+server {
+ listen 80;
+ server_name notification.prd.eveus.com;
+
+ # SSL is enabled forcefully
+ location / {
+ rewrite ^(.*)$ https://$host$1 permanent;
+ }
+}
+
+server {
+ listen 443 ssl;
+ server_name notification.prd.eveus.com;
+
+ ssl_certificate /etc/nginx/keys/wild.eveus.com/fullchain.pem;
+ ssl_certificate_key /etc/nginx/keys/wild.eveus.com/privkey.pem;
+ # enable OCSP stapling
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:!aNULL:!MD5:!DSS:!EDH;
+
+
+ location / {
+ # disable any limits to avoid HTTP 413 for large image uploads
+ client_max_body_size 0;
+
+ # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
+ chunked_transfer_encoding on;
+
+ proxy_pass http://notification;
+ proxy_set_header SSL_CLIENT_CERT $a$b$c$d$e$f$g$h$i$j$k$l$m$n$o$p$q$r$s$t$u$v$w$x$y$z;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ #proxy_set_header Authorization "";
+ #auth_basic "Access Eveus";
+ #auth_basic_user_file /etc/nginx/keys/htpasswd;
+ }
+}
+
diff --git a/nginx/sns.conf b/nginx/sns.conf
new file mode 100644
index 0000000..75d5754
--- /dev/null
+++ b/nginx/sns.conf
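Review bot: The `upstream notification` block points at `172.20.24.171:9006`, the same address and port that `upstream sns` uses in sns.conf, so both hostnames reach one backend. If the two services are distinct, this looks like a copy-paste slip in one of the `server` lines and should be corrected. If they are intentionally the same service, a single server block with `server_name notification.prd.eveus.com sns.prd.eveus.com;` would avoid maintaining two otherwise identical files.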
@@ -0,0 +1,47 @@
+upstream sns {
+ server 172.20.24.171:9006;
+}
+
+server {
+ listen 80;
+ server_name sns.prd.eveus.com;
+
+ # SSL is enabled forcefully
+ location / {
+ rewrite ^(.*)$ https://$host$1 permanent;
+ }
+}
+
+server {
+ listen 443 ssl;
+ server_name sns.prd.eveus.com;
+
+ ssl_certificate /etc/nginx/keys/wild.eveus.com/fullchain.pem;
+ ssl_certificate_key /etc/nginx/keys/wild.eveus.com/privkey.pem;
+ # enable OCSP stapling
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:!aNULL:!MD5:!DSS:!EDH;
+
+
+ location / {
+ # disable any limits to avoid HTTP 413 for large image uploads
+ client_max_body_size 0;
+
+ # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
+ chunked_transfer_encoding on;
+
+ proxy_pass http://sns;
+ proxy_set_header SSL_CLIENT_CERT $a$b$c$d$e$f$g$h$i$j$k$l$m$n$o$p$q$r$s$t$u$v$w$x$y$z;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ #proxy_set_header Authorization "";
+ #auth_basic "Access Eveus";
+ #auth_basic_user_file /etc/nginx/keys/htpasswd;
+ }
+}
+