-
Notifications
You must be signed in to change notification settings - Fork 16
/
nginx-common.conf
109 lines (89 loc) · 3.2 KB
/
nginx-common.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
# use 'listen 80 deferred;' for Linux
# use 'listen 80 accept_filter=httpready;' for FreeBSD
listen {{port}};
client_max_body_size 250M;
keepalive_timeout 5;
# path for static files
root ./public;
# simplify redirect with relative path
absolute_redirect off;
# redirect /en/ locales to english
location ~ ^/en/(.*) {
return 301 /$1;
}
location /api/action/status_show {
auth_basic off;
# health check need a redirect to resolve
proxy_redirect off;
set $backend_servers $internal_url:61443;
proxy_pass https://${backend_servers}${request_uri};
}
location / {
# Protect catalog from expensive API calls
rewrite ^/api/rest/dataset$ /api/action/package_search redirect;
rewrite ^/api/1/rest/dataset$ /api/3/action/package_search redirect;
rewrite ^/api/2/rest/dataset$ /api/3/action/package_search redirect;
rewrite ^/api/action/package_list$ /api/action/package_search redirect;
rewrite ^/api/3/action/package_list$ /api/3/action/package_search redirect;
rewrite ^/api/action/current_package_list_with_resources$ /api/action/package_search redirect;
rewrite ^/api/3/action/current_package_list_with_resources$ /api/3/action/package_search redirect;
rewrite ^/api/3/action/resource_search$ /api/action/package_search redirect;
rewrite ^/api/action/resource_search$ /api/action/package_search redirect;
# checks for static file, if not found proxy to app
try_files $uri @proxy_to_app;
}
location @proxy_to_app {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# proxy_set_header Host $http_host;
# we don't want nginx trying to do something clever with
# redirects, we set the Host: header above already.
proxy_redirect off;
set $backend_servers $internal_url:61443;
proxy_pass https://${backend_servers}${request_uri};
}
location = /robots.txt {
root ./public;
}
# for google search console registration
location = /googlef06939d03de4c107.html {
root ./public;
}
location = /sitemap.xml {
# these values should be replaced by .profile
set $s3_url s3_url_placeholder;
set $s3_bucket s3_bucket_placeholder;
proxy_pass https://${s3_url}/${s3_bucket}/sitemap.xml;
}
location /sitemap {
set $s3_url s3_url_placeholder;
set $s3_bucket s3_bucket_placeholder;
proxy_pass https://${s3_url}/${s3_bucket}$request_uri;
}
proxy_intercept_errors on;
error_page 500 502 504 /500.html;
location = /500.html {
root ./public;
}
# NGINX searches for a URI that starts with /static-assets/ in the ./public/static-assets/ directory
location /static-assets/ {}
# prevent users from accessing: '/dataset/new' route, 'package_create' and 'resource_create' API routes
location ~ ^/(dataset\/new|api\/action\/package_create|api\/action\/resource_create)/?$ {
set $deny {{env "DENY_PACKAGE_CREATE"}};
if ($deny = 'true') {
return 403;
}
try_files $uri @proxy_to_app;
}
# use local path for map tiles so that they
# can be cached by the CDN
location /maptiles {
# only allow requests generated from our apps
valid_referers server_names *.data.gov *.app.cloud.gov;
if ($invalid_referer) {
return 403;
}
rewrite ^/maptiles/(.*)/(.*)/(.*).png$ /$1/$2/$3.png break;
proxy_redirect off;
proxy_pass https://tile.openstreetmap.org/;
}