dpaste/server/nginx.conf

limit_req_zone $binary_remote_addr zone=login:10m rate=2r/s;

upstream app_server {
    server 127.0.0.1:12000 fail_timeout=0;
}

# Combined log with remote:local port logged
log_format combined_port '$remote_addr - $remote_user [$time_local] '
                         '"$request" $status $body_bytes_sent '
                         '"$http_referer" "$http_user_agent" "$remote_port:$server_port"';

# -----------------------------------------------------------------------------
# Redirect all sort of non-ssl (with and without www) to ssl without www
# -----------------------------------------------------------------------------
server {
    listen 80;
    
    server_name     dpaste.de 
                www.dpaste.de
                    dpaste.org
                www.dpaste.org;

    location / {
        rewrite ^ https://$server_name$request_uri? permanent;
    }

    location /.well-known/acme-challenge/ {
        alias /var/www/challenges/;
        try_files $uri =404;
    }
}

# -----------------------------------------------------------------------------
# SSL Hosts
# -----------------------------------------------------------------------------

server {
    listen 443 ssl spdy;

    server_name dpaste.org www.dpaste.org;

    ssl on;
    ssl_certificate /srv/dpaste.de/etc/ssl/dpaste_org_chained.pem;
    ssl_certificate_key /srv/dpaste.de/etc/ssl/dpaste_org.key;
    ssl_dhparam /etc/ssl/dhparam.pem;

    # SSL modern config for modern browsers Pete told me
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
    ssl_stapling on;
    ssl_stapling_verify on;

    add_header Strict-Transport-Security max-age=25200;

    # Redirect to dpaste.de
    location / {
        rewrite  ^/(.*)$  https://dpaste.de/$1 permanent;
    }
}

server {
    listen 443 ssl spdy;

    server_name dpaste.de www.dpaste.de;

    ssl on;
    ssl_certificate /srv/dpaste.de/etc/ssl/dpaste_de_chained.pem;
    ssl_certificate_key /srv/dpaste.de/etc/ssl/dpaste_de.key;
    ssl_dhparam /etc/ssl/dhparam.pem;

    # SSL modern config for modern browsers Pete told me
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
    ssl_stapling on;
    ssl_stapling_verify on;

    add_header Strict-Transport-Security max-age=25200;
    
    # Rewrite www to non-www
    if ($host = www.dpaste.de) {
        rewrite  ^/(.*)$  https://dpaste.de/$1 permanent;
    }

    access_log /srv/dpaste.de/var/nginx.access.log combined_port;
    error_log /srv/dpaste.de/var/nginx.error.log;

    keepalive_timeout 5;
    client_max_body_size 10M;

    location ~ /(favicon.ico|robots.txt) {
        access_log off;
        log_not_found off;
        expires 3d;
    }

    location /webalizer/ {
        alias /srv/dpaste.de/var/webalizer/;
        auth_basic "Restricted";
        auth_basic_user_file /srv/dpaste.de/var/.htpasswd;
    }

    location /static/ {
        alias /srv/dpaste.de/var/static/;
    }

    location / {
        
        limit_req zone=login burst=5;

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_buffering off;
        proxy_pass http://app_server;
        break;
    }
}
Rate limiting; allow 2r/s so we can do a POST and GET of a snippet faster 2014-12-13 08:30:15 +11:00			`limit_req_zone $binary_remote_addr zone=login:10m rate=2r/s;`
Some basic rate limiting 2014-12-13 08:25:43 +11:00
New config files due to server movement 2013-05-27 05:40:16 +10:00			`upstream app_server {`
			`server 127.0.0.1:12000 fail_timeout=0;`
			`}`

Simplified nginx conf. Redirect .org to .de 2014-12-13 06:06:29 +11:00			`# Combined log with remote:local port logged`
			`log_format combined_port '$remote_addr - $remote_user [$time_local] '`
			`'"$request" $status $body_bytes_sent '`
			`'"$http_referer" "$http_user_agent" "$remote_port:$server_port"';`

Added a https www-to-non-www redirect. 2013-06-06 04:44:31 +10:00			`# -----------------------------------------------------------------------------`
			`# Redirect all sort of non-ssl (with and without www) to ssl without www`
			`# -----------------------------------------------------------------------------`
New config files due to server movement 2013-05-27 05:40:16 +10:00			`server {`
			`listen 80;`
Listen on IPv6 2015-10-25 22:28:19 +11:00
Further nginx improvements 2014-12-13 06:16:51 +11:00			`server_name dpaste.de`
			`www.dpaste.de`
			`dpaste.org`
			`www.dpaste.org;`
SSL settings 2013-05-29 08:35:01 +10:00
			`location / {`
			`rewrite ^ https://$server_name$request_uri? permanent;`
			`}`
Updated SSL conf using letsencrypt 2015-12-09 02:12:55 +11:00
			`location /.well-known/acme-challenge/ {`
			`alias /var/www/challenges/;`
			`try_files $uri =404;`
			`}`
SSL server config 2013-05-27 19:26:36 +10:00			`}`
New config files due to server movement 2013-05-27 05:40:16 +10:00
Added a https www-to-non-www redirect. 2013-06-06 04:44:31 +10:00			`# -----------------------------------------------------------------------------`
			`# SSL Hosts`
			`# -----------------------------------------------------------------------------`
Simplified nginx conf. Redirect .org to .de 2014-12-13 06:06:29 +11:00
			`server {`
Further nginx improvements 2014-12-13 06:16:51 +11:00			`listen 443 ssl spdy;`
Listen on IPv6 2015-10-25 22:28:19 +11:00
Simplified nginx conf. Redirect .org to .de 2014-12-13 06:06:29 +11:00			`server_name dpaste.org www.dpaste.org;`

Updated SSL conf using letsencrypt 2015-12-09 02:12:55 +11:00			`ssl on;`
			`ssl_certificate /srv/dpaste.de/etc/ssl/dpaste_org_chained.pem;`
			`ssl_certificate_key /srv/dpaste.de/etc/ssl/dpaste_org.key;`
			`ssl_dhparam /etc/ssl/dhparam.pem;`

			`# SSL modern config for modern browsers Pete told me`
			`ssl_prefer_server_ciphers on;`
			`ssl_protocols TLSv1.1 TLSv1.2;`
			ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
			`ssl_stapling on;`
			`ssl_stapling_verify on;`

Simplified nginx conf. Redirect .org to .de 2014-12-13 06:06:29 +11:00			`add_header Strict-Transport-Security max-age=25200;`

			`# Redirect to dpaste.de`
			`location / {`
			`rewrite ^/(.*)$ https://dpaste.de/$1 permanent;`
			`}`
			`}`

SSL server config 2013-05-27 19:26:36 +10:00			`server {`
Further nginx improvements 2014-12-13 06:16:51 +11:00			`listen 443 ssl spdy;`
Listen on IPv6 2015-10-25 22:28:19 +11:00
Listen on all sort of domains 2013-06-06 04:46:55 +10:00			`server_name dpaste.de www.dpaste.de;`
Removed message 2013-05-31 19:47:02 +10:00
Updated SSL conf using letsencrypt 2015-12-09 02:12:55 +11:00			`ssl on;`
			`ssl_certificate /srv/dpaste.de/etc/ssl/dpaste_de_chained.pem;`
			`ssl_certificate_key /srv/dpaste.de/etc/ssl/dpaste_de.key;`
			`ssl_dhparam /etc/ssl/dhparam.pem;`

			`# SSL modern config for modern browsers Pete told me`
Simplified nginx conf. Redirect .org to .de 2014-12-13 06:06:29 +11:00			`ssl_prefer_server_ciphers on;`
Updated SSL conf using letsencrypt 2015-12-09 02:12:55 +11:00			`ssl_protocols TLSv1.1 TLSv1.2;`
			ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
			`ssl_stapling on;`
			`ssl_stapling_verify on;`
New config files due to server movement 2013-05-27 05:40:16 +10:00
Simplified nginx conf. Redirect .org to .de 2014-12-13 06:06:29 +11:00			`add_header Strict-Transport-Security max-age=25200;`

Added a https www-to-non-www redirect. 2013-06-06 04:44:31 +10:00			`# Rewrite www to non-www`
More precise url handling 2013-09-28 05:28:07 +10:00			`if ($host = www.dpaste.de) {`
Added a https www-to-non-www redirect. 2013-06-06 04:44:31 +10:00			`rewrite ^/(.*)$ https://dpaste.de/$1 permanent;`
			`}`

Simplified nginx conf. Redirect .org to .de 2014-12-13 06:06:29 +11:00			`access_log /srv/dpaste.de/var/nginx.access.log combined_port;`
			`error_log /srv/dpaste.de/var/nginx.error.log;`
Added a https www-to-non-www redirect. 2013-06-06 04:44:31 +10:00
Simplified nginx conf. Redirect .org to .de 2014-12-13 06:06:29 +11:00			`keepalive_timeout 5;`
Increased paste size to 10M 2015-11-04 02:49:28 +11:00			`client_max_body_size 10M;`
New config files due to server movement 2013-05-27 05:40:16 +10:00
Do not log favicon/robots GET calls 2014-12-15 09:19:03 +11:00			`location ~ /(favicon.ico\|robots.txt) {`
			`access_log off;`
			`log_not_found off;`
			`expires 3d;`
			`}`

Added webalizer config 2014-12-25 23:56:39 +11:00			`location /webalizer/ {`
			`alias /srv/dpaste.de/var/webalizer/;`
			`auth_basic "Restricted";`
			`auth_basic_user_file /srv/dpaste.de/var/.htpasswd;`
			`}`

Simplified nginx conf. Redirect .org to .de 2014-12-13 06:06:29 +11:00			`location /static/ {`
			`alias /srv/dpaste.de/var/static/;`
Added a https www-to-non-www redirect. 2013-06-06 04:44:31 +10:00			`}`

Simplified nginx conf. Redirect .org to .de 2014-12-13 06:06:29 +11:00			`location / {`
Some basic rate limiting 2014-12-13 08:25:43 +11:00
			`limit_req zone=login burst=5;`

Simplified nginx conf. Redirect .org to .de 2014-12-13 06:06:29 +11:00			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header Host $http_host;`
			`proxy_redirect off;`
			`proxy_buffering off;`
Further nginx improvements 2014-12-13 06:16:51 +11:00			`proxy_pass http://app_server;`
			`break;`
Simplified nginx conf. Redirect .org to .de 2014-12-13 06:06:29 +11:00			`}`
New config files due to server movement 2013-05-27 05:40:16 +10:00			`}`
Simplified nginx conf. Redirect .org to .de 2014-12-13 06:06:29 +11:00