limit_req_zone $binary_remote_addr zone=login:10m rate=2r/s; upstream app_server { server 127.0.0.1:12000 fail_timeout=0; } # Combined log with remote:local port logged log_format combined_port '$remote_addr - $remote_user [$time_local] ' '"$request" $status $body_bytes_sent ' '"$http_referer" "$http_user_agent" "$remote_port:$server_port"'; # ----------------------------------------------------------------------------- # Redirect all sort of non-ssl (with and without www) to ssl without www # ----------------------------------------------------------------------------- server { listen 80; server_name dpaste.de www.dpaste.de dpaste.org www.dpaste.org; location / { rewrite ^ https://$server_name$request_uri? permanent; } } # ----------------------------------------------------------------------------- # SSL Hosts # ----------------------------------------------------------------------------- server { listen 443 ssl spdy; server_name dpaste.org www.dpaste.org; ssl_certificate /srv/dpaste.de/var/ssl/dpaste_org_unified.crt; ssl_certificate_key /srv/dpaste.de/var/ssl/dpaste_org.key; add_header Strict-Transport-Security max-age=25200; # Redirect to dpaste.de location / { rewrite ^/(.*)$ https://dpaste.de/$1 permanent; } } server { listen 443 ssl spdy; server_name dpaste.de www.dpaste.de; ssl_certificate /srv/dpaste.de/var/ssl_2015/ssl-unified.crt; ssl_certificate_key /srv/dpaste.de/var/ssl_2015/ssl.key; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers AES256+EECDH:AES256+EDH; ssl_session_cache builtin:1000 shared:SSL:5m; ssl_prefer_server_ciphers on; add_header Strict-Transport-Security max-age=25200; # Rewrite www to non-www if ($host = www.dpaste.de) { rewrite ^/(.*)$ https://dpaste.de/$1 permanent; } access_log /srv/dpaste.de/var/nginx.access.log combined_port; error_log /srv/dpaste.de/var/nginx.error.log; keepalive_timeout 5; client_max_body_size 2M; location ~ /(favicon.ico|robots.txt) { access_log off; log_not_found off; expires 3d; } location /webalizer/ { alias /srv/dpaste.de/var/webalizer/; auth_basic "Restricted"; auth_basic_user_file /srv/dpaste.de/var/.htpasswd; } location /static/ { alias /srv/dpaste.de/var/static/; } location / { limit_req zone=login burst=5; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; proxy_redirect off; proxy_buffering off; proxy_pass http://app_server; break; } }