# load_module snippets for installed modules include /etc/nginx/modules-enabled/*.conf; # a very silly syntax rendering bug needs this */ daemon off; user app; worker_processes auto; worker_cpu_affinity auto; pid /run/nginx.pid; env YT_POT_BGUTIL_BASE_URL; events { worker_connections 1024; } http { # Basic settings sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 300; types_hash_max_size 2048; server_tokens off; server_names_hash_bucket_size 64; server_name_in_redirect off; client_body_in_file_only clean; client_body_buffer_size 32K; client_max_body_size 100M; send_timeout 300s; large_client_header_buffers 4 8k; # Mime type handling include /etc/nginx/mime.types; default_type application/octet-stream; # Default security headers add_header X-Frame-Options SAMEORIGIN; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; # Logging log_format host '$remote_addr - $remote_user [$time_local] "[$host] $request" $status $bytes_sent "$http_referer" "$http_user_agent" "$gzip_ratio"'; access_log /dev/stdout; error_log stderr; # GZIP gzip on; gzip_disable "msie6"; gzip_vary on; gzip_proxied any; gzip_comp_level 6; gzip_buffers 16 8k; gzip_http_version 1.1; gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; # Caching proxy requests proxy_cache_lock on; proxy_cache_use_stale updating; # temporary files in shared memory proxy_temp_path /dev/shm/nginx-tmp 1; # change this to /config/cache/nginx for a persistent cache proxy_cache_path /dev/shm/nginx-cache levels=1:2:2 keys_zone=gunicorn:4m inactive=48h max_size=256m min_free=16m; # X-Forwarded-Host (pass-through, or set) map $http_x_forwarded_host $x_forwarded_host { default $http_x_forwarded_host; "" $http_host; } # X-Forwarded-Proto (pass-through, or set) map $http_x_forwarded_proto $x_forwarded_proto { default $http_x_forwarded_proto; "" $scheme; } # Set the default port based on X-Forwarded-Proto map $x_forwarded_proto $default_http_port { default 80; "https" 443; } # Extract the remote port from the HTTP Host header. # Uses default_http_port from above, # when no port was found in the header. map $http_host $x_remote_port { default $default_http_port; "~^[^\:]+:(?

\d+)$" $p; } # X-Forwarded-Port (pass-through, or set) map $http_x_forwarded_port $x_forwarded_port { default $http_x_forwarded_port; "" $x_remote_port; } # Site server { # Ports listen 4848; listen [::]:4848; # Web root root /docs; index index.html; # Proxy proxy_buffers 32 4k; proxy_set_header Connection ""; # Server domain name server_name _; # Authentication and proxying location / { proxy_pass http://127.0.0.1:8080; proxy_set_header Host localhost:$proxy_port; proxy_set_header X-Forwarded-Host $x_forwarded_host; proxy_set_header X-Forwarded-Port $x_forwarded_port; proxy_set_header X-Forwarded-Proto $x_forwarded_proto; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Real-IP $remote_addr; proxy_redirect off; # this read timeout should be lower than gunicorn's timeout proxy_read_timeout 89s; proxy_connect_timeout 10s; # cache long running web requests proxy_cache gunicorn; proxy_cache_lock_timeout 88s; } # File dwnload and streaming location /media-data/ { internal; alias /downloads/; } } # Proof-of-Origin Token Server include /etc/nginx/token_server.conf; }