Author: Pedro Lucas Porcellis <porcellis@eletrotupi.com>
nginx: splitting into reusable modules and sites

This way we can share snippets of configs between different sites, and also can have single virtual hosts for each of the domains hosted inside cirandas, like having the ability to add a certificate for artgravata, or any other domain we might need. It might be useful to throw this into a package so we can install and update automatically.
| 0 nginx/conf.d/cirandas-upstream.conf | 6 ++ nginx/conf.d/http_geoip.conf | 2 nginx/conf.d/http_gzip_static.conf | 1 nginx/conf.d/maintenance.conf | 9 ++++ nginx/conf.d/user-agent-denylist.conf | 4 + nginx/conf.d/web.conf | 44 ++++++++++++++++++++ nginx/http.d/artgravata.com.br.conf | 30 +++++++++++++ nginx/http.d/cirandas.net.conf | 26 +++++++++++ nginx/http.d/metricas.cirandas.net.conf | 14 ++++++ nginx/nginx.conf | 59 +++++++++++++++++++++++++++
diff --git a/nginx/cirandas b/nginx/cirandas
deleted file mode 100644
index a21091945739d2f9e7053117a4e288d93183e9cf..0000000000000000000000000000000000000000
--- a/nginx/cirandas
+++ /dev/null
@@ -1,197 +0,0 @@ -## MAIN ADDRESS wwW REMOVAL -server { - listen 80; -# listen 443 ssl; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - - server_name www.cirandas.net; - rewrite ^ $scheme://cirandas.net$request_uri?; -} - -## CUSTOM DOMAINS WWW REMOVAL -server { - listen 80; - listen 443 ssl; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - - server_name www.bhakta.cirandas.net; - rewrite ^ $scheme://bhakta.cirandas.net$request_uri?; -} -server { - listen 80; - listen 443 ssl; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - - server_name www.redemoinho.coop.br; - rewrite ^ $scheme://redemoinho.coop.br$request_uri?; -} -server { - listen 80; - listen 443 ssl; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - - server_name www.facesdobrasil.org.br; - rewrite ^ $scheme://facesdobrasil.org.br$request_uri?; -} -server { - listen 80; - listen 443 ssl; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - - server_name www.redeprosolidarios.org.br; - rewrite ^ $scheme://redeprosolidarios.org.br$request_uri?; -} -server { - listen 80; - listen 443 ssl; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - - server_name www.eita.org.br; - rewrite ^ $scheme://eita.org.br$request_uri?; -} -server { - listen 80; - listen 443 ssl; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - - server_name www.recantico.com.br; - rewrite ^ $scheme://recantico.com.br$request_uri?; -} -server { - listen 80; - listen 443 ssl; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - - server_name www.dialogoseconvergencias.org; - rewrite ^ $scheme://dialogoseconvergencias.org$request_uri?; -} -server { - listen 80; - listen 443 ssl; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - - server_name www.canore.coop.br; - rewrite ^ $scheme://canore.coop.br$request_uri?; -} -server { - listen 80; - listen 443 ssl; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - - server_name www.unicafes.org.br; - rewrite ^ $scheme://unicafes.org.br$request_uri?; -} -server { - listen 80; - listen 443 ssl; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - - server_name www.artgravata.com.br; - rewrite ^ 
$scheme://artgravata.com.br$request_uri?; -} -server { - listen 80; - listen 443 ssl; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - - server_name www.terramirim.org.br; - rewrite ^ $scheme://terramirim.org.br$request_uri?; -} -server { - listen 80; - listen 443 ssl; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - - server_name www.amabor.org.br; - rewrite ^ $scheme://amabor.org.br$request_uri?; -} -server { - listen 80; - listen 443 ssl; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - - server_name www.serdosertao.coop.br; - rewrite ^ $scheme://serdosertao.coop.br$request_uri?; -} -server { - listen 80; - listen 443 ssl; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - - server_name www.feiradamatacafat.com.br; - rewrite ^ $scheme://feiradamatacafat.com.br$request_uri?; -} - -## REDIRECTS - -upstream cirandas { - server unix:/home/cirandas/run/unicorn.sock; - - keepalive 64; -} - - - -server { - listen 80; - listen 443 ssl default_server; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; - ssl_certificate /etc/ssl/certs/cirandas-net.chained.crt; - ssl_certificate_key /etc/ssl/private/cirandas-net.key; - - server_name bhakta.cirandas.net cirandas.net bhakta.cirandas.net redemoinho.coop.br facesdobrasil.org.br redeprosolidarios.org.br eita.org.br recantico.com.br dialogoseconvergencias.org canore.coop.br unicafes.org.br artgravata.com.br terramirim.org.br amabor.org.br serdosertao.coop.br feiradamatacafat.com.br; - port_in_redirect off; - root /home/cirandas/noosfero-ecosol/public; - - - if (-f $document_root/maintenance.html) { - return 503; - } - error_page 503 @maintenance; - location @maintenance { - rewrite ^(.*)$ /maintenance.html break; - } - - access_log /home/cirandas/log/access.log combined; - error_log /home/cirandas/log/error.log; - - location ~ '.+\.php$' { - return 404; - } - - location ~ '/assets/.+-[^\.]{64}\..+$' { - add_header Cache-Control public; - expires 1y; - try_files $uri @proxy; - } - - location / { - if ($http_user_agent = "") { - return 444; - } - if ($http_user_agent = "-") { 
- return 444; - } - - if ($http_user_agent ~ (SemrushBot|msnbot|Purebot|Baiduspider|Lipperhey|Mail.Ru|scrapbot|MJ12bot|AhrefsBot|YandexBot|BDCbot|MegaIndex|UniLeipzigASV|DotBot|Typhoeus|Bingbot|bingbot|Yandex|Knowledge|PetalBot) ) { - access_log off; - return 444; - } - - try_files index.html $uri @proxy; - } - - location @proxy { - proxy_buffers 4 256k; - proxy_buffer_size 256k; - proxy_busy_buffers_size 256k; - proxy_temp_file_write_size 256k; - - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Host $host; - proxy_pass http://cirandas; - - } -} diff --git a/nginx/cirandas-original.conf b/nginx/cirandas-original.conf new file mode 100644 index 0000000000000000000000000000000000000000..a21091945739d2f9e7053117a4e288d93183e9cf --- /dev/null +++ b/nginx/cirandas-original.conf 
@@ -0,0 +1,197 @@ +## MAIN ADDRESS wwW REMOVAL +server { + listen 80; +# listen 443 ssl; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + + server_name www.cirandas.net; + rewrite ^ $scheme://cirandas.net$request_uri?; +} + +## CUSTOM DOMAINS WWW REMOVAL +server { + listen 80; + listen 443 ssl; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + + server_name www.bhakta.cirandas.net; + rewrite ^ $scheme://bhakta.cirandas.net$request_uri?; +} +server { + listen 80; + listen 443 ssl; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + + server_name www.redemoinho.coop.br; + rewrite ^ $scheme://redemoinho.coop.br$request_uri?; +} +server { + listen 80; + listen 443 ssl; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + + server_name www.facesdobrasil.org.br; + rewrite ^ $scheme://facesdobrasil.org.br$request_uri?; +} +server { + listen 80; + listen 443 ssl; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + + server_name www.redeprosolidarios.org.br; + rewrite ^ $scheme://redeprosolidarios.org.br$request_uri?; +} +server { + listen 80; + listen 443 ssl; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + + server_name www.eita.org.br; + rewrite ^ $scheme://eita.org.br$request_uri?; +} +server { + listen 80; + listen 443 ssl; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + + server_name www.recantico.com.br; + rewrite ^ $scheme://recantico.com.br$request_uri?; +} +server { + listen 80; + listen 443 ssl; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + + server_name www.dialogoseconvergencias.org; + rewrite ^ $scheme://dialogoseconvergencias.org$request_uri?; +} +server { + listen 80; + listen 443 ssl; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + + server_name www.canore.coop.br; + rewrite ^ $scheme://canore.coop.br$request_uri?; +} +server { + listen 80; + listen 443 ssl; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + + server_name www.unicafes.org.br; + rewrite ^ $scheme://unicafes.org.br$request_uri?; +} +server { + listen 80; + listen 443 ssl; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + + server_name www.artgravata.com.br; + rewrite ^ 
$scheme://artgravata.com.br$request_uri?; +} +server { + listen 80; + listen 443 ssl; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + + server_name www.terramirim.org.br; + rewrite ^ $scheme://terramirim.org.br$request_uri?; +} +server { + listen 80; + listen 443 ssl; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + + server_name www.amabor.org.br; + rewrite ^ $scheme://amabor.org.br$request_uri?; +} +server { + listen 80; + listen 443 ssl; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + + server_name www.serdosertao.coop.br; + rewrite ^ $scheme://serdosertao.coop.br$request_uri?; +} +server { + listen 80; + listen 443 ssl; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + + server_name www.feiradamatacafat.com.br; + rewrite ^ $scheme://feiradamatacafat.com.br$request_uri?; +} + +## REDIRECTS + +upstream cirandas { + server unix:/home/cirandas/run/unicorn.sock; + + keepalive 64; +} + + + +server { + listen 80; + listen 443 ssl default_server; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_certificate /etc/ssl/certs/cirandas-net.chained.crt; + ssl_certificate_key /etc/ssl/private/cirandas-net.key; + + server_name bhakta.cirandas.net cirandas.net bhakta.cirandas.net redemoinho.coop.br facesdobrasil.org.br redeprosolidarios.org.br eita.org.br recantico.com.br dialogoseconvergencias.org canore.coop.br unicafes.org.br artgravata.com.br terramirim.org.br amabor.org.br serdosertao.coop.br feiradamatacafat.com.br; + port_in_redirect off; + root /home/cirandas/noosfero-ecosol/public; + + + if (-f $document_root/maintenance.html) { + return 503; + } + error_page 503 @maintenance; + location @maintenance { + rewrite ^(.*)$ /maintenance.html break; + } + + access_log /home/cirandas/log/access.log combined; + error_log /home/cirandas/log/error.log; + + location ~ '.+\.php$' { + return 404; + } + + location ~ '/assets/.+-[^\.]{64}\..+$' { + add_header Cache-Control public; + expires 1y; + try_files $uri @proxy; + } + + location / { + if ($http_user_agent = "") { + return 444; + } + if ($http_user_agent = "-") { 
+ return 444;
+ }
+
+ if ($http_user_agent ~ (SemrushBot|msnbot|Purebot|Baiduspider|Lipperhey|Mail.Ru|scrapbot|MJ12bot|AhrefsBot|YandexBot|BDCbot|MegaIndex|UniLeipzigASV|DotBot|Typhoeus|Bingbot|bingbot|Yandex|Knowledge|PetalBot) ) {
+ access_log off;
+ return 444;
+ }
+
+ try_files index.html $uri @proxy;
+ }
+
+ location @proxy {
+ proxy_buffers 4 256k;
+ proxy_buffer_size 256k;
+ proxy_busy_buffers_size 256k;
+ proxy_temp_file_write_size 256k;
+
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $host;
+ proxy_pass http://cirandas;
+
+ }
+}
diff --git a/nginx/conf.d/cirandas-upstream.conf b/nginx/conf.d/cirandas-upstream.conf
new file mode 100644
index 0000000000000000000000000000000000000000..dfa546e20d86c1333fa94401bc2df941b6c913d7
--- /dev/null
+++ b/nginx/conf.d/cirandas-upstream.conf
@@ -0,0 +1,6 @@
+upstream cirandas {
+ # TODO: Move this into a server-wide configuration
+ server unix:/home/cirandas/run/unicorn.sock;
+
+ keepalive 64;
+}
diff --git a/nginx/conf.d/http_geoip.conf b/nginx/conf.d/http_geoip.conf
new file mode 100644
index 0000000000000000000000000000000000000000..a9f7e7a8c78d940337946e94198e3db96e8eaad8
--- /dev/null
+++ b/nginx/conf.d/http_geoip.conf
@@ -0,0 +1,2 @@
+#geoip_country /srv/geoip/GeoIP.dat;
+#geoip_city /srv/geoip/GeoLiteCity.dat;
diff --git a/nginx/conf.d/http_gzip_static.conf b/nginx/conf.d/http_gzip_static.conf
new file mode 100644
index 0000000000000000000000000000000000000000..a8fc662adc7dd4a5f2114b86c71df3b867cb87bf
--- /dev/null
+++ b/nginx/conf.d/http_gzip_static.conf
@@ -0,0 +1 @@
+gzip_static off;
diff --git a/nginx/conf.d/maintenance.conf b/nginx/conf.d/maintenance.conf
new file mode 100644
index 0000000000000000000000000000000000000000..4ff082d0c476ea264f8a324267069209867d4d5f
--- /dev/null
+++ b/nginx/conf.d/maintenance.conf
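Review bot: `keepalive 64;` in the new upstream block is inert as configured, because nginx only reuses upstream connections when the proxying location also sets `proxy_http_version 1.1;` and `proxy_set_header Connection "";`, and the `@proxy` location in conf.d/web.conf (same commit) sets neither, so every request still opens a fresh connection to the unicorn socket. Either add those two lines next to `proxy_pass http://cirandas;` in web.conf or drop the directive so the config does not promise pooling it cannot deliver. The TODO comment would also be more useful if it said what "server-wide configuration" means here (presumably a per-host socket path), since the socket path is the only site-specific value in the block.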
@@ -0,0 +1,9 @@
+if (-f $document_root/maintenance.html) {
+ return 503;
+}
+
+error_page 503 @maintenance;
+
+location @maintenance {
+ rewrite ^(.*)$ /maintenance.html break;
+}
diff --git a/nginx/conf.d/user-agent-denylist.conf b/nginx/conf.d/user-agent-denylist.conf
new file mode 100644
index 0000000000000000000000000000000000000000..47c62b754157bd471bbac9ca984c22204be268df
--- /dev/null
+++ b/nginx/conf.d/user-agent-denylist.conf
@@ -0,0 +1,4 @@
+if ($http_user_agent ~ (SemrushBot|msnbot|Purebot|Baiduspider|Lipperhey|Mail.Ru|scrapbot|MJ12bot|AhrefsBot|YandexBot|BDCbot|MegaIndex|UniLeipzigASV|DotBot|Typhoeus|Bingbot|bingbot|Yandex|Knowledge|PetalBot)) {
+ access_log off;
+ return 444;
+}
diff --git a/nginx/conf.d/web.conf b/nginx/conf.d/web.conf
new file mode 100644
index 0000000000000000000000000000000000000000..8c96f0699dbf2f432644ab2fde1e28d1e3b80d3a
--- /dev/null
+++ b/nginx/conf.d/web.conf
@@ -0,0 +1,44 @@
+port_in_redirect off;
+root /home/cirandas/noosfero-ecosol/public;
+
+include conf.d/maintenance.conf;
+
+access_log /home/cirandas/log/access.log combined;
+error_log /home/cirandas/log/error.log;
+
+location ~ '.+\.php$' {
+ return 404;
+}
+
+location ~ '/assets/.+-[^\.]{64}\..+$' {
+ add_header Cache-Control public;
+ expires 1y;
+ try_files $uri @proxy;
+}
+
+location / {
+ if ($http_user_agent = "") {
+ return 444;
+ }
+
+ if ($http_user_agent = "-") {
+ return 444;
+ }
+
+ include conf.d/user-agent-denylist.conf;
+
+ try_files index.html $uri @proxy;
+}
+
+location @proxy {
+ proxy_buffers 4 256k;
+ proxy_buffer_size 256k;
+ proxy_busy_buffers_size 256k;
+ proxy_temp_file_write_size 256k;
+
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $host;
+ proxy_pass http://cirandas;
+}
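Review bot: The `~` operator on the first line of user-agent-denylist.conf is a case-sensitive match, which is why the alternation has to carry both `Bingbot` and `bingbot`; `~*` would match case-insensitively and let the duplicate go. `Mail.Ru` also has an unescaped dot, so it matches any character in that position — harmless here, but write it `Mail\.Ru` if the pattern is meant to be exact. Since the file is only included inside `location /` in web.conf, the `/assets/...` location and the `@maintenance` page are not covered by the list; a header such as `# Included from location / in conf.d/web.conf only; asset and maintenance responses bypass this list.` would make that scope visible to the next editor.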
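Review bot: web.conf has no header saying what context it expects, yet it is only valid when included from a `server {}` block, and its ordering matters: `root` must precede `include conf.d/maintenance.conf;` because that snippet tests `$document_root`. A header along the lines of `# Server-body snippet shared by the vhosts in http.d/: include inside server {} only. Sets root before maintenance.conf (which checks $document_root) and proxies everything else to the "cirandas" upstream from conf.d/cirandas-upstream.conf.` would make that contract explicit. The relative `include conf.d/...` paths here resolve against the nginx prefix, while nginx.conf in this commit uses absolute `/etc/nginx/...` paths for the same directory; using one form throughout avoids surprises when the tree is checked with `nginx -t -p <other prefix>`. `proxy_set_header X-Forwarded-For $remote_addr;` discards any client-supplied value, which is a sound choice for an internet-facing edge, but it differs from the `$proxy_add_x_forwarded_for` used in metricas.cirandas.net.conf, so a one-line comment on why would stop someone "fixing" it later.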
diff --git a/nginx/http.d/artgravata.com.br.conf b/nginx/http.d/artgravata.com.br.conf
new file mode 100644
index 0000000000000000000000000000000000000000..ce350e63a4651ab6fa8cc59c5ed5a90dd2f92eda
--- /dev/null
+++ b/nginx/http.d/artgravata.com.br.conf
@@ -0,0 +1,30 @@
+server {
+ listen 80;
+
+ server_name artgravata.com.br;
+ # rewrite ^ $scheme://cirandas.net$request_uri?;
+
+ location ^~ /.well-known {
+ root /var/www;
+ }
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+
+ #include conf.d/web.conf;
+}
+
+server {
+ listen 443 ssl http2;
+ server_name artgravata.com.br;
+
+ ssl_certificate /etc/ssl/uacme/artgravata.com.br/cert.pem;
+ ssl_certificate_key /etc/ssl/uacme/private/artgravata.com.br/key.pem;
+
+ location ^~ /.well-known {
+ root /var/www;
+ }
+
+ include conf.d/web.conf;
+}
diff --git a/nginx/http.d/cirandas.net.conf b/nginx/http.d/cirandas.net.conf
new file mode 100644
index 0000000000000000000000000000000000000000..d46203c49d6c7c1762c6e570cf20d0646c00fa5b
--- /dev/null
+++ b/nginx/http.d/cirandas.net.conf
@@ -0,0 +1,26 @@
+server {
+ listen 80;
+
+ server_name cirandas.net;
+ # rewrite ^ $scheme://cirandas.net$request_uri?;
+
+ location ^~ /.well-known {
+ root /var/www;
+ }
+
+ include conf.d/web.conf;
+}
+
+server {
+ listen 443 ssl http2;
+ server_name cirandas.net;
+
+ ssl_certificate /etc/ssl/uacme/cirandas.net/cert.pem;
+ ssl_certificate_key /etc/ssl/uacme/private/cirandas.net/key.pem;
+
+ location ^~ /.well-known {
+ root /var/www;
+ }
+
+ include conf.d/web.conf;
+}
diff --git a/nginx/http.d/metricas.cirandas.net.conf b/nginx/http.d/metricas.cirandas.net.conf
new file mode 100644
index 0000000000000000000000000000000000000000..ed3edb0d7a6e6d4fab9d3abbfb872dbf6ca35402
--- /dev/null
+++ b/nginx/http.d/metricas.cirandas.net.conf
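Review bot: None of the new `server` blocks declares `default_server`, so nginx falls back to the first server it parses for each port, and with `include /etc/nginx/http.d/*.conf;` that is this file (alphabetically first) for both 80 and 443; any request whose Host is not one of the three configured names — including the `www.*` names and the custom domains the deleted nginx/cirandas file used to list — is answered by the artgravata.com.br vhost with its certificate and its `return 301 https://$host$request_uri;`. If dropping those domains is intended, the commit message should say so; otherwise add an explicit catch-all, e.g. a dedicated server with `listen 80 default_server;` / `listen 443 ssl default_server;` that returns 444, or restore `default_server` on the cirandas.net listeners as before. The same point applies to cirandas.net.conf in this commit. The commented `# rewrite ^ $scheme://cirandas.net$request_uri?;` under `server_name artgravata.com.br;` reads as a leftover from the old www-removal blocks and could be dropped or replaced by a comment saying www.artgravata.com.br is no longer handled here.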
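Review bot: The port-80 server in cirandas.net.conf ends with `include conf.d/web.conf;`, so the whole application — login forms and session cookies included — is served over plaintext HTTP, unlike artgravata.com.br.conf in this commit, whose port-80 server keeps only `/.well-known` and redirects everything else with `return 301 https://$host$request_uri;`. If that difference is deliberate for the migration, a comment next to the include saying so (and when it is meant to go away) would help; otherwise mirror the artgravata layout so the two vhosts behave the same. The commented-out `# rewrite ^ $scheme://cirandas.net$request_uri?;` carries no information in a file whose `server_name` is already cirandas.net and can go.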
@@ -0,0 +1,14 @@
+server {
+ listen 80;
+
+ server_name metricas.cirandas.net;
+
+ location /metrics {
+ proxy_pass http://localhost:9100;
+ proxy_redirect off;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+}
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
new file mode 100644
index 0000000000000000000000000000000000000000..f85911eed1e3af13e0646c17b6410212e3c056a0
--- /dev/null
+++ b/nginx/nginx.conf
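Review bot: `location /metrics` proxies `http://localhost:9100` to anyone who reaches port 80 with Host metricas.cirandas.net, with no `allow`/`deny`, no authentication and no TLS, so whatever that exporter reports (host-level detail, presumably — the file does not say what listens on 9100) becomes readable from the internet. Restrict it to the scraper's source address inside the location, e.g. `allow <SCRAPER_IP>; deny all;` (placeholder address), or put `auth_basic` in front of it, and add a comment naming the service behind 9100 so the exposure is reviewable. The `$proxy_add_x_forwarded_for` here differs from the `$remote_addr` used in conf.d/web.conf; either is fine for a localhost backend, but the inconsistency deserves a word.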
@@ -0,0 +1,59 @@
+user www-data;
+worker_processes 4;
+
+error_log /var/log/nginx/error.log;
+pid /var/run/nginx.pid;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+
+ access_log /var/log/nginx/access.log;
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+
+ keepalive_requests 100;
+ keepalive_timeout 300;
+
+
+ gzip on;
+ gzip_http_version 1.0;
+ gzip_comp_level 2;
+ gzip_proxied any;
+ gzip_vary off;
+ gzip_types text/plain text/css application/x-javascript text/xml application/xml application/rss+xml application/atom+xml text/javascript application/javascript application/json text/mathml;
+ gzip_min_length 1000;
+ gzip_disable "MSIE [1-6]\.";
+
+
+ variables_hash_max_size 1024;
+ variables_hash_bucket_size 64;
+ server_names_hash_bucket_size 64;
+ types_hash_max_size 2048;
+ types_hash_bucket_size 64;
+ client_max_body_size 0;
+
+
+ large_client_header_buffers 4 16k;
+ proxy_connect_timeout 600;
+ proxy_send_timeout 600;
+ proxy_read_timeout 600;
+ send_timeout 60;
+ proxy_temp_path /var/tmp/nginx_proxy;
+ proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=main:100m inactive=30d max_size=500m;
+ proxy_cache_key $scheme$host$uri$is_args$args;
+
+ include /etc/nginx/conf.d/http_geoip.conf;
+ include /etc/nginx/conf.d/http_gzip_static.conf;
+ include /etc/nginx/conf.d/cirandas-upstream.conf;
+ include /etc/nginx/http.d/*.conf;
+ #include /etc/nginx/sites-enabled/*;
+}
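Review bot: `client_max_body_size 0;` in the `http` block disables the request-body limit for every vhost, so any client can stream an arbitrarily large upload through to the unicorn socket; unless the application genuinely needs unbounded uploads, set a bound here (e.g. `client_max_body_size 64m;`, a constructed value to be tuned) and raise it only in the location that needs more. Two security-relevant defaults are also left implicit: nothing in the new tree sets `ssl_protocols`, `ssl_session_cache` or `ssl_ciphers` (the deleted file pinned `TLSv1 TLSv1.1 TLSv1.2`), so the accepted TLS versions now depend on the installed nginx build, and `server_tokens` keeps its default of advertising the version in the Server header and error pages — `ssl_protocols TLSv1.2 TLSv1.3;` and `server_tokens off;` at http level would make both explicit. `proxy_cache_path ... keys_zone=main:100m` and `proxy_cache_key` are defined but no location in this commit uses `proxy_cache main;`, so the zone reserves shared memory for nothing; either wire it into `@proxy` in web.conf or remove both lines.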