nginx.conf 2.46 KB
# This is the nginx config file for guix-hpc.bordeaux.inria.fr.

# Worker processes run with the credentials of the "nginx" account.
user nginx;
# "auto" leaves the number of worker processes for nginx to choose.
worker_processes  auto;

# Only messages of severity "error" and above go to the error log.
error_log  /var/log/nginx/error.log error;
pid        /var/run/nginx.pid;

# Use PCRE just-in-time compilation for the regular expressions in this
# configuration.
pcre_jit   on;

events {
    # Upper bound on simultaneously open connections per worker process.
    worker_connections  1024;
}

http {
    # Map file extensions to MIME types; anything not covered by the map is
    # sent as application/octet-stream.
    include /etc/nginx/mime.types;
    default_type  application/octet-stream;

    # We need to specify all these or nginx picks its own directory to
    # store them, which doesn't work because the store is read-only.
    client_body_temp_path /var/run/nginx/body;
    proxy_temp_path       /var/run/nginx/proxy;
    fastcgi_temp_path     /var/run/nginx/fastcgi;
    uwsgi_temp_path       /var/run/nginx/uwsgi;
    scgi_temp_path        /var/run/nginx/scgi;

    # http-level access log.  It applies to server blocks that do not set
    # an access_log of their own.
    access_log	/var/log/nginx/access.log;

    # Send file contents with sendfile() rather than copying them through
    # user space.
    sendfile        on;

    # Maximum chunk size to send.  Partly this is a workaround
    # for <http://bugs.gnu.org/19939>, but also the nginx docs
    # mention that "Without the limit, one fast connection may
    # seize the worker process entirely."
    # <http://nginx.org/en/docs/http/ngx_http_core_module#sendfile_max_chunk>
    sendfile_max_chunk 1m;

    # Idle keep-alive connections are closed after 65 seconds.
    keepalive_timeout  65;

    server {
	# Plain-HTTP virtual host.  It is the only server in this file that
	# listens on port 80.
	# NOTE(review): the locations from nginx-locations.conf are served here
	# without TLS.  Unless that file (not shown) says otherwise, nothing
	# sends these clients to the HTTPS server of the same name.  Confirm
	# that serving the site over cleartext HTTP is intended.
	listen       80;
	server_name  guix-hpc.bordeaux.inria.fr;
	access_log   /var/log/nginx/http.access.log;

	# Location blocks shared with the HTTPS server for the same name; the
	# included file is not part of this listing.
	include nginx-locations.conf;
    }

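    # Allow TLS only.  SSLv2 and SSLv3 stay disabled because they are not
    # listed.  TLSv1 and TLSv1.1 are no longer offered either: both are
    # formally deprecated (RFC 8996), so clients that cannot negotiate
    # TLSv1.2 will be refused.  Add TLSv1.3 to this list if the installed
    # nginx/OpenSSL build supports it.
    ssl_protocols       TLSv1.2;

    # Disable weak cipher suites.
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # Use our own DH parameters created with:
    #    openssl dhparam -out dhparams.pem 2048
    # as suggested at <https://weakdh.org/sysadmin.html>.
    ssl_dhparam         /etc/dhparams.pem;

    # NOTE(review): this is a second http-level access_log, in addition to
    # the access.log directive earlier in this block.  Server blocks without
    # their own access_log (the two HTTPS servers below) therefore log to
    # both files.  The "http." file name matches the port-80 server's log,
    # so presumably a separate HTTPS log file was intended.  Confirm.
    access_log   /var/log/nginx/http.access.log;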

    server {
	# HTTPS virtual host for the primary name.
	# NOTE(review): no Strict-Transport-Security header is set in this
	# block; check whether nginx-locations.conf (not shown) adds one.
	listen       443 ssl;
	server_name  guix-hpc.bordeaux.inria.fr;

        # Certificate chain and private key under /etc/letsencrypt/live/.
        # privkey.pem should be readable only by the account that starts
        # nginx.
        ssl_certificate     /etc/letsencrypt/live/guix-hpc.bordeaux.inria.fr/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/guix-hpc.bordeaux.inria.fr/privkey.pem;

	# Same shared location blocks as the port-80 server above; the
	# included file is not part of this listing.
	include nginx-locations.conf;
    }

    server {
	# HTTPS virtual host for the additional name hpc.guixsd.org.
	# NOTE(review): no server in this file declares this name on port 80,
	# so cleartext requests for it are handled by whichever server is the
	# default for port 80.  Confirm that this is intended.
	listen       443 ssl;
	server_name  hpc.guixsd.org;

        # Separate certificate and key for hpc.guixsd.org, also under
        # /etc/letsencrypt/live/.  privkey.pem should be readable only by
        # the account that starts nginx.
        ssl_certificate     /etc/letsencrypt/live/hpc.guixsd.org/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/hpc.guixsd.org/privkey.pem;

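	# For use by Certbot.  The "^~" modifier makes this prefix match final.
	# Without it, nginx goes on to check regex locations after finding the
	# prefix match, and a regex location in this server that also matches
	# takes precedence.  Challenge requests would then never be served from
	# /var/www.
	# NOTE(review): this server listens on 443 only; confirm how validation
	# requests for hpc.guixsd.org are expected to reach this location.
	location ^~ /.well-known {
	   root /var/www;
	}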

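	# Catch-all for everything not handled by a more specific location.
	# A plain prefix location is used instead of a regex: a matching regex
	# location takes precedence over ordinary prefix locations such as
	# /.well-known.
	location / {
	   # For now make a temporary redirect to inria.fr.  However,
	   # perhaps we should reverse things?
	   #
	   # $request_uri is the original, undecoded request URI including
	   # the query string.  The redirect therefore keeps the arguments,
	   # and no URL-decoded client input is copied into the Location
	   # header.
	   return 307 https://guix-hpc.bordeaux.inria.fr$request_uri;
	}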
    }
}