encode-proxy-nginx.conf

user www-data;
worker_processes  auto;
worker_rlimit_nofile 8192;
events {
    worker_connections  2048;
}
http {
    # Use upstream to support keepalive
    upstream test {
        server v39-test.instance.encodedcc.org;
        keepalive 30;
    }
    upstream production {
        server v39hotfix1.production.encodedcc.org;
        keepalive 30;
    }

    resolver 127.0.0.1;
    resolver_timeout 5s;
    include  mime.types;
    client_max_body_size 500m;
    default_type  application/octet-stream;
    keepalive_timeout  65;
    proxy_buffers 8 16k;
    proxy_send_timeout    5m;
    proxy_read_timeout    5m;
    send_timeout    5m;

    merge_slashes off;

    # https://wiki.mozilla.org/Security/Server_Side_TLS
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;

    # intermediate configuration. tweak to your needs.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    log_format combined_stats '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$upstream_http_x_stats&request_time=$request_time" $host';
    access_log /var/log/nginx/access.log combined_stats;

    server {
        listen 80;
        access_log off;
        location / {
            if ($request_method !~ ^(GET)|(HEAD)$) {
                return 405;
            }
            if ($http_authorization ~ .) {
                return 403 "Forbidden. HTTPS required for authenticated access.";
            }
            return  301  https://$host$request_uri;
        }
        location = /_nginx_healthcheck {
            add_header Content-Type text/plain;
            return 200 'ok';
        }
    }

    server {
        listen 171.67.205.79:443 ssl spdy default_server;
        server_name ~^(?<servername>[^.]+)\.demo\.encodedcc\.org$;
        ssl_certificate         /etc/nginx/ssl/demo.encodedcc.org/server.chained.pem;
        ssl_certificate_key     /etc/nginx/ssl/demo.encodedcc.org/server.key;
        ssl_trusted_certificate /etc/nginx/ssl/demo.encodedcc.org/ca.chained.pem;
        add_header Strict-Transport-Security max-age=15768000;  # 6 months
        location = /robots.txt {
            add_header Content-Type text/plain;
            return 200 'User-agent: *\nDisallow: /\n';
        }
        location / {
            # Normalize duplicate slashes
            if ($request ~ ^(GET|HEAD)\s([^?]*)//(.*)\sHTTP/[0-9.]+$) {
                return 301 $2/$3;
            }
            proxy_set_header  Host  $host;
            proxy_set_header  X-Forwarded-For    $proxy_add_x_forwarded_for;
            proxy_set_header  X-Forwarded-Proto  $scheme;
            proxy_pass  http://$servername.instance.encodedcc.org;
            proxy_http_version  1.1;
            proxy_set_header  Connection  "";
        }
        location ~ ^/_proxy/(.*)$ {
            internal;
            # Clear auth and content-type headers when passing to s3 bucket (SNO-34/ENCD-4007).
            proxy_set_header Authorization "";
            proxy_set_header Content-Type "";
            proxy_buffering off;
            proxy_pass $1$is_args$args;
        }
    }

    server {
        listen 171.67.205.78:443 ssl spdy default_server;
        server_name test.encodedcc.org;
        ssl_certificate         /etc/nginx/ssl/encodedcc.org/server.chained.pem;
        ssl_certificate_key     /etc/nginx/ssl/encodedcc.org/server.key;
        ssl_trusted_certificate /etc/nginx/ssl/encodedcc.org/ca.chained.pem;
        add_header Strict-Transport-Security max-age=15768000;  # 6 months
        location = /robots.txt {
            add_header Content-Type text/plain;
            return 200 'User-agent: *\nDisallow: /\n';
        }
        location / {
            # Normalize duplicate slashes
            if ($request ~ ^(GET|HEAD)\s([^?]*)//(.*)\sHTTP/[0-9.]+$) {
                return 301 $2/$3;
            }
            proxy_set_header  Host  $host;
            proxy_set_header  X-Forwarded-For    $proxy_add_x_forwarded_for;
            proxy_set_header  X-Forwarded-Proto  $scheme;
            proxy_pass  http://test;
            proxy_http_version  1.1;
            proxy_set_header  Connection  "";
        }
        location ~ ^/_proxy/(.*)$ {
            internal;
            # Clear auth and content-type headers when passing to s3 bucket (SNO-34/ENCD-4007).
            proxy_set_header Authorization "";
            proxy_set_header Content-Type "";
            proxy_buffering off;
            proxy_pass $1$is_args$args;
        }
    }

    server {
        listen 171.67.205.70:443 ssl spdy default_server;
        server_name www.encodeproject.org;
        ssl_certificate         /etc/nginx/ssl/encodeproject.org/server.chained.pem;
        ssl_certificate_key     /etc/nginx/ssl/encodeproject.org/server.key;
        ssl_trusted_certificate /etc/nginx/ssl/encodeproject.org/ca.chained.pem;
        add_header Strict-Transport-Security max-age=15768000;  # 6 months
        access_log /var/log/nginx/encodeproject.org.log combined_stats;
        location / {
            # Normalize duplicate slashes
            if ($request ~ ^(GET|HEAD)\s([^?]*)//(.*)\sHTTP/[0-9.]+$) {
                return 301 $2/$3;
            }
            proxy_set_header  Host  $host;
            proxy_set_header  X-Forwarded-For    $proxy_add_x_forwarded_for;
            proxy_set_header  X-Forwarded-Proto  $scheme;
            proxy_pass  http://production;
            proxy_http_version  1.1;
            proxy_set_header  Connection  "";
        }
        location ~ ^/_proxy/(.*)$ {
            internal;
            # Clear auth and content-type headers when passing to s3 bucket (SNO-34/ENCD-4007).
            proxy_set_header Authorization "";
            proxy_set_header Content-Type "";
            proxy_buffering off;
            proxy_pass $1$is_args$args;
        }
    }

    server {
        listen 171.67.205.70:443 ssl spdy;
        server_name encodeproject.org;
        ssl_certificate         /etc/nginx/ssl/encodeproject.org/server.chained.pem;
        ssl_certificate_key     /etc/nginx/ssl/encodeproject.org/server.key;
        ssl_trusted_certificate /etc/nginx/ssl/encodeproject.org/ca.chained.pem;
        add_header Strict-Transport-Security max-age=15768000;  # 6 months
        access_log off;
        location = /robots.txt {
            add_header Content-Type text/plain;
            return 200 'User-agent: *\nDisallow: /\n';
        }
        location / {
            if ($request_method !~ ^(GET)|(HEAD)$) {
                return 405  "Must use https://www.encodeproject.org.";
            }
            return  301  https://www.encodeproject.org$request_uri;
        }
    }

    server {
        listen 171.67.205.78:443 ssl spdy;
        server_name www.encodedcc.org encodedcc.org;
        ssl_certificate         /etc/nginx/ssl/encodedcc.org/server.chained.pem;
        ssl_certificate_key     /etc/nginx/ssl/encodedcc.org/server.key;
        ssl_trusted_certificate /etc/nginx/ssl/encodedcc.org/ca.chained.pem;
        add_header Strict-Transport-Security max-age=15768000;  # 6 months
        access_log off;
        location = /robots.txt {
            add_header Content-Type text/plain;
            return 200 'User-agent: *\nDisallow: /\n';
        }
        location / {
            if ($request_method !~ ^(GET)|(HEAD)$) {
                return 405  "Must use https://www.encodeproject.org.";
            }
            return  301  https://www.encodeproject.org$request_uri;
        }
    }

    server {
        listen 171.67.205.70:443 ssl spdy;
        server_name download.encodeproject.org;
        ssl_certificate         /etc/nginx/ssl/encodeproject.org/server.chained.pem;
        ssl_certificate_key     /etc/nginx/ssl/encodeproject.org/server.key;
        ssl_trusted_certificate /etc/nginx/ssl/encodeproject.org/ca.chained.pem;
        access_log /var/log/nginx/download.encodeproject.org.log combined_stats;
        location = /robots.txt {
            add_header Content-Type text/plain;
            return 200 'User-agent: *\nDisallow: /\n';
        }
        location ~ ^/(https?://(encode-files|encoded-files-dev)\.s3\.amazonaws\.com(:80|:443)?/.*)$ {
            # Clear auth and content-type headers when passing to s3 bucket (SNO-34/ENCD-4007).
            proxy_set_header Authorization "";
            proxy_set_header Content-Type "";
            proxy_buffering off;
            proxy_pass $1$is_args$args;
        }
    }

    server {
        listen 80;
        server_name ~^(.*ftp.*|encodedcc.stanford.edu)$;
        #ssl_certificate         /etc/nginx/ssl/encodedcc.org/server.chained.pem;
        #ssl_certificate_key     /etc/nginx/ssl/encodedcc.org/server.key;
        #ssl_trusted_certificate /etc/nginx/ssl/encodedcc.org/ca.chained.pem;
        access_log /var/log/nginx/ftp.encodedcc.org.log combined_stats;
        location = /robots.txt {
            add_header Content-Type text/plain;
            return 200 'User-agent: *\nDisallow: /\n';
        }
        location / {
            proxy_buffering off;
            proxy_pass      http://encode-ftp.s3-website-us-west-2.amazonaws.com/;
        }
        location ~ ^(.*)/ftp(/.*)$ {
            return 301 $1$2;
	}
    }

}