proxy params, ssl permissins and mime types

2026-02-03 03:21:54 +08:00 · 2018-08-16 23:04:55 +03:00
parent f2dde902ce
commit 18301d5f54
5 changed files with 931 additions and 4 deletions
--- a/kvmd/configs/nginx/nginx.conf
+++ b/kvmd/configs/nginx/nginx.conf
@@ -0,0 +1,123 @@
+load_module /usr/lib/nginx/modules/ngx_http_lua_module.so;
+
+user http;
+worker_processes 4;
+
+# error_log /tmp/nginx.error.log;
+error_log /dev/null crit;
+
+events {
+	worker_connections 1024;
+	use epoll;
+}
+
+http {
+	access_log off;
+
+	include /etc/nginx/mime-types.conf;
+	default_type application/octet-stream;
+	charset utf-8;
+
+	sendfile on;
+	keepalive_timeout 10;
+
+	client_body_temp_path	/tmp/nginx.client_body_temp;
+	fastcgi_temp_path		/tmp/nginx.fastcgi_temp;
+	proxy_temp_path			/tmp/nginx.proxy_temp;
+	scgi_temp_path			/tmp/nginx.scgi_temp;
+	uwsgi_temp_path			/tmp/nginx.uwsgi_temp;
+
+	upstream kvmd {
+		server localhost:8081 fail_timeout=0s max_fails=0;
+	}
+
+	upstream mjpg_streamer {
+		server localhost:8082 fail_timeout=0s max_fails=0;
+	}
+
+#PROD	server {
+#PROD		listen 80;
+#PROD		server_name localhost;
+#PROD		return 301 https://$host$request_uri;
+#PROD	}
+
+#PROD	lua_shared_dict WS_TOKENS 10m;
+#PROD	init_by_lua_block {
+#PROD		WS_TOKEN_EXPIRES = 10;
+#PROD	}
+
+	server {
+#PROD		listen 443 ssl http2;
+		server_name localhost;
+
+#PROD		ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+#PROD		ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+#PROD		ssl_certificate /etc/nginx/ssl/server.crt;
+#PROD		ssl_certificate_key /etc/nginx/ssl/server.key;
+
+#PROD		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+#PROD		auth_basic "Restricted Area";
+#PROD		auth_basic_user_file /etc/nginx/htpasswd;
+
+		location / {
+			root /usr/share/kvmd/web;
+			index index.html;
+		}
+
+		location /wsauth {
+			# Workaround for Safari: https://bugs.webkit.org/show_bug.cgi?id=80362
+#PROD			access_by_lua_block {
+#PROD				local token = ngx.encode_base64(ngx.sha1_bin(ngx.var.http_Authorization));
+#PROD				ngx.shared.WS_TOKENS:set(token, token, WS_TOKEN_EXPIRES);
+#PROD				ngx.header["Set-Cookie"] = "WS_ACCESS_TOKEN=" .. token .. "; Path=/; Expires=" .. ngx.cookie_time(ngx.time() + WS_TOKEN_EXPIRES);
+#PROD			}
+			content_by_lua_block {
+				ngx.say("ok");
+			}
+		}
+
+		location /kvmd/ws {
+#PROD			auth_basic off;
+#PROD			access_by_lua_block {
+#PROD				local token = ngx.var.cookie_WS_ACCESS_TOKEN;
+#PROD				local value, _ = ngx.shared.WS_TOKENS:get(token);
+#PROD				if value == nil then
+#PROD					ngx.exec("/wsauth");
+#PROD				end
+#PROD			}
+			rewrite /kvmd/ws /ws break;
+			proxy_pass http://kvmd;
+			include /etc/nginx/proxy-params.conf;
+			proxy_set_header Upgrade $http_upgrade;
+			proxy_set_header Connection "upgrade";
+			proxy_connect_timeout 7d;
+			proxy_send_timeout 7d;
+			proxy_read_timeout 7d;
+		}
+
+		location /kvmd/msd/write {
+			rewrite /kvmd/msd/write /msd/write break;
+			proxy_pass http://kvmd;
+			include /etc/nginx/proxy-params.conf;
+			limit_rate 6250k;
+			limit_rate_after 50k;
+			client_max_body_size 0;
+			proxy_request_buffering off;
+		}
+
+		location /kvmd {
+			rewrite /kvmd/?(.*) /$1 break;
+			proxy_pass http://kvmd;
+			include /etc/nginx/proxy-params.conf;
+		}
+
+		location /streamer {
+			rewrite /streamer/?(.*) /$1 break;
+			proxy_pass http://mjpg_streamer;
+			include /etc/nginx/proxy-params.conf;
+			proxy_buffering off;
+			proxy_ignore_headers X-Accel-Buffering;
+		}
+	}
+}