blob: 35cedf5edbc25112169a5eaba9539396e3cd8489 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
|
#!/usr/bin/env bash
# Based on
# https://www.exratione.com/2014/03/running-nginx-as-a-non-root-user/
# https://github.com/exratione/non-root-nginx/blob/9a77f62e5d5cb9c9026fd62eece76b9514011019/nginx.conf
# USAGE: ./boulder-integration.conf.sh /path/to/root cert.key cert.pem >> nginx.conf
ROOT=$1
CERT_KEY_PATH=$2
CERT_PATH=$3
cat <<EOF
# This error log will be written regardless of server scope error_log
# definitions, so we have to set this here in the main scope.
#
# Even doing this, Nginx will still try to create the default error file, and
# log a non-fatal error when it fails. After that things will work, however.
error_log $ROOT/error.log;
# The pidfile will be written to /var/run unless this is set.
pid $ROOT/nginx.pid;
worker_processes 1;
events {
worker_connections 1024;
}
http {
# Set an array of temp, cache and log file options that will otherwise default to
# restricted locations accessible only to root.
client_body_temp_path $ROOT/client_body;
fastcgi_temp_path $ROOT/fastcgi_temp;
proxy_temp_path $ROOT/proxy_temp;
#scgi_temp_path $ROOT/scgi_temp;
#uwsgi_temp_path $ROOT/uwsgi_temp;
access_log $ROOT/error.log;
# This should be turned off in a Virtualbox VM, as it can cause some
# interesting issues with data corruption in delivered files.
sendfile off;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
#include /etc/nginx/mime.types;
index index.html index.htm index.php;
log_format main '\$remote_addr - \$remote_user [\$time_local] \$status '
'"\$request" \$body_bytes_sent "\$http_referer" '
'"\$http_user_agent" "\$http_x_forwarded_for"';
default_type application/octet-stream;
server {
# IPv4.
listen 5002 $default_server;
# IPv6.
listen [::]:5002 $default_server;
server_name nginx.wtf nginx2.wtf;
root $ROOT/webroot;
location / {
# First attempt to serve request as file, then as directory, then fall
# back to index.html.
try_files \$uri \$uri/ /index.html;
}
}
server {
listen 5002;
listen [::]:5002;
server_name nginx3.wtf;
root $ROOT/webroot;
location /.well-known/ {
return 404;
}
return 301 https://\$host\$request_uri;
}
server {
listen 8082;
listen [::]:8082;
server_name nginx4.wtf nginx5.wtf;
}
server {
listen 5002;
listen [::]:5002;
listen 5001 ssl;
listen [::]:5001 ssl;
if (\$scheme != "https") {
return 301 https://\$host\$request_uri;
}
server_name nginx6.wtf nginx7.wtf;
ssl_certificate ${CERT_PATH};
ssl_certificate_key ${CERT_KEY_PATH};
}
}
EOF
|