auditor-nginx.conf.j2 (1614B)
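server {

    listen 443 ssl;
    listen [::]:443 ssl;

    # Do not identify as nginx
    server_tokens off;
    server_name auditor.{{ domain_name }};

    # Certificate lineage is fixed to "auditor" (not templated on domain_name).
    # chain.pem is only consulted by nginx for OCSP stapling or client-certificate
    # verification; neither is enabled in this block, so it is currently inert.
    ssl_certificate /etc/letsencrypt/live/auditor/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/auditor/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/auditor/chain.pem;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_dhparam /etc/ssl/private/dhparam.pem;
    ssl_protocols TLSv1.3 TLSv1.2;
    # ssl_ciphers only governs TLS 1.2; TLS 1.3 suites are not selected here.
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

    # "always" is needed so HSTS is also emitted on the 401 and 451 responses
    # generated in this file; without it nginx adds the header to 2xx/3xx only.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    # Bigger than default timeout to support long polling
    proxy_read_timeout 6500s;
    keepalive_requests 1000000;
    keepalive_timeout 6500s;

    # Crawler block. ~* is a case-insensitive substring regex, so the short
    # alternatives ("AI", "GPT", "acebook") can also match unrelated
    # user agents that merely contain those letters.
    if ($http_user_agent ~* "Bytedance|bytespider|Amazonbot|Claude|Anthropic|AI|GPT|acebook") { return 451 ; }

    error_log /var/log/nginx/auditor.{{ domain_name }}.err;
    access_log /var/log/nginx/auditor.{{ domain_name }}.log;

    # Performance log; the "taler" log_format and the $log_perf variable are
    # not defined in this template and must come from the enclosing http context.
    access_log /var/log/nginx/auditor.{{ domain_name }}.tal taler if=$log_perf;

    location / {
        # Most of the API we will put behind simple access control for now.
        # "!=" is an exact, case-sensitive string comparison, so the header must
        # be precisely "Bearer <token>". The token is rendered in plaintext into
        # the generated config, so that file must not be readable beyond nginx.
        # NOTE(review): the 401 carries no WWW-Authenticate header (RFC 7235
        # requires one); adding it via add_header here would also require
        # repeating the HSTS add_header, since add_header is not inherited
        # once any add_header is set at this level.
        if ($http_authorization != "Bearer {{ AUDITOR_ACCESS_TOKEN }}") {
            return 401;
        }
        proxy_pass http://unix:/var/run/taler-auditor/httpd/auditor-http.sock;
    }

    # Paths without any access control
    location = /config {
        proxy_pass http://unix:/var/run/taler-auditor/httpd/auditor-http.sock;
    }
    location = /deposit-confirmation {
        proxy_pass http://unix:/var/run/taler-auditor/httpd/auditor-http.sock;
    }

}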