infrastructure/roles/security_tracker/templates/nginx.d.conf.j2

# uwsgi caching zone
uwsgi_cache_path /var/lib/nginx/cache/ levels=1:2 keys_zone=sec_cache:5m max_size=1g inactive=60m use_temp_path=off;

# limit requests to 5 r/s to block DoS attempts with a burst of 10.
limit_req_zone $binary_remote_addr zone=sec_req_limit:10m rate=5r/s;

# limit http status: 429 Too Many Requests
limit_req_status 429;

upstream security-tracker {
    server unix:///run/uwsgi/security-tracker.sock;
}

server {
    listen       80;
    listen       [::]:80;
    server_name  {{ security_tracker_domain }};

    access_log   /var/log/nginx/{{ security_tracker_domain }}/access.log reduced;
    access_log   /var/log/nginx/{{ security_tracker_domain }}/access.log.json json_reduced;
    error_log    /var/log/nginx/{{ security_tracker_domain }}/error.log;

    include snippets/letsencrypt.conf;

    location / {
        access_log off;
        return 301 https://$server_name$request_uri;
    }
}

server {
    include      snippets/listen-443.conf;
    server_name  {{ security_tracker_domain }};

    access_log   /var/log/nginx/{{ security_tracker_domain }}/access.log reduced;
    access_log   /var/log/nginx/{{ security_tracker_domain }}/access.log.json json_reduced;
    error_log    /var/log/nginx/{{ security_tracker_domain }}/error.log;

    ssl_certificate      /etc/letsencrypt/live/{{ security_tracker_domain }}/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/{{ security_tracker_domain }}/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/{{ security_tracker_domain }}/chain.pem;

    location = /google9fb65bdd43709b25.html {
        # verification code for anthraxx
        return 200 "google-site-verification: google9fb65bdd43709b25.html";
    }

    location /static/ {
        alias {{ security_tracker_dir }}/tracker/static/;
    }

    # API/RSS endpoint
    location ~* .*(atom|json)$ {
        access_log   /var/log/nginx/{{ security_tracker_domain }}/access.log main;
        access_log   /var/log/nginx/{{ security_tracker_domain }}/access.log.json json_main;

        include uwsgi_params;
        uwsgi_pass security-tracker;
        uwsgi_cache sec_cache;
        uwsgi_cache_valid 5m;
        uwsgi_cache_key "$request_method$request_uri";

        limit_req zone=sec_req_limit burst=5 nodelay;
    }

    # Web UI endpoint
    location / {
        access_log   /var/log/nginx/{{ security_tracker_domain }}/access.log main;
        access_log   /var/log/nginx/{{ security_tracker_domain }}/access.log.json json_main;

        include uwsgi_params;
        uwsgi_pass security-tracker;

        limit_req zone=sec_req_limit burst=10 nodelay;
    }
}