# NGINX Reverse Caching Proxy # - HLS / ISM / MPD streaming cache # - Single configuration, nested configs not used # - Deploy to /etc/nginx/nginx.conf # - cache goes into /dev/shm user nginx; worker_processes auto; error_log /var/log/nginx/error.log; pid /var/run/nginx.pid; events { worker_connections 1024; } http { # Directives # - $server_name tacked to log # - other options are defaults # Access log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for" "$server_name"'; access_log /var/log/nginx/access.log main; sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 65; types_hash_max_size 2048; include /etc/nginx/mime.types; default_type application/octet-stream; index index.html index.htm; # Proxy log_format cache '$server_addr - $upstream_cache_status [$time_local] ' '"Cache-Control: $upstream_http_cache_control" ' '"Expires: $upstream_http_expires" ' '"$request" ($status) ' '"$http_user_agent" "$server_name"'; access_log /var/log/nginx/cache.log cache; proxy_buffering on; proxy_buffers 8 64k; proxy_cache_path /dev/shm/nginx levels=1:2 keys_zone=default_cache:10m inactive=20m max_size=2g; proxy_temp_path /dev/shm/nginx/tmp; proxy_cache_methods GET HEAD POST; proxy_cache_lock off; # No origin protection proxy_cache_use_stale off; # No stale data, hard failover proxy_bind 0.0.0.0; proxy_cache_valid 200 302 1m; #10m default proxy_cache_valid 301 1m; #1h default proxy_cache_valid any 1m; #1m default # Default Service # - All protocols # - Single backend pair with failover to a backup on x*y timeout failures # - Secondary backend could be different region, onprem, etc as uber-fallback # - health_check directive requires NGINX+ # - standard timeout used when health_check not available # - failover to the next upstream on any error or >2s timeout upstream default_backend { server %PRIMARYORIGINPRIVATEIP%:80 fail_timeout=15s weight=2000000000; # put other origins here } server { listen 80 default_server; listen [::]:80 default_server; server_name default_backend; access_log /var/log/nginx/access.log main; access_log /var/log/nginx/cache.log cache; add_header 'Access-Control-Allow-Origin' '*'; add_header 'Access-Control-Allow-Credentials' 'true'; location / { proxy_pass http://default_backend; proxy_cache default_cache; proxy_next_upstream error timeout invalid_header http_502 http_503 http_504; proxy_http_version 1.1; proxy_read_timeout 180s; proxy_connect_timeout 10s; proxy_set_header Connection ""; add_header X-Media-Cache-Status $upstream_cache_status; add_header X-Media-Handled-By $proxy_host; } location /server-status { stub_status on; } location /static/ { limit_except GET HEAD { deny all; } proxy_ignore_headers set-cookie; proxy_hide_header set-cookie; proxy_set_header cookie ""; # only rely on last-modified (which will never change) proxy_hide_header etag; # s3 replies with 403 if an object is inaccessible; essentially not found proxy_intercept_errors on; error_page 403 =404 /_error/http-404.html; proxy_pass %EGRESSBUCKETWEBSITEURL%; # annotate response about when it was originally retrieved add_header x-cache '$upstream_cache_status $upstream_http_date'; expires 24h; } } }