-
-
Notifications
You must be signed in to change notification settings - Fork 400
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: enable attributes / personal search on OBF, OPF, OPFF, new conf…
…ig + logos for OPF & OPFF (#10757) - Some changes to enable knowledge panels on OBF, OPF and OPFF - new conf files for new deployments of OPF and OPFF - new logos for OPF and OPFF Test deployments (with the production databases): https://world.new.openproductsfacts.org https://world.new.openpetfoodfacts.org --------- Co-authored-by: Alex Garel <[email protected]>
- Loading branch information
1 parent
b0cfea1
commit 7e25d9a
Showing
268 changed files
with
8,930 additions
and
1,227 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,158 +1,135 @@ | ||
| ## | ||
| # You should look at the following URL's in order to grasp a solid understanding | ||
| # of Nginx configuration files in order to fully unleash the power of Nginx. | ||
| # http://wiki.nginx.org/Pitfalls | ||
| # http://wiki.nginx.org/QuickStart | ||
| # http://wiki.nginx.org/Configuration | ||
| # Default server configuration - nginx_status | ||
| # | ||
| # Generally, you will want to move this file somewhere, and start with a clean | ||
| # file but keep this around for reference. Or just disable in sites-enabled. | ||
| # | ||
| # Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples. | ||
| ## | ||
|
|
||
| # Default server configuration | ||
| # | ||
|
|
||
|
|
||
|
|
||
|
|
||
| server { | ||
| listen 80 ; | ||
| listen [::]:80 ; | ||
|
|
||
| #listen 443 ssl; | ||
| #listen [::]:443 ssl; | ||
|
|
||
| #include snippets/ssl.openproductsfacts.org; | ||
| #include snippets/ssl-params.conf; | ||
|
|
||
|
|
||
| server_name openproductsfacts.org; | ||
| return 301 https://world.openproductsfacts.org$request_uri; | ||
| listen 80 default_server; | ||
| listen [::]:80 default_server; | ||
| server_name _; | ||
|
|
||
| # nginx_status configuration, need for Munin | ||
| location /nginx_status { | ||
| stub_status on; | ||
| access_log off; | ||
| allow all; | ||
| } | ||
| } | ||
|
|
||
| include /etc/nginx/snippets/expires-no-json-xml.conf; | ||
| # variables definitions for expiry headers are loaded from /etc/nginx/conf.d/expires-no-json-xml.conf | ||
|
|
||
| server { | ||
| #listen 80 default_server; | ||
| #listen [::]:80 default_server; | ||
|
|
||
| listen 80; | ||
| listen [::]:80; | ||
|
|
||
| listen 443 ssl; | ||
| listen [::]:443 ssl; | ||
|
|
||
| server_name *.openproductsfacts.org openproductsfacts.org; | ||
|
|
||
| # SSL configuration | ||
| # | ||
| # listen 443 ssl default_server; | ||
| # listen [::]:443 ssl default_server; | ||
| # | ||
| # Self signed certs generated by the ssl-cert package | ||
| # Don't use them in a production server! | ||
| # | ||
| # include snippets/snakeoil.conf; | ||
| #listen [::]:443 ssl default_server; | ||
| #listen [::]:443 ssl; | ||
| include snippets/ssl.openproductsfacts.org; | ||
| include snippets/ssl-params.conf; | ||
|
|
||
| # Product Opener needs a root domain + a wildcard for all subdomains | ||
| server_name openproductsfacts.org *.openproductsfacts.org; | ||
|
|
||
| root /srv/opf/html; | ||
|
|
||
| access_log /srv/opf/logs/nginx.access2.log; | ||
| error_log /srv/opf/logs/nginx.error2.log; | ||
| # enable large uploads | ||
| client_max_body_size 20M; | ||
| client_body_timeout 120s; | ||
| client_header_timeout 120s; | ||
|
|
||
| # Redirect GET requests to https. POST requests will be transformed | ||
| # to GET by most browsers when redirected, and it breaks apps that | ||
| # use the API through http. | ||
|
|
||
| if ($scheme = http) { | ||
| set $test "A"; | ||
| } | ||
| if ($request_uri !~ "/api/") { | ||
| set $test "${test}B"; | ||
| } | ||
| if ($request_method = GET) { | ||
| set $test "${test}C"; | ||
| } | ||
| if ($test = ABC) { | ||
| return 301 https://$host$request_uri; | ||
| } | ||
|
|
||
| location /data/ { | ||
| include snippets/off.cors-headers.include; | ||
| include snippets/ssl-headers.conf; | ||
| # First attempt to serve request as file, then | ||
| # as directory, then fall back to displaying a 404. | ||
| try_files $uri $uri/ =404; | ||
| } | ||
| # logs location: default is static-off, will be changed to proxy-opf | ||
| # for requests passed to Apache | ||
| access_log /var/log/nginx/static-opf-access.log proxied_requests buffer=256K flush=1s; | ||
| error_log /var/log/nginx/static-opf-error.log; | ||
|
|
||
| # some redirection for specific subdomains | ||
| include snippets/opf.domain-redirects.include; | ||
|
|
||
| gzip on; | ||
| gzip_min_length 1000; | ||
| gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript text/csv; | ||
|
|
||
|
|
||
| # Add index.php to the list if you are using PHP | ||
| index index.html index.htm index.nginx-debian.html; | ||
|
|
||
| location ~* \.(eot|ttf|woff|woff2)$ { | ||
| include snippets/off.cors-headers.include; | ||
| } | ||
|
|
||
| location ~ ^/images/products/ { | ||
| add_header Link "<http://creativecommons.org/licenses/by-sa/3.0/>; rel='license'; title='CC-BY-SA 3.0'"; | ||
| include snippets/off.cors-headers.include; | ||
| include snippets/expiry-headers.include; | ||
| add_header Link "<http://creativecommons.org/licenses/by-sa/3.0/>; rel='license'; title='CC-BY-SA 3.0'"; | ||
| # optimize gzip compressed content (like OCR .json stored next to .jpg files) | ||
| gzip_static always; | ||
| gunzip on; | ||
| } | ||
|
|
||
| if ($http_referer ~* (jobothoniel.com) ) { return 403; } # blocked since 2021-07-13 | ||
|
|
||
| # the app requests /1.json to get the product count... | ||
| # the commented code below is to serve a static copy | ||
| # if there is a spike of installs | ||
| location ~ ^/1.json$ { | ||
| root /srv/opf/html/static; | ||
| try_files /1.json = 404; | ||
| } | ||
|
|
||
| # Static files are served directly by NGINX | ||
|
|
||
| location ~ ^/(favicon.ico) { | ||
| # First attempt to serve request as file, then | ||
| # as directory, then fall back to displaying a 404. | ||
| try_files $uri $uri/ =404; | ||
| } | ||
|
|
||
| location ~ ^/(.well-known|images|fonts|css|js|rss|files|resources|foundation|bower_components)/ { | ||
| # Static files are served directly by NGINX | ||
| location ~ ^/(.well-known|files|data|exports|dump)/ { | ||
| include snippets/off.cors-headers.include; | ||
| include snippets/expiry-headers.include; | ||
| # First attempt to serve request as file, then | ||
| # as directory, then fall back to displaying a 404. | ||
| try_files $uri $uri/ =404; | ||
| # First attempt to serve request from resource, then as file, | ||
| # then as directory, then fall back to displaying a 404. | ||
| try_files resources/$uri $uri $uri/ =404; | ||
| gzip_static always; | ||
| gunzip on; | ||
| } | ||
| location ~ ^/(images|fonts|css|js|donate|resources)/ { | ||
| include snippets/off.cors-headers.include; | ||
| include snippets/expiry-headers.include; | ||
| # First attempt to serve request as file, off_web_html acting as an override, | ||
| # then as directory, then fall back to displaying a 404. | ||
| try_files /off_web_html$uri $uri $uri/ =404; | ||
| gzip_static always; | ||
| gunzip on; | ||
| } | ||
|
|
||
| # Redirect to the change password form | ||
| location = /.well-known/change-password { | ||
| return 307 https://$host/cgi/change_password.pl; | ||
| } | ||
|
|
||
| # GoogleAssociationService made 2500 requests/min to assetlinks.json | ||
| # and much less when caching headers are sent | ||
| location = /.well-known/assetlinks.json { | ||
| include snippets/off.cors-headers.include; | ||
| include snippets/off.cors-headers.include; | ||
| include snippets/expiry-headers.include; | ||
| expires 1d; | ||
| try_files $uri $uri/ =404; | ||
| } | ||
| try_files $uri =404; | ||
| } | ||
|
|
||
| include snippets/opf.locations-redirects.include; | ||
|
|
||
| # Dynamically generated files and CGI scripts are passed | ||
| # to the Apache + mod_perl server running on a different | ||
| # port than port 80 (e.g. 8001) | ||
|
|
||
| location / { | ||
| proxy_set_header Host $host; | ||
| proxy_set_header X-Real-IP $remote_addr; | ||
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
| # recursive hosts as we are proxying behind a proxy | ||
| set_real_ip_from 10.0.0.0/8; | ||
| real_ip_recursive on; | ||
| access_log /var/log/nginx/proxy-opf-access.log proxied_requests buffer=256K flush=1s; | ||
| error_log /var/log/nginx/proxy-opf-error.log; | ||
|
|
||
| proxy_pass http://127.0.0.1:8005/cgi/display.pl?; | ||
| proxy_pass http://127.0.0.1:8003/cgi/display.pl?; | ||
| } | ||
|
|
||
| location /cgi/ { | ||
| proxy_set_header Host $host; | ||
| proxy_set_header X-Real-IP $remote_addr; | ||
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
| proxy_pass http://127.0.0.1:8005; | ||
| } | ||
| # recursive hosts as we are proxying behind a proxy | ||
| set_real_ip_from 10.0.0.0/8; | ||
| real_ip_recursive on; | ||
| access_log /var/log/nginx/proxy-opf-access.log proxied_requests buffer=256K flush=1s; | ||
| error_log /var/log/nginx/proxy-opf-error.log; | ||
|
|
||
| # deny access to .htaccess files, if Apache's document root | ||
| # concurs with nginx's one | ||
| # | ||
| #location ~ /\.ht { | ||
| # deny all; | ||
| #} | ||
| proxy_pass http://127.0.0.1:8003; | ||
| } | ||
| } | ||
|
|
Oops, something went wrong.