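server_names_hash_bucket_size 128;

# Map upstream server addresses to labels (consumed by the fluentd_json log format).
# The keys are upstream addresses as they appear in $upstream_addr; "123" is the
# address of the django-app upstream below — keep the two in sync.
map $upstream_addr $upstream_label {
    default "web.unknown";
    123     "web.1";
}

# Send "Connection: upgrade" to the backend only when the client actually asked
# for a protocol upgrade (WebSocket). Plain requests get "Connection: close".
# Unconditionally sending "Connection: Upgrade" without an Upgrade header is a
# malformed request that some backends reject or mishandle.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

upstream ssl-handler-app { server 101112; }
upstream django-app      { server 123; }
upstream prometheus      { server 456; }
upstream logs            { server 789; }

# Use fluentd log format.
# escape=json: the request line, User-Agent, Referer and X-Forwarded-For are
# client-controlled. Without JSON escaping a quote or newline in any of them
# produces a malformed record and lets a client forge fields in the log line.
# (This file only defines the format; the access_log that uses it is not here.)
log_format fluentd_json escape=json '{"remote_addr":"$remote_addr", "remote_user":"$remote_user", "time_local":"$time_local", "request":"$request", "status":$status, "body_bytes_sent":"$body_bytes_sent", "http_referer":"$http_referer", "http_user_agent":"$http_user_agent", "http_x_forwarded_for":"$http_x_forwarded_for", "request_time":"$request_time", "response_time":"$upstream_response_time", "upstream_label":"$upstream_label"}';

# TLS policy for every server block in this file (http context). Previously
# only the Django servers set this; the catch-all, Prometheus and logs servers
# fell back to the build default, which on older nginx builds still allows
# TLSv1 and TLSv1.1. Individual server blocks may still override a setting.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers on;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
# NOTE(review): ssl_stapling needs a `resolver` to reach the OCSP responder, and
# ssl_stapling_verify needs the issuer chain (ssl_trusted_certificate unless
# fullchain.pem already carries it). Neither is visible in this file — confirm
# they are set in the enclosing http context, otherwise stapling silently fails.
# No ssl_ciphers is set, so the build's default cipher list applies.

# Plain-HTTP front door: ACME HTTP-01 challenges are handed to the certificate
# handler over HTTP; everything else is redirected to HTTPS.
server {
    listen 80;
    server_name _; # This will catch all domains pointed to your server

    location /.well-known/acme-challenge/ {
        proxy_pass http://ssl-handler-app/.well-known/acme-challenge/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location / {
        # $host comes from the client's Host header; echoing it in the redirect
        # is the usual catch-all behaviour, but it means an arbitrary Host is
        # reflected back to the client.
        return 301 https://$host$request_uri; # Redirect all other traffic to HTTPS
    }
}

# Default server for 443: as the first `listen 443 ssl` block it is selected for
# any SNI/Host that no named server below matches, and the connection is
# dropped without a response.
server {
    listen 443 ssl;
    server_name _; # Catch-all for any domain
    ssl_certificate /etc/ssl/certs/fullchain.pem; # Placeholder SSL certificate
    ssl_certificate_key /etc/ssl/certs/privkey.pem;

    location / {
        return 444; # Drop connection until the real certificate is issued
    }
}

# Server block for Prometheus
server {
    listen 443 ssl;
    server_name 456;
    ssl_certificate /etc/ssl/promcerts/fullchain.pem;
    ssl_certificate_key /etc/ssl/promcerts/privkey.pem;

    # Basic auth at server level so every location in this block requires
    # credentials, not only "/" (there is only "/" today, so nothing changes).
    # Credentials travel over TLS only; there is no port-80 listener here.
    auth_basic "Restricted Area";
    auth_basic_user_file /etc/nginx/.htpasswd;

    location / {
        proxy_pass http://prometheus;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Server block for logs (shares the Prometheus certificate and htpasswd file).
server {
    listen 443 ssl;
    server_name 789;
    ssl_certificate /etc/ssl/promcerts/fullchain.pem;
    ssl_certificate_key /etc/ssl/promcerts/privkey.pem;

    # Same server-level basic auth as the Prometheus block.
    auth_basic "Restricted Area";
    auth_basic_user_file /etc/nginx/.htpasswd;

    location / {
        proxy_pass http://logs;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

####################################################################################################################################
# Server block for Django app
#
# NOTE: Temp solution for custom domain feature.
# The CNAMEd referenced hostname (custom-cname-123) and the user's custom domain
# hostname (custom-123) used to be two further server blocks that were
# byte-identical to this one apart from server_name. They are folded into this
# block's server_name list: all three used the same certificate, and the
# backend still receives the client's hostname via Host / X-Forwarded-Host, so
# request handling is unchanged. Add further custom hostnames to server_name.
####################################################################################################################################
server {
    listen 443 ssl;
    server_name 123 custom-cname-123 custom-123;

    # CORS. No Access-Control-Allow-Origin is emitted here, so it is presumably
    # set by the Django app; with Allow-Credentials "true" that origin must be
    # a specific origin, never "*", or browsers reject the response — verify
    # on the app side.
    add_header 'Access-Control-Allow-Methods' 'POST, GET, OPTIONS, PUT' always;
    add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range, Authorization' always;
    add_header 'Access-Control-Allow-Credentials' 'true' always;
    add_header 'Access-Control-Max-Age' 1728000 always;

    ssl_certificate /etc/ssl/certs/fullchain.pem;
    ssl_certificate_key /etc/ssl/certs/privkey.pem;

    # 4 GiB request bodies combined with the 600 s timeouts below mean a single
    # slow client can occupy a worker connection for ten minutes; this is the
    # block's main resource-exhaustion exposure.
    client_max_body_size 4G;

    server_tokens off;

    location / {
        proxy_pass http://django-app;
        proxy_http_version 1.1;
        proxy_set_header X-Real-IP $remote_addr;
        # Appends the client's own X-Forwarded-For values; the app must trust
        # only the address this proxy appended, not the whole list.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
        # WebSocket pass-through: Connection is "upgrade" only when the client
        # sent an Upgrade header (see the $connection_upgrade map above).
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_connect_timeout 600;
        proxy_send_timeout 600;
        proxy_read_timeout 600;
        send_timeout 600;
        keepalive_timeout 600;
        # NOTE(review): proxy_set_header values are evaluated when the upstream
        # request is built, which appears to happen before a peer is selected,
        # so $upstream_addr is likely empty in this header — confirm on the
        # backend before relying on it.
        proxy_set_header X-Backend-Server $upstream_addr;
    }
}
####################################################################################################################################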