From 569a9df5a08cd68c1085b713c2913fdf4db381b0 Mon Sep 17 00:00:00 2001
From: Vincent Breitmoser
Date: Tue, 13 Jul 2021 11:05:44 +0200
Subject: [PATCH] nginx: update nginx.conf, ditch nginx-site.conf
---
 nginx-site.conf | 52 -------------------------------------------------
 nginx.conf | 33 ++++++++++++++++++++++---------
 2 files changed, 24 insertions(+), 61 deletions(-)
 delete mode 100644 nginx-site.conf
diff --git a/nginx-site.conf b/nginx-site.conf
deleted file mode 100644
index aee2377..0000000
--- a/nginx-site.conf
+++ /dev/null
@@ -1,52 +0,0 @@
-geo $allowlist {
- default 0;
- # CIDR in the list below are using a more lenient limiter
- 1.2.3.4/32 1;
-}
-
-map $allowlist $limit {
- 0 $binary_remote_addr;
- 1 "";
-}
-
-map $allowlist $limit_loose {
- 1 $binary_remote_addr;
- 0 "";
-}
-
-# allow 6 requests per min -> one each 10s on avg.
-limit_req_zone $limit zone=search_email:10m rate=1r/s;
-limit_req_zone $limit_loose zone=search_email_loose:10m rate=1r/m;
-limit_req_zone $limit zone=search_fpr_keyid:10m rate=5r/s;
-
-proxy_cache_path /tmp/nginx_cache use_temp_path=off keys_zone=static_cache:10m;
-proxy_cache_valid 200 5m;
-
-server {
- listen [::]:443 ssl ipv6only=on; # managed by Certbot
- listen 443 ssl; # managed by Certbot
- ssl_certificate /etc/letsencrypt/live/edge.keys.openpgp.org/fullchain.pem; # managed by Certbot
- ssl_certificate_key /etc/letsencrypt/live/edge.keys.openpgp.org/privkey.pem; # managed by Certbot
- include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
- ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
-
- rewrite_log on;
- error_log /home/hagrid/error.log notice;
-
- root /home/hagrid/run/public;
- server_name edge.keys.openpgp.org; # managed by Certbot
-
- include hagrid-routes.conf;
-}
-
-server {
- if ($host = edge.keys.openpgp.org) {
- return 301 https://$host$request_uri;
- } # managed by Certbot
-
-
- listen 80 ;
- listen [::]:80 ;
- server_name edge.keys.openpgp.org;
- return 404; # managed by Certbot
-}
diff --git a/nginx.conf b/nginx.conf
index 06bcd21..1b17f67 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -1,24 +1,39 @@ error_log stderr; -pid nginx/nginx.pid; +pid nginx.pid; daemon off; http { - # allow 6 requests per min -> one each 10s on avg. - limit_req_zone $binary_remote_addr zone=mylimit:10m rate=6r/m; + geo $allowlist { + default 0; + # CIDR in the list below are using a more lenient limiter + 1.2.3.4/32 1; + } - proxy_cache_path /tmp/nginx_cache use_temp_path=off keys_zone=static_cache:10m; - proxy_cache_valid 200 5m; + map $allowlist $limit { + 0 $binary_remote_addr; + 1 ""; + } + + map $allowlist $limit_loose { + 1 $binary_remote_addr; + 0 ""; + } + + # limit zones are used in hagrid-routes.conf + limit_req_zone $limit zone=search_email:10m rate=1r/s; + limit_req_zone $limit_loose zone=search_email_loose:10m rate=1r/m; + limit_req_zone $binary_remote_addr zone=search_fpr_keyid:10m rate=5r/s; server { listen 0.0.0.0:8090; - access_log nginx/access_log; + access_log stderr; # To debug the rewrite rules, enable these directives: - #error_log stderr notice; - #rewrite_log on; + # error_log stderr notice; + # rewrite_log on; - include /etc/nginx/mime.types; + # include /etc/nginx/mime.types; default_type application/octet-stream; root dist/public;
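Review bot: The three `limit_req_zone` directives and the `geo $allowlist` lookup are keyed on `$binary_remote_addr`, but with the TLS-terminating server removed from nginx-site.conf this file only listens in plaintext on `listen 0.0.0.0:8090;`, so if a reverse proxy now sits in front every client arrives with the proxy's address — one shared limiter bucket and an allowlist that can never match. If that is the deployment, the `http` block should add `set_real_ip_from <proxy CIDR placeholder>;` and `real_ip_header X-Forwarded-For;` (realip module) and the `geo` block should carry a matching `proxy` directive so the allowlist is evaluated against the real client address. Independently, a comment above `geo $allowlist` saying that `1.2.3.4/32 1;` is a placeholder entry to be replaced, and that only `search_email`/`search_email_loose` honour the allowlist while `search_fpr_keyid` now keys on the raw address, would make the intended policy explicit. The `http` and `server` blocks opened in this hunk are closed outside the visible lines.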