digest.conf

limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
proxy_cache_path /var/lib/nginx/cache levels=1:2 keys_zone=two:10m inactive=24h max_size=1g;

server {
    listen 80;
    server_name digest.exlmoto.ru;
    return 301 https://digest.exlmoto.ru$request_uri;
}

server {
    listen 443 ssl http2;
    server_name digest.exlmoto.ru;

    proxy_cache two;

    location / {
        proxy_pass http://localhost:8080/;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
    }

    # Drop brute-force attack on login form.
    # Test:
    #  $ ab -n 100 -c 10 digest.exlmoto.ru/ds-auth-login
    location /ds-auth-login {
        limit_req   zone=one  burst=1 nodelay;
        proxy_pass http://localhost:8080/ds-auth-login;
        proxy_redirect http://localhost:8080/obey /obey;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
    }

    # Reverse proxy.
    # To avoid Roskomnadzor blocks.
    # See additional information: http://www.nginx-discovery.com/2011/05/day-51-proxypass-and-resolver.html
    location ^~ /proxy {
        resolver 8.8.8.8;
        location ~ "^/proxy/(.*)/(.*)" {
            proxy_pass https://$1/$2;
        }
    }

    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 9;
    gzip_http_version 1.1;
    gzip_min_length 2048;
    gzip_types text/plain text/css application/json application/x-javascript text/javascript;

    ssl_certificate /etc/letsencrypt/live/digest.exlmoto.ru/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/digest.exlmoto.ru/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
}