Skip to content

Instantly share code, notes, and snippets.

@Frondor

Frondor/a.conf

Created May 16, 2018 05:44
Show Gist options
  • Save Frondor/3aa6b87efb8f22a1257e626727b0fcbc to your computer and use it in GitHub Desktop.
Save Frondor/3aa6b87efb8f22a1257e626727b0fcbc to your computer and use it in GitHub Desktop.
Download ZIP
nginx.conf file, included from another http context
Raw
a.conf
# Based on:
# https://www.netguru.co/codestories/nginx-tutorial-performance
# https://www.netguru.co/codestories/nginx-tutorial-ssl-setup
# https://www.digitalocean.com/community/tutorials/understanding-nginx-http-proxying-load-balancing-buffering-and-caching
gzip on; # enable gzip
gzip_http_version 1.1; # turn on gzip for http 1.1 and higher
gzip_disable "msie6"; # IE 6 had issues with gzip
gzip_comp_level 5; # inc compresion level, and CPU usage
gzip_min_length 256; # minimal weight to gzip file (files below this in bytes are not compressed)
gzip_proxied any; # enable gzip for proxied requests (e.g. CDN)
gzip_buffers 16 8k; # compression buffers (if we exceed this value, disk will be used instead of RAM)
gzip_vary on; # add header Vary Accept-Encoding
# define files which should be compressed
gzip_types text/plain;
gzip_types text/css;
gzip_types application/javascript;
gzip_types application/json;
gzip_types application/manifest+json;
gzip_types image/svg+xml;
gzip_types image/x-icon;
tcp_nodelay on; # sets TCP_NODELAY flag, used on keepalive connections
ssl on;
ssl_certificate /etc/ssl/certs/cert.pem;
ssl_certificate_key /etc/ssl/certs/key.pem;
# security
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:!MD5;
ssl_prefer_server_ciphers on;
# performance
ssl_session_cache shared:SSL:5m; # One megabyte of the cache contains about 4000 sessions
ssl_session_timeout 10m;
server_tokens off;
#=============#
# RESTFUL API #
#=============#
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name api.dev.local;
# # general configs
# keepalive_timeout 20;
# listen 127.0.0.1:443 ssl;
# server_name api.example.com;
# # ssl configs
# ssl_certificate /path/to/api.crt;
# ssl_certificate_key /path/to/api.key;
# ssl_session_cache shared:SSL:10m;
# ssl_session_timeout 10m;
# # logs paths
# access_log false;
# error_log /path/to/error.log crit;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
location / {
proxy_pass http://restful_api:3000;
proxy_http_version 1.1;
# handle OPTIONS requests
# @note: don't try to DRY out this "if" block, or you're gonna have a bad time.
# @see: http://wiki.nginx.org/IfIsEvil
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,Keep-Alive,X-Requested-With,If-Modified-Since';
add_header 'Access-Control-Allow-Methods' 'GET, DELETE, OPTIONS, POST, PUT';
add_header 'Access-Control-Allow-Origin' 'https://app.dev.local';
add_header 'Access-Control-Max-Age' 2592000;
add_header 'Content-Length' 0;
# add_header 'Content-Type' 'text/plain charset=UTF-8';
return 204;
}
# proxy to the nodejs application
# client_max_body_size 64G;
# send the CORS headers
add_header 'Access-Control-Allow-Credentials' 'true';
add_header 'Access-Control-Allow-Origin' 'https://app.dev.local';
# set additional security headers
add_header 'Cache-Control' 'no-cache, no-store, must-revalidate';
# add_header 'Content-Security-Policy' 'connect-src example.com';
# add_header 'Expires' '0';
# add_header 'Pragma' 'no-cache';
# add_header 'Strict-Transport-Security' 'max-age=31536000; includeSubDomains';
add_header 'X-Content-Type-Options' 'nosniff';
add_header 'X-Frame-Options' 'DENY';
add_header 'X-XSS-Protection' '1; mode=block';
}
}
#=================#
# SINGLE PAGE APP #
#=================#
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
server_name app.dev.local;
root /var/www/app/;
tcp_nopush on;
location / {
index index.html =404;
}
# location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
# expires 1M;
# add_header Cache-Control public;
# add_header Pragma public;
# add_header Vary Accept-Encoding;
# }
location /api {
# can't set the proxy yet cuz i fail :(proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host something.appspot.com;
proxy_set_header X-NginX-Proxy true;
proxy_pass https://res/;
proxy_ssl_session_reuse off;
proxy_redirect off;
}
# PWA related location, do I need this?
location /manifest.json {
default_type application/x-web-app-manifest+json;
}
}
# Not working
# # Rewrite all trafic on port 80 to 443
# server {
# listen 80;
# server_name api.dev.local;
# rewrite ^ https://$server_name:8000$request_uri? permanent;
# }
#=======================================#
# Scaling with upstream pool of servers #
#=======================================#
# upstream backend_hosts {
# least_conn; # balancing algorythm
# server host1.example.com;
# server host2.example.com;
# server host3.example.com;
# }
# server {
# listen 80;
# server_name example.com;
# location /proxy-me {
# proxy_pass http://backend_hosts;
# }
# }
server {
listen 80 ssl default_server;
listen [::]:80 ssl default_server;
server_name *.dev.local dev.local;
if ($http_x_forwarded_proto != "https") {
return 301 https://$host$request_uri;
}
return 301 https://$host$request_uri;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment