105 lines
3.4 KiB
Plaintext
105 lines
3.4 KiB
Plaintext
upstream service_endpoint {
|
|
# TODO Change next line. Set the endpoint.
|
|
server 127.0.0.1:3000;
|
|
# server 127.0.0.1:3000 weight=10 max_fails=2 fail_timeout=5s;
|
|
# server 127.0.0.1:3000 down;
|
|
# server 127.0.0.1:3000 backup;
|
|
}
|
|
|
|
server {
|
|
listen 8002;
|
|
# TODO Change next line. Set the domain.
|
|
server_name www.example.com;
|
|
|
|
# security headers
|
|
add_header X-XSS-Protection "1; mode=block" always;
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
add_header Referrer-Policy "no-referrer-when-downgrade" always;
|
|
add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always;
|
|
add_header Permissions-Policy "interest-cohort=()" always;
|
|
|
|
# . files
|
|
location ~ /\.(?!well-known) {
|
|
deny all;
|
|
}
|
|
|
|
# logging
|
|
access_log /var/log/nginx/access.log combined buffer=512k flush=1m;
|
|
error_log /var/log/nginx/error.log warn;
|
|
|
|
# reverse proxy
|
|
location / {
|
|
proxy_pass http://service_endpoint;
|
|
proxy_http_version 1.1;
|
|
proxy_cache_bypass $http_upgrade;
|
|
|
|
# Proxy headers
|
|
proxy_set_header Host $host;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection $connection_upgrade;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header Forwarded $proxy_add_forwarded;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header X-Forwarded-Host $host;
|
|
proxy_set_header X-Forwarded-Port $server_port;
|
|
|
|
# Proxy SSL
|
|
proxy_ssl_server_name on;
|
|
|
|
# Proxy timeouts
|
|
proxy_connect_timeout 60s;
|
|
proxy_send_timeout 60s;
|
|
proxy_read_timeout 60s;
|
|
}
|
|
|
|
# additional config
|
|
# favicon.ico
|
|
location = /favicon.ico {
|
|
log_not_found off;
|
|
}
|
|
|
|
# robots.txt
|
|
location = /robots.txt {
|
|
log_not_found off;
|
|
}
|
|
|
|
# gzip
|
|
gzip on;
|
|
gzip_vary on;
|
|
gzip_proxied any;
|
|
gzip_comp_level 6;
|
|
gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
|
|
|
|
location ~* ^.*\.(css|js|jpe?g|gif|png|webp|woff|eot|ttf|svg|ico|css\.map|js\.map)$ {
|
|
if_modified_since off;
|
|
|
|
# use the public cache
|
|
proxy_cache public-cache;
|
|
proxy_cache_key $host$request_uri;
|
|
|
|
# ignore these headers for media
|
|
proxy_ignore_headers Set-Cookie Cache-Control Expires X-Accel-Expires;
|
|
|
|
# cache 200s and also 404s (not ideal but there are a few 404 images for some reason)
|
|
proxy_cache_valid any 30m;
|
|
proxy_cache_valid 404 1m;
|
|
|
|
# strip this header to avoid If-Modified-Since requests
|
|
proxy_hide_header Last-Modified;
|
|
proxy_hide_header Cache-Control;
|
|
proxy_hide_header Vary;
|
|
|
|
proxy_cache_bypass 0;
|
|
proxy_no_cache 0;
|
|
|
|
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504 http_404;
|
|
proxy_connect_timeout 5s;
|
|
proxy_read_timeout 45s;
|
|
|
|
expires 7d; # @30m;
|
|
access_log off;
|
|
|
|
include conf.d/include/proxy.conf;
|
|
}
|
|
} |