My servers are set up on Digital Ocean following these instructions.
Then, for the API setup on Nginx, I use the configuration below.
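# /usr/conf/snippets/basic.conf
#
# Included from inside a `server` block (see api.mydomain.com). Two nginx
# rules matter for everything in this file:
#  * `add_header` is not inherited additively: a location that sets any
#    add_header of its own drops every add_header from the enclosing
#    server level, including Strict-Transport-Security and
#    X-Content-Type-Options from ssl-params.conf. Locations below that use
#    add_header therefore restate those two headers.
#  * Regex (`~` / `~*`) locations are tried in file order, first match wins,
#    and they are evaluated before a plain `location /` in the including
#    server. None of them set a `root`, so they serve from the server-level
#    root, not from whatever root `location /` declares.

# Specify a charset
charset utf-8;

# Content encoding
gzip on;
gzip_min_length 1100;
gzip_buffers 4 32k;
gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;
gzip_vary on;

# Force the latest IE rendering engine
add_header "X-UA-Compatible" "IE=Edge";

# ---- Expire rules for static content ----

# cache.appcache, your document html and data: never cache
location ~* \.(?:manifest|appcache|html?|xml|json)$ {
    expires -1;
}

# Feeds
location ~* \.(?:rss|atom)$ {
    expires 1h;
}

# Media: images, icons, video, audio, HTC
location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
    expires 1M;
    access_log off;
    add_header Cache-Control "public";
    # Restated: the add_header above suppresses the server-level headers.
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Content-Type-Options nosniff;
}

# CSS and Javascript (no add_header here, so server-level headers still apply)
location ~* \.(?:css|js)$ {
    expires 1y;
    access_log off;
}

# Cross domain webfont access
location ~* \.(?:ttf|ttc|otf|eot|woff|woff2)$ {
    add_header "Access-Control-Allow-Origin" "*";
    expires 1M;
    access_log off;
    add_header Cache-Control "public";
    # Restated: the add_header lines above suppress the server-level headers.
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Content-Type-Options nosniff;
}

# Prevent clients from accessing hidden files (except .well-known, which the
# negative lookahead leaves for the including server to handle)
location ~* /\.(?!well-known\/) {
    deny all;
}

# Prevent clients from accessing backup/config/source files, and editor
# backups ending in "~"
location ~* (?:\.(?:bak|conf|dist|fla|in[ci]|log|psd|sh|sql|sw[op])|~)$ {
    deny all;
}

# NOTE: css, js and htc never reach this location -- the css/js and media
# regexes above match first. Only js2/js3/js4 land here, and gzip_vary is
# already on globally; kept so those extensions keep serving from the
# server root as before.
location ~ \.(?:css|htc|js|js2|js3|js4)$ {
    gzip_vary on;
}

# Already covered by the hidden-files rule above; kept as belt and braces.
location ~ /\.ht {
    deny all;
}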
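# /etc/nginx/sites-available/api.mydomain.com

# http://api.mydomain.com -- plain HTTP only redirects to HTTPS
server {
    listen [::]:80 ipv6only=on;
    listen 80;
    server_name api.mydomain.com;
    # $request_uri keeps the path and query string in the redirect.
    return 301 https://$server_name$request_uri;
}

# https://api.mydomain.com
server {
    listen [::]:443 ssl http2 ipv6only=on;
    listen 443 ssl http2;

    # Certificate paths, TLS parameters and the server-level security headers.
    # `include` paths are resolved relative to the nginx configuration prefix,
    # so these snippets are expected under <prefix>/snippets/.
    include snippets/ssl-api.mydomain.com.conf;
    include snippets/ssl-params.conf;
    # Generic caching / deny rules. This snippet declares regex locations that
    # are matched before `location /` below and that serve from the
    # server-level `root`, not from the app/static root used by `location /`.
    include snippets/basic.conf;

    root /var/www/api.mydomain.com/html;
    index index.html;

    # Anything a static location cannot find is handed to the application.
    # `=` (instead of `=200`) passes the application's own status code
    # through, so a genuine 404/5xx from the backend is not rewritten to 200.
    error_page 404 = @api_proxy;
    server_name api.mydomain.com;

    # ACME (Let's Encrypt) challenges. The dot is escaped so that e.g.
    # /Xwell-known does not match; basic.conf's hidden-file deny rule already
    # exempts /.well-known/ via its negative lookahead.
    location ~ /\.well-known {
        allow all;
        root /var/www/api.mydomain.com/html/;
    }

    location / {
        root /var/www/api.mydomain.com/html/app/static/;
        try_files $uri $uri/ @api_proxy;
    }

    # Reverse proxy to the application, which listens on loopback only.
    location @api_proxy {
        proxy_pass http://127.0.0.1:5000;
        # API requests are not logged at the edge; the application has to
        # produce its own request log if one is needed for monitoring.
        access_log off;
        proxy_http_version 1.1;
        # WebSocket pass-through. Sending `Connection: upgrade` on every
        # request works in practice; the usual refinement is a
        # `map $http_upgrade $connection_upgrade` in the http{} context.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        # Without these the backend sees 127.0.0.1 and plain http for every
        # request, so its logs, rate limits and redirects are wrong.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # The server-level X-Frame-Options from ssl-params.conf is used in
        # place of whatever the backend sends.
        proxy_hide_header X-Frame-Options;
    }

    # Static assets under app/static. `^~` makes this prefix win outright, so
    # neither basic.conf's regex locations nor the robots/humans/favicon rule
    # below ever see /assets URIs. NOTE(review): that also means /assets gets
    # no `expires` header at all -- confirm whether that is intended.
    location ^~ /assets {
        root /var/www/api.mydomain.com/html/app/static/;
    }

    # robots/humans/favicon: long cache. (`assets/` used to be listed here as
    # well, but the `^~ /assets` prefix above always takes those requests,
    # so the alternative was unreachable.) Dots escaped to match literally.
    location ~ ^/(robots\.txt|humans\.txt|favicon\.ico) {
        root /var/www/api.mydomain.com/html/app/static/;
        access_log off;
        expires max;
    }

    # API documentation behind HTTP basic auth. `^~` guarantees that none of
    # the regex locations (e.g. basic.conf's css/js rule) can serve a file
    # under /docs without passing auth_basic first.
    location ^~ /docs {
        auth_basic "API Developer Access";
        auth_basic_user_file /etc/nginx/.htpasswd;
        # Setting our own add_header drops the server-level ones, so the
        # security headers from ssl-params.conf are restated here with
        # X-Frame-Options deliberately relaxed to SAMEORIGIN.
        add_header X-Frame-Options "SAMEORIGIN";
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
        add_header X-Content-Type-Options nosniff;
        root /var/www/api.mydomain.com/html/app/static/;
    }

    # Public guide; same header handling as /docs.
    location ^~ /guide {
        add_header X-Frame-Options "SAMEORIGIN";
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
        add_header X-Content-Type-Options nosniff;
        root /var/www/api.mydomain.com/html/app/static/;
    }

    # Removed: `location ~ ^/(docs.*)` and `location ~ ^/(guide.*)`. Every
    # URI they could match is already claimed by the `^~ /docs` and
    # `^~ /guide` prefixes, which suppress regex matching, so they were dead.
    #
    # Removed: the duplicate media and css/js regex locations that used to
    # close this block. Identical patterns already appear in basic.conf,
    # which is included earlier, and the first matching regex wins -- so the
    # copies here (including their extra `Cache-Control: public` for css/js)
    # were never applied.
}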
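# /usr/conf/snippets/ssl-api.mydomain.com.conf
#
# Let's Encrypt certificate for api.mydomain.com. fullchain.pem carries the
# leaf plus intermediates; privkey.pem must stay readable by root only.
ssl_certificate /etc/letsencrypt/live/api.mydomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/api.mydomain.com/privkey.pem;
# ssl-params.conf turns on `ssl_stapling_verify`; nginx can only verify the
# stapled OCSP response against a trusted issuer chain given here.
# NOTE(review): chain.pem is certbot's standard companion file to
# fullchain.pem -- confirm it exists in this live/ directory.
ssl_trusted_certificate /etc/letsencrypt/live/api.mydomain.com/chain.pem;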
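# /usr/conf/snippets/ssl-params.conf
#
# Shared TLS settings and security headers, included at server level.

# TLS 1.0/1.1 are deprecated and dropped here. TLSv1.3 needs nginx built
# against OpenSSL 1.1.1 or later; remove that token on older builds.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;

# Session resumption via the server-side cache only; tickets are disabled
# because a long-lived ticket key would undermine forward secrecy.
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1h;
ssl_session_tickets off;

# OCSP stapling. Verification requires the issuer chain via
# `ssl_trusted_certificate` (see ssl-api.mydomain.com.conf). The resolver is
# used to look up the OCSP responder; these lookups leave the host as
# plain DNS.
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

# Security headers. `always` also attaches them to error responses.
# Remember that any location declaring its own add_header discards all of
# these, so such locations restate what they need (see basic.conf and the
# /docs and /guide locations in api.mydomain.com).
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
add_header X-Frame-Options DENY always;
add_header X-Content-Type-Options nosniff always;

# Custom DH parameters for the EDH ciphers above (generate with >= 2048 bits).
ssl_dhparam /etc/ssl/certs/dhparam.pem;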