Frondor/nginx.conf Secret

## nginx.conf
# Based on:
# https://www.netguru.co/codestories/nginx-tutorial-performance
# https://www.netguru.co/codestories/nginx-tutorial-ssl-setup
# https://www.digitalocean.com/community/tutorials/understanding-nginx-http-proxying-load-balancing-buffering-and-caching

# DOESNT WORK ON THIS FILE because its included in the http context of default.conf
# worker_processes auto; # use all the CPUs

# Compression
  gzip on;               # enable gzip
  gzip_http_version 1.1; # turn on gzip for http 1.1 and higher
  gzip_disable "msie6";  # IE 6 had issues with gzip
  gzip_comp_level 4;     # inc compression level, and CPU usage
  gzip_min_length 120;   # minimal weight to gzip file (files below this in bytes are not compressed)
  gzip_proxied any;      # enable gzip for proxied requests (e.g. CDN)
  gzip_buffers 16 8k;    # compression buffers (if we exceed this value, disk will be used instead of RAM)
  gzip_vary on;          # add header Vary Accept-Encoding

# define files which should be compressed
  gzip_types text/plain;
  gzip_types text/css;
  gzip_types application/javascript;
  gzip_types application/json;
  gzip_types application/manifest+json;
  gzip_types image/svg+xml;
  gzip_types image/x-icon;

# SSL
  ssl on;
  ssl_certificate     /etc/ssl/certs/cert.pem;
  ssl_certificate_key /etc/ssl/certs/key.pem;
  # security
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:!MD5;
  ssl_prefer_server_ciphers on;
  # performance
  ssl_session_cache   shared:SSL:5m; # One megabyte of the cache contains about 4000 sessions
  ssl_session_timeout 10m;

  server_tokens off;

#=============#
# RESTFUL API #
#=============#
server {
    listen 80 ssl;
    listen 443 ssl;
    listen [::]:80 ssl;
    listen [::]:443 ssl;
    server_name  api.dev.local;

    if ($http_x_forwarded_proto = "http") {
      return 301 https://$server_name$request_uri;
    }

    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;

    location / {
      proxy_pass                http://restful_api:3000;

      # proxy to the nodejs application
      # client_max_body_size 64G;

      # send the CORS headers
      add_header 'Access-Control-Allow-Credentials' 'true';
      add_header 'Access-Control-Allow-Origin'      'https://app.dev.local';

      # set additional security headers
      add_header 'Cache-Control'                    'no-cache, no-store, must-revalidate';
      # add_header 'Content-Security-Policy'          'connect-src example.com';
      # add_header 'Expires'                          '0';
      # add_header 'Pragma'                           'no-cache';
      # add_header 'Strict-Transport-Security'        'max-age=31536000; includeSubDomains';
      add_header 'X-Content-Type-Options'           'nosniff';
      add_header 'X-Frame-Options'                  'DENY';
      add_header 'X-XSS-Protection'                 '1; mode=block';
    }
}

#=================#
# SINGLE PAGE APP #
#=================#
server {
    listen 80 ssl;
    listen 443 ssl;
    listen [::]:80 ssl;
    listen [::]:443 ssl;

    server_name  app.dev.local;

    root  /var/www/app/;
    index index.html;

    if ($http_x_forwarded_proto = "http") {
      return 301 https://$server_name$request_uri;
    }

    tcp_nopush on;

    location / {
      try_files $uri $uri/ =404;
    }

    location /api {
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header Host $host;

      rewrite ^/api/?(.*) /$1 break;

      proxy_pass  http://restful_api:3000;
      proxy_http_version  1.1;
      proxy_redirect  off;
    }

    # PWA related location, do I need this?
    location /manifest.json {
        default_type application/x-web-app-manifest+json;
    }
  }
	# Based on:
	# https://www.netguru.co/codestories/nginx-tutorial-performance
	# https://www.netguru.co/codestories/nginx-tutorial-ssl-setup
	# https://www.digitalocean.com/community/tutorials/understanding-nginx-http-proxying-load-balancing-buffering-and-caching

	# DOESNT WORK ON THIS FILE because its included in the http context of default.conf
	# worker_processes auto; # use all the CPUs

	# Compression
	gzip on; # enable gzip
	gzip_http_version 1.1; # turn on gzip for http 1.1 and higher
	gzip_disable "msie6"; # IE 6 had issues with gzip
	gzip_comp_level 4; # inc compression level, and CPU usage
	gzip_min_length 120; # minimal weight to gzip file (files below this in bytes are not compressed)
	gzip_proxied any; # enable gzip for proxied requests (e.g. CDN)
	gzip_buffers 16 8k; # compression buffers (if we exceed this value, disk will be used instead of RAM)
	gzip_vary on; # add header Vary Accept-Encoding

	# define files which should be compressed
	gzip_types text/plain;
	gzip_types text/css;
	gzip_types application/javascript;
	gzip_types application/json;
	gzip_types application/manifest+json;
	gzip_types image/svg+xml;
	gzip_types image/x-icon;

	# SSL
	ssl on;
	ssl_certificate /etc/ssl/certs/cert.pem;
	ssl_certificate_key /etc/ssl/certs/key.pem;
	# security
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:!MD5;
	ssl_prefer_server_ciphers on;
	# performance
	ssl_session_cache shared:SSL:5m; # One megabyte of the cache contains about 4000 sessions
	ssl_session_timeout 10m;

	server_tokens off;

	#=============#
	# RESTFUL API #
	#=============#
	server {
	listen 80 ssl;
	listen 443 ssl;
	listen [::]:80 ssl;
	listen [::]:443 ssl;
	server_name api.dev.local;

	if ($http_x_forwarded_proto = "http") {
	return 301 https://$server_name$request_uri;
	}

	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header Host $host;

	location / {
	proxy_pass http://restful_api:3000;

	# proxy to the nodejs application
	# client_max_body_size 64G;

	# send the CORS headers
	add_header 'Access-Control-Allow-Credentials' 'true';
	add_header 'Access-Control-Allow-Origin' 'https://app.dev.local';

	# set additional security headers
	add_header 'Cache-Control' 'no-cache, no-store, must-revalidate';
	# add_header 'Content-Security-Policy' 'connect-src example.com';
	# add_header 'Expires' '0';
	# add_header 'Pragma' 'no-cache';
	# add_header 'Strict-Transport-Security' 'max-age=31536000; includeSubDomains';
	add_header 'X-Content-Type-Options' 'nosniff';
	add_header 'X-Frame-Options' 'DENY';
	add_header 'X-XSS-Protection' '1; mode=block';
	}
	}

	#=================#
	# SINGLE PAGE APP #
	#=================#
	server {
	listen 80 ssl;
	listen 443 ssl;
	listen [::]:80 ssl;
	listen [::]:443 ssl;

	server_name app.dev.local;

	root /var/www/app/;
	index index.html;

	if ($http_x_forwarded_proto = "http") {
	return 301 https://$server_name$request_uri;
	}

	tcp_nopush on;

	location / {
	try_files $uri $uri/ =404;
	}

	location /api {
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header Host $host;

	rewrite ^/api/?(.*) /$1 break;

	proxy_pass http://restful_api:3000;
	proxy_http_version 1.1;
	proxy_redirect off;
	}

	# PWA related location, do I need this?
	location /manifest.json {
	default_type application/x-web-app-manifest+json;
	}
	}