
@andreasnuesslein
Created November 12, 2021 15:45
# Worker processes run under the unprivileged www-data account.
user www-data;
pid /run/nginx.pid;

# "auto" sizes the worker pool from the number of available CPU cores.
worker_processes auto;

# Per-worker open-file limit. worker_connections below counts upstream
# (proxied) connections as well as client connections, and each of them needs a
# descriptor. NOTE(review): with both values at 65535 there is no headroom left
# for other open files - confirm this is intended.
worker_rlimit_nofile 65535;

events {
    worker_connections 65535;
}
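# HTTP context: shared transport, compression, upload and TLS defaults, plus one
# plain-HTTP reverse proxy on port 9000 in front of two local backends
# (localhost:8000 for /api, localhost:3000 for everything else).
http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # Keep the nginx version out of the Server header and error pages.
    server_tokens off;
    # server_names_hash_bucket_size 128; # this seems to be required for some vhosts
    # server_name_in_redirect off;

    # No logging.
    # "error_log off;" does not disable the error log: nginx reads "off" as a file
    # name and writes errors to a file called "off" under its prefix directory.
    # Sending the log to /dev/null at the highest threshold matches the intent.
    # NOTE(review): with both logs discarded there is no request or error trail
    # for detection or incident response; consider keeping at least error_log on
    # a real path (or syslog) in production.
    access_log off;
    error_log /dev/null crit;

    gzip on;
    gzip_vary on;
    # "any" also compresses responses to requests that arrived through a proxy.
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    # NOTE(review): compressing responses that mix secrets with request-controlled
    # data (JSON/HTML API replies) is the precondition for BREACH-style
    # compression side channels when served over TLS - confirm the backends do not
    # reflect input next to tokens, or exclude those types.
    gzip_types application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font application/x-font-opentype application/x-font-otf application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/opentype font/otf font/ttf image/svg+xml image/x-icon text/css text/javascript text/plain text/xml;

    # allow BIG uploads
    # These limits sit at http level, so every server and location inherits a
    # 10 GB body limit and two-hour timeouts. That lets any client hold a
    # connection and buffer space for a long time; scoping them to the upload
    # location(s) only would narrow the resource-exhaustion surface.
    client_max_body_size 10G;
    proxy_read_timeout 7200;
    proxy_send_timeout 7200;
    send_timeout 7200;
    fastcgi_read_timeout 7200;

    include /etc/nginx/mime.types;
    include /etc/nginx/fastcgi_params;
    default_type application/octet-stream;

    # cipherlist.eu recommendations 2020.04.30
    # NOTE(review): no "listen ... ssl" and no ssl_certificate appear in this
    # file, so the TLS settings below only take effect for TLS servers defined
    # elsewhere; the server block in this file speaks plain HTTP.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # DH parameters for the DHE (EDH) suites enabled below.
    ssl_dhparam /etc/nginx/dhparam.pem;
    # ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
    ssl_ecdh_curve secp384r1:prime256v1; # prime256v1 for older Androids
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    # ssl_stapling_verify needs the issuer chain configured through
    # ssl_trusted_certificate, which is not set in this file.
    ssl_stapling on;
    ssl_stapling_verify on;
    # Public resolvers; nginx uses them for run-time lookups such as the OCSP
    # responder host name.
    resolver 9.9.9.9 9.9.9.10 valid=300s;
    resolver_timeout 5s;

    #
    # Response hardening headers are left disabled by the author. If enabled,
    # note that an add_header inside a server or location block replaces, rather
    # than extends, the add_header set inherited from this level.
    # add_header X-Frame-Options DENY;
    # add_header X-Content-Type-Options nosniff;
    # add_header X-XSS-Protection "1; mode=block";

    server {
        server_name localhost;
        # Plain HTTP on all IPv4 and IPv6 addresses.
        # NOTE(review): presumably a TLS-terminating proxy sits in front of this
        # port - confirm, and restrict the port to that proxy if so.
        listen 9000;
        listen [::]:9000;
        large_client_header_buffers 4 32k;

        # $http_host is the Host header exactly as the client sent it. The
        # backends must validate it against their own allow-list before using it
        # in redirects, links or e-mails.
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        # Appends $remote_addr to whatever X-Forwarded-For the client supplied;
        # only the right-most entry is written by this proxy.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Hard-coded: the backends are told every request arrived over HTTPS,
        # although this listener is plain HTTP. Only correct if TLS is terminated
        # upstream of this server and port 9000 is not reachable directly.
        proxy_set_header X-Forwarded-Proto https;
        # proxy_pass_header governs response headers coming back from the
        # upstream. NOTE(review): the request Authorization header is forwarded
        # by default, so this line is likely unnecessary - confirm.
        proxy_pass_header Authorization;
        # HTTP/1.1 plus Upgrade/Connection are needed for WebSocket proxying.
        # Connection "Upgrade" is sent on every request here, not only on
        # WebSocket handshakes.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_redirect off;

        # location ~ ^/(admin|api|static)/ {
        # proxy_pass http://127.0.0.1:8000$request_uri;
        # }

        # Prefix match: also matches paths such as /apifoo, which are forwarded
        # to the API backend with the /api prefix rewritten in place.
        location /api {
            proxy_pass http://localhost:8000/api;
        }

        # Everything else goes to the backend on port 3000.
        location / {
            proxy_pass http://localhost:3000;
        }
    }
}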