@connormclaud
Created May 25, 2018 09:25
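pid /run/nginx.pid;
worker_processes auto;
# Per-worker open-file limit; should comfortably exceed worker_connections
# (below) since each proxied connection also holds an upstream socket.
worker_rlimit_nofile 409600;

events {
    worker_connections 4096;
    multi_accept on;
}

http {
    charset utf-8;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    # Hide the nginx version in the Server header and default error pages.
    server_tokens off;
    # Do not log errors for files that are not found. Cuts scanner noise, but
    # also hides probing; re-enable if those entries feed detection tooling.
    log_not_found off;
    types_hash_max_size 2048;
    # Upper bound on request bodies; larger uploads are rejected with 413.
    client_max_body_size 16M;

    # MIME
    include mime.types;
    default_type application/octet-stream;

    # # logging
    # NOTE: with these commented out nginx falls back to its compiled-in
    # default log paths, so logging is not actually disabled here.
    # access_log /var/log/nginx/access.log;
    # error_log /var/log/nginx/error.log warn;

    # SSL
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    # Tickets off: nginx does not rotate its ticket key, so a long-lived key
    # would weaken forward secrecy for resumed sessions.
    ssl_session_tickets off;
    # modern configuration: TLS 1.2 only with ECDHE-only suites (forward
    # secrecy), so no ssl_dhparam is required. The trailing *-SHA384/*-SHA256
    # entries are CBC suites; drop them if every client supports AEAD
    # (GCM/CHACHA20-POLY1305). TLSv1.3 can be added once the nginx/OpenSSL
    # build in use supports it.
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
    ssl_prefer_server_ciphers on;

    # OCSP Stapling
    # NOTE(review): ssl_stapling_verify needs the issuer chain available via
    # ssl_trusted_certificate (or bundled in ssl_certificate) to actually
    # verify responses. Stapling is also skipped (with a startup warning) for
    # certificates that carry no OCSP responder URL, which is typical for
    # self-signed staging certificates such as the one below.
    ssl_stapling on;
    ssl_stapling_verify on;
    # 127.0.0.11 is Docker's embedded DNS; valid=60s re-resolves upstream
    # names so a re-created container is picked up without a reload.
    resolver 127.0.0.11 valid=60s;
    resolver_timeout 2s;

    # load configs
    include /etc/nginx/conf.d/*.conf;

    # python.staging
    # No server_name: this server answers every request arriving on 5443.
    server {
        listen 5443 ssl http2;

        # SSL
        ssl_certificate /etc/nginx/ssl/python.staging.crt;
        ssl_certificate_key /etc/nginx/ssl/python.staging.key;
        # Client certificates are not requested (this is also the default).
        ssl_verify_client off;

        # security headers
        # "always" sends them on error responses too. add_header is not
        # merged across levels: any add_header inside a location replaces
        # this whole set, so repeat them there if a location needs its own.
        add_header X-Frame-Options "SAMEORIGIN" always;
        # Legacy XSS-filter header; current guidance is "0" because the
        # browser filter itself has been an attack vector. Left unchanged.
        add_header X-XSS-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Referrer-Policy "no-referrer-when-downgrade" always;
        # WARNING: this policy allows every origin, data: URIs, inline script
        # and eval, so it gives no XSS protection at all; treat it as a
        # placeholder until the application's real sources are enumerated.
        # At minimum drop 'unsafe-eval' and restrict script-src before this
        # config is reused for production.
        add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
        # CAUTION: HSTS is keyed on the host, not the port, includeSubDomains
        # extends it to every subdomain, and preload is a near-permanent
        # commitment (preload submission also requires port 443). Confirm
        # this is intended for a staging host before keeping "preload".
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

        location /client_data {
            resolver 127.0.0.11 valid=60s;
            resolver_timeout 5s;
            # Variable upstream so the name is resolved per request rather
            # than at startup (nginx still starts if the container is down).
            set $upstream_client_data web:5000;
            # Let the backend see the real client address, the requested host
            # and that TLS was terminated here (needed for correct logging,
            # rate limiting and https:// redirects on the app side).
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            # No URI on proxy_pass: when proxy_pass contains a variable AND a
            # URI, nginx sends that URI verbatim and discards the request's
            # sub-path and query string ("/client_data/1?x=y" reached the
            # backend as "/client_data"). Without a URI the original request
            # URI is forwarded unchanged, which still maps "/client_data" to
            # "/client_data" on the backend. Traffic to the backend is
            # plaintext HTTP; acceptable only on an isolated Docker network.
            proxy_pass http://$upstream_client_data;
        }

        # gzip
        # NOTE: compressing responses over TLS can expose secrets in the body
        # to BREACH-style attacks when attacker-controlled input is reflected
        # in the same response; keep gzip off for such endpoints.
        gzip on;
        gzip_vary on;
        gzip_proxied any;
        gzip_comp_level 6;
        gzip_types application/json;
    }
}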