Skip to content

Instantly share code, notes, and snippets.

@connormclaud
Created May 25, 2018 09:25
Show Gist options
  • Save connormclaud/bc3d65dcb307507c0d8786a168c66b51 to your computer and use it in GitHub Desktop.
Save connormclaud/bc3d65dcb307507c0d8786a168c66b51 to your computer and use it in GitHub Desktop.
pid /run/nginx.pid;
worker_processes auto;
worker_rlimit_nofile 409600;
events {
worker_connections 4096;
multi_accept on;
}
http {
charset utf-8;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
server_tokens off;
log_not_found off;
types_hash_max_size 2048;
client_max_body_size 16M;
# MIME
include mime.types;
default_type application/octet-stream;
# # logging
# access_log /var/log/nginx/access.log;
# error_log /var/log/nginx/error.log warn;
# SSL
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# modern configuration
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
ssl_prefer_server_ciphers on;
# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 127.0.0.11 valid=60s;
resolver_timeout 2s;
# load configs
include /etc/nginx/conf.d/*.conf;
# python.staging
server {
listen 5443 ssl http2;
# SSL
ssl_certificate /etc/nginx/ssl/python.staging.crt;
ssl_certificate_key /etc/nginx/ssl/python.staging.key;
ssl_verify_client off;
# security headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
location /client_data {
resolver 127.0.0.11 valid=60s;
resolver_timeout 5s;
set $upstream_client_data web:5000;
proxy_pass http://$upstream_client_data/client_data;
}
# gzip
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_types application/json;
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment