Skip to content

Instantly share code, notes, and snippets.

@dillonhafer
Created May 2, 2019 15:05
Show Gist options
  • Save dillonhafer/7f09d5c65100a6ec347557a196f8c14c to your computer and use it in GitHub Desktop.
Save dillonhafer/7f09d5c65100a6ec347557a196f8c14c to your computer and use it in GitHub Desktop.
# APEX & NON-TLS
server {
listen 80;
listen [::]:80;
server_name example.com www.example.com;
return 301 https://www.example.com$request_uri;
}
server {
listen 80;
listen [::]:80;
server_name api.example.com;
return 301 https://api.example.com$request_uri;
}
server {
ssl on;
listen 443;
listen [::]:443;
server_name example.com;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 10m;
ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!DH+3DES:!ADH:!AECDH:!MD5;
return 301 https://www.budgetal.com$request_uri;
}
# Frontend Website Config
server {
listen 443 default_server;
listen [::]:443;
ssl on;
server_name www.example.com;
root /home/deploy/example-production/build;
# HSTS
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# Secure Headers
add_header X-Frame-Options DENY;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
add_header X-Permitted-Cross-Domain-Policies none;
# TLS
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 10m;
ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!DH+3DES:!ADH:!AECDH:!MD5;
location / {
gzip_static on;
try_files $uri /index.html;
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_disable "MSIE [1-6]\.";
gzip_comp_level 6;
gzip_types application/javascript application/json text/javascript application/x-javascript text/css image/x-icon image/png image/jpeg image/gif;
}
client_max_body_size 4G;
keepalive_timeout 10;
}
# Backend Config
server {
listen 443;
listen [::]:443 ssl http2;
ssl on;
server_name api.example.com;
root /home/deploy/example-production/build;
# HSTS
add_header Strict-Transport-Security "max-age=31536000" always;
# Secure Headers
add_header X-Frame-Options DENY;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
add_header X-Permitted-Cross-Domain-Policies none;
# TLS
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 10m;
ssl_certificate /etc/letsencrypt/live/api.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/api.example.com/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!DH+3DES:!ADH:!AECDH:!MD5;
if (-f $document_root/maintenance_mode_enabled) {
return 503;
}
error_page 503 = @maintenance;
location @maintenance {
more_set_headers "Content-Type: application/json";
if ($request_method = OPTIONS) {
return 204;
}
return 503 "{}";
}
client_max_body_size 4G;
keepalive_timeout 10;
location / {
# CORS Headers
more_set_headers "Access-Control-Allow-Origin: https://www.example.com";
more_set_headers "Access-Control-Allow-Credentials: true";
more_set_headers "Access-Control-Allow-Methods: GET, POST, OPTIONS, DELETE, PATCH, PUT";
more_set_headers "Access-Control-Allow-Headers: DNT,X-CustomHeader,X-Budgetal-Session,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type";
if ($request_method = OPTIONS) {
return 204;
}
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://localhost:3000/;
proxy_redirect http://localhost:3000/ http://$server_name/;
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment