Last active
November 21, 2021 08:53
NGINX application router
# Parts of this configuration are adapted from
# https://github.com/h5bp/server-configs-nginx/blob/master/nginx.conf

# Account the worker processes run as. The directive only takes effect when
# the master process is started with super-user privileges.
# Default: nobody nobody
user nginx;

# Start one worker process per CPU core detected on the host.
# Maximum number of connections = worker_processes * worker_connections
# Default: 1
worker_processes auto;

# Main-context error log: messages of level "info" and above go to standard
# output. The http{} block in this file declares its own error_log, which
# applies to HTTP request processing instead of this one.
# Default: logs/error.log error
error_log /dev/stdout info;

# File in which the master process records its process ID.
# Default: nginx.pid
pid /var/run/nginx.pid;
events {
    # Upper bound on simultaneous connections per worker process. The count
    # includes connections to proxied upstreams, not only client connections.
    # It has to stay below the per-process open-file limit; this file does not
    # set worker_rlimit_nofile, so the limit inherited from the OS applies.
    # Needing more than this is the point at which OS-level tuning starts.
    # Default: 512
    worker_connections 8000;
}
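http {
    # Hide the nginx version in the Server header and on error pages.
    # Default: on
    server_tokens off;

    # Specify MIME types for files.
    include /etc/nginx/mime.types;

    # Default: text/plain
    default_type application/octet-stream;

    # $remote_addr is the peer address nginx actually saw. The Referer,
    # User-Agent and X-Forwarded-For fields are copied from request headers
    # and are therefore client-controlled; treat them as untrusted when the
    # log is used for investigation or fed to other tooling.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    # Log access.
    # This is only used when you don't override it on a server{} level
    # Default: logs/access.log combined
    access_log /var/log/nginx/access.log main;
    error_log /var/log/nginx/error.log warn;

    # Speed up file transfers by using sendfile() to copy directly
    # between descriptors rather than using read()/write().
    # For performance reasons, on FreeBSD systems w/ ZFS
    # this option should be disabled as ZFS's ARC caches
    # frequently used files in RAM by default.
    # Default: off
    sendfile on;

    # How long to allow each connection to stay idle.
    # Longer values are better for each individual client, particularly for SSL,
    # but mean that worker connections are tied up longer.
    # Default: 75s
    keepalive_timeout 20s;

    # Enable gzip compression. gzip_types is not set, so only text/html
    # responses are compressed.
    # Caveat: compressing HTTPS responses that contain both a secret (for
    # example a CSRF token) and attacker-influenced input is the precondition
    # for BREACH-style compression side channels. Because gzip_proxied is
    # "any", this applies to the proxied applications' HTML as well; disable
    # gzip for such responses if the applications do not mitigate it.
    # Default: off
    gzip on;

    # Compression level (1-9).
    # 5 is a compromise between size and CPU usage, offering about
    # 75% reduction for most ASCII files (almost identical to level 9).
    # Default: 1
    gzip_comp_level 5;

    # Don't compress anything that's already small and unlikely to shrink much
    # if at all (the default is 20 bytes, which is bad as that usually leads to
    # larger files after gzipping).
    # Default: 20
    gzip_min_length 256;

    # Compress data even for clients that are connecting to us via proxies,
    # identified by the "Via" header (required for CloudFront).
    # Default: off
    gzip_proxied any;

    # Tell proxies to cache both the gzipped and regular version of a resource
    # whenever the client's Accept-Encoding capabilities header varies;
    # avoids the issue where a non-gzip capable client (which is extremely rare
    # today) would display gibberish if their proxy gave them the gzipped version.
    # Default: off
    gzip_vary on;

    # Improve HTTPS performance with session resumption
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;

    # Certificate and key are declared once here and inherited by every
    # "listen 443 ssl" server below, so the certificate has to cover
    # app1.curious-directory.com and app2.curious-directory.com.
    # Keep privkey.pem readable by root only.
    ssl_certificate /etc/letsencrypt/live/curious-directory.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/curious-directory.com/privkey.pem;

    # Use the server's cipher preference order instead of the client's.
    ssl_prefer_server_ciphers on;

    # ECDHE key exchange with AES only. The former DH+3DES entry was removed:
    # 3DES is a 64-bit block cipher (Sweet32), and it was the only DHE suite
    # in the list while no ssl_dhparam is configured.
    # This list governs TLS 1.2 and below; TLS 1.3 suites are not selected here.
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5;

    # SSLv3, TLS 1.0 and TLS 1.1 are disabled (TLS 1.0/1.1 are deprecated by
    # RFC 8996). The TLSv1.3 parameter needs nginx 1.13.0+ built against
    # OpenSSL 1.1.1+; drop it on older builds.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Headers passed to the proxied applications (inherited by both
    # "location /" blocks below, which define no proxy_set_header of their own).
    # X-Real-IP is the address nginx saw and cannot be set by the client.
    # X-Forwarded-For keeps whatever the client sent and appends the real peer
    # address, so only the last entry is trustworthy.
    # X-Forwarded-Proto overwrites any client-supplied value.
    # Host is left at the nginx default ($proxy_host), so the applications see
    # the upstream address as Host, as before.
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Redirect all HTTP traffic to HTTPS.
    # This is the only server on port 80, so nginx also uses it as the default
    # for requests whose Host header matches none of the names below, and
    # $host then reflects that client-supplied value into the Location header.
    # The application hostnames are listed explicitly; add a separate
    # default_server that rejects unknown hosts if the reflection is unwanted.
    server {
        listen 80;
        server_name www.curious-directory.com curious-directory.com
                    app1.curious-directory.com app2.curious-directory.com;
        return 301 https://$host$request_uri;
    }

    # First server on port 443, hence also the implicit default: HTTPS
    # requests for any other name (including www.curious-directory.com and
    # curious-directory.com, which the redirect above sends here) are proxied
    # to app1 unless a dedicated default_server is added.
    server {
        listen 443 ssl;
        server_name app1.curious-directory.com;

        location / {
            # TLS terminates at nginx; traffic to the upstream is plain HTTP.
            proxy_pass http://192.168.1.100:8000;
        }
    }

    server {
        listen 443 ssl;
        server_name app2.curious-directory.com;

        location / {
            # TLS terminates at nginx; traffic to the upstream is plain HTTP.
            proxy_pass http://192.168.1.100:8001;
        }
    }
}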