Skip to content

Instantly share code, notes, and snippets.

@jgeiger
Last active Dec 24, 2021
Embed
What would you like to do?
Nginx base config
user www-data;
worker_processes 2;
worker_rlimit_nofile 8192;
events {
worker_connections 4096;
multi_accept on;
use epoll;
}
http {
server_tokens off;
include mime.types;
default_type application/octet-stream;
charset_types text/xml text/plain text/vnd.wap.wml application/x-javascript application/rss+xml text/css application/javascript application/json;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
gzip on;
gzip_static on;
gzip_proxied any;
gzip_buffers 16 8k;
gzip_min_length 256;
gzip_comp_level 5;
gzip_vary on;
gzip_types
application/atom+xml
application/javascript
application/x-javascript
application/json
application/rss+xml
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/svg+xml
image/x-icon
text/css
text/xml
text/js
text/javascript
text/plain
text/x-component;
upstream api {
server 127.0.0.1:3001;
server 127.0.0.1:3002;
server 127.0.0.1:3003;
server 127.0.0.1:3004;
server 127.0.0.1:3005;
hash $cookie_stream_id;
}
server {
listen [::]:80;
listen 80;
server_name localhost;
# Path for static files
root /home/sites/nexia_diagnostics/current/adapters/web_server/public;
#Specify a charset
charset utf-8;
location / {
try_files $uri @app;
}
location @app {
# magic for eventsource proxying
# http://zerolith.com/sinatra-streaming-nginx-proxy.html
# http://stackoverflow.com/questions/13672743/eventsource-server-sent-events-through-nginx
if ($http_x_forwarded_proto != 'https') {
rewrite ^ https://$host$request_uri? permanent;
}
proxy_set_header Connection '';
proxy_http_version 1.1;
chunked_transfer_encoding off;
proxy_buffering off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host:$server_port;
proxy_redirect off;
proxy_pass http://api;
}
# This tells Nginx to cache open file handles, "not found" errors, metadata about files and their permissions, etc.
#
# The upside of this is that Nginx can immediately begin sending data when a popular file is requested,
# and will also know to immediately send a 404 if a file is missing on disk, and so on.
#
# However, it also means that the server won't react immediately to changes on disk, which may be undesirable.
#
# In the below configuration, inactive files are released from the cache after 20 seconds, whereas
# active (recently requested) files are re-validated every 30 seconds.
#
# Descriptors will not be cached unless they are used at least 2 times within 20 seconds (the inactive time).
#
# A maximum of the 1000 most recently used file descriptors can be cached at any time.
#
# Production servers with stable file collections will definitely want to enable the cache.
open_file_cache max=1000 inactive=20s;
open_file_cache_valid 30s;
open_file_cache_min_uses 2;
open_file_cache_errors on;
# Cross domain AJAX requests
# **Security Warning**
# Do not use this without understanding the consequences.
# This will permit access from any other website.
#
# add_header "Access-Control-Allow-Origin" "*";
# Instead of using this file, consider using a specific rule such as:
#
# Allow access based on [sub]domain:
# add_header "Access-Control-Allow-Origin" "subdomain.example.com";
# OR
add_header "Access-Control-Allow-Origin" "*.mynexia.com";
# The X-Frame-Options header indicates whether a browser should be allowed
# to render a page within a frame or iframe.
add_header X-Frame-Options SAMEORIGIN;
# MIME type sniffing security protection
#There are very few edge cases where you wouldn't want this enabled.
add_header X-Content-Type-Options nosniff;
# The X-XSS-Protection header is used by Internet Explorer version 8+
# The header instructs IE to enable its inbuilt anti-cross-site scripting filter.
add_header X-XSS-Protection "1; mode=block";
# with Content Security Policy (CSP) enabled (and a browser that supports it (http://caniuse.com/#feat=contentsecuritypolicy),
# you can tell the browser that it can only download content from the domains you explicitly allow
# CSP can be quite difficult to configure, and cause real issues if you get it wrong
# There is website that helps you generate a policy here http://cspisawesome.com/
# add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' https://www.google-analytics.com;";
# Prevent mobile network providers from modifying your site
#
# (!) If you are using `ngx_pagespeed`, please note that setting
# the `Cache-Control: no-transform` response header will prevent
# `PageSpeed` from rewriting `HTML` files, and, if
# `pagespeed DisableRewriteOnNoTransform off` is not used, also
# from rewriting other resources.
#
# https://developers.google.com/speed/pagespeed/module/configuration#notransform
add_header "Cache-Control" "no-transform";
# Force the latest IE version
add_header "X-UA-Compatible" "IE=Edge";
# Built-in filename-based cache busting
# https://github.com/h5bp/html5-boilerplate/blob/5370479476dceae7cc3ea105946536d6bc0ee468/.htaccess#L403
# This will route all requests for /css/style.20120716.css to /css/style.css
# Read also this: github.com/h5bp/html5-boilerplate/wiki/cachebusting
# This is not included by default, because it'd be better if you use the build
# script to manage the file names.
location ~* (.+)\.(?:\d+)\.(js|css|png|jpg|jpeg|gif)$ {
try_files $uri $1.$2;
}
# Cross domain webfont access
location ~* \.(?:ttf|ttc|otf|eot|woff|woff2)$ {
include h5bp/directive-only/cross-domain-insecure.conf;
# Also, set cache rules for webfonts.
#
# See http://wiki.nginx.org/HttpCoreModule#location
# And https://github.com/h5bp/server-configs/issues/85
# And https://github.com/h5bp/server-configs/issues/86
expires 1M;
access_log off;
add_header Cache-Control "public";
}
# Expire rules for static content
# No default expire rule. This config mirrors that of apache as outlined in the
# html5-boilerplate .htaccess file. However, nginx applies rules by location,
# the apache rules are defined by type. A concequence of this difference is that
# if you use no file extension in the url and serve html, with apache you get an
# expire time of 0s, with nginx you'd get an expire header of one month in the
# future (if the default expire rule is 1 month). Therefore, do not use a
# default expire rule with nginx unless your site is completely static
# Feed
location ~* \.(?:rss|atom)$ {
expires 1h;
add_header Cache-Control "public";
}
# Media: images, icons, video, audio, HTC
location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
expires 1M;
access_log off;
add_header Cache-Control "public";
}
# CSS and Javascript
location ~* \.(?:css|js)$ {
expires 1y;
access_log off;
add_header Cache-Control "public";
}
# Prevent clients from accessing hidden files (starting with a dot)
# This is particularly important if you store .htpasswd files in the site hierarchy
location ~* (?:^|/)\. {
deny all;
}
# Prevent clients from accessing to backup/config/source files
location ~* (?:\.(?:bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist)|~)$ {
deny all;
}
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment