@manh-dan
Forked from Asjas/nginx.conf
Created October 2, 2021 14:22
Nginx sample config. Includes CSP headers, caching headers, gzip and brotli compression
# Process identity and bookkeeping for the nginx master/worker processes.
user                 www-data;
pid                  /var/run/nginx.pid;

# One worker per detected CPU core; each worker may hold up to 8192 open
# file descriptors (must stay above worker_connections in the events block).
worker_processes     auto;
worker_rlimit_nofile 8192;

# Only messages at level "warn" and above are written to the error log.
error_log            /var/log/nginx/error.log warn;
events {
    # Upper bound on simultaneous connections a single worker will handle.
    worker_connections 8000;
}
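http {
    include      /etc/nginx/mime.types;
    default_type application/octet-stream;

    sendfile           on;
    sendfile_max_chunk 1m;
    tcp_nopush         on;
    keepalive_timeout  60s;

    # Do not advertise the nginx version in the Server header or on error pages.
    server_tokens off;

    # NOTE(review): access_log names no format, so the built-in "combined" format
    # is what gets written. extended_with_variables is defined but never applied;
    # append its name to an access_log directive if the timing fields are wanted
    # for investigation. Both timing fields are currently logged under the same
    # key ("rt"), which makes them hard to tell apart when parsing.
    access_log /var/log/nginx/access.log;
    log_format extended_with_variables '$remote_addr - $remote_user [$time_local]"$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" rt=$request_time rt="$upstream_response_time"';

    # Response compression for text-like static assets. The brotli_* directives
    # need the brotli module to be built in or loaded. Level 9 is the most
    # CPU-expensive setting for on-the-fly compression.
    # NOTE(review): if this file is reused in front of dynamic responses that mix
    # secrets with reflected request data, revisit compression for those routes.
    brotli            on;
    brotli_types      text/text text/plain text/css text/javascript application/javascript application/json application/manifest+json font/otf font/ttf font/woff font/woff2 image/svg+xml image/x-icon;
    brotli_comp_level 9;
    brotli_min_length 1024;

    gzip            on;
    gzip_vary       on;
    gzip_comp_level 9;
    gzip_min_length 1024;
    gzip_types      text/text text/plain text/css text/javascript application/javascript application/json application/manifest+json font/otf font/ttf font/woff font/woff2 image/svg+xml image/x-icon;

    # Cache-Control is chosen per URI here instead of with add_header inside
    # location blocks. add_header is inherited from an outer level only when the
    # inner level declares no add_header of its own, so per-location
    # Cache-Control lines would silently drop every security header below for
    # exactly those responses (the service worker, all HTML, css/js, /static).
    # The regexes are tried in order and reproduce the former location
    # precedence: exact /sw.js, then the two extension rules, then /static.
    map $uri $cache_control {
        default        "";
        # Don't cache the service worker
        ~^/sw\.js$     "no-store, no-cache, max-age=0, must-revalidate";
        # Don't cache html files
        ~\.html        "public, max-age=0, must-revalidate";
        # Cache css and js forever as webpack will cache-bust it
        ~\.(css|js)$   "public, max-age=31536000, immutable";
        # Cache static directory forever as webpack will cache-bust it
        ~^/static      "public, max-age=31536000, immutable";
    }
    # An empty value emits no header, so unmatched URIs get no Cache-Control.
    add_header Cache-Control $cache_control;

    # Security headers. "always" makes nginx send them on error responses
    # (404, 50x) as well; without it they are added only to a fixed set of
    # success and redirect status codes.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    # Legacy headers: X-XSS-Protection and Expect-CT are no longer acted on by
    # current browsers, so neither should be counted as a control. The CSP below
    # is the effective script-injection defence.
    add_header X-XSS-Protection "1; mode=block; report=https://asjas.report-uri.com/r/d/xss/enforce; report-to default" always;
    add_header Expect-CT "max-age=604800, report-uri=https://asjas.report-uri.com/r/d/ct/enforce; report-to default" always;
    # NOTE(review): 'unsafe-inline' and 'unsafe-eval' in script-src remove most
    # of the XSS protection a CSP provides; nonces or hashes would restore it.
    # Every third-party host in script-src is trusted to run code on this
    # origin, so keep that list to hosts that are still in use and still
    # controlled by the expected party. base-uri and frame-ancestors do not fall
    # back to default-src and are not set here.
    add_header Content-Security-Policy "default-src 'self' https://portfolio-site.prismic.io/api/v2 https://portfolio-site.cdn.prismic.io/api/v2/documents/search; script-src 'self' 'unsafe-inline' 'unsafe-eval' cdn.polyfill.com ajax.cloudflare.com sentry.io fullstory.com analytics.asjas.co.za; img-src 'self' portfolio-site.cdn.prismic.io analytics.asjas.co.za; style-src 'self' 'unsafe-inline'; font-src 'self' data:; form-action 'none'; report-uri https://asjas.report-uri.com/r/d/csp/enforce; report-to default" always;
    # "preload" plus includeSubdomains commits every subdomain to HTTPS for a
    # year; make sure all of them can serve TLS before relying on it.
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
    add_header Referrer-Policy "same-origin" always;
    # The Report-To value must be JSON, which requires double-quoted strings;
    # a single-quoted body is not valid JSON and the "default" group named by
    # the headers above would never be registered.
    add_header Report-To '{"group":"default","max_age":31536000,"endpoints":[{"url":"https://asjas.report-uri.com/a/d/g"}],"include_subdomains":true}' always;

    # Plain-HTTP listener: redirect everything to HTTPS, keeping the requested
    # path and query string instead of sending every visitor to the site root.
    server {
        listen 80;
        listen [::]:80;
        server_name asjas.co.za;
        return 301 https://asjas.co.za$request_uri;
    }

    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name asjas.co.za;

        ssl_certificate     /etc/ssl/certs/cert.pem;
        ssl_certificate_key /etc/ssl/private/key.pem;
        # NOTE(review): no ssl_protocols / ssl_ciphers are set, so the defaults
        # of the installed nginx/OpenSSL build apply. Pin them explicitly (for
        # example TLSv1.2 and TLSv1.3 only) once the build is known to support it.

        # Client-certificate verification is disabled. The file name suggests it
        # was meant to accept only Cloudflare as a client (confirm); while
        # it stays commented out, anything that can reach this address directly
        # is served without passing through the proxy.
        #ssl_client_certificate /etc/ssl/certs/cloudflare.crt;
        #ssl_verify_client on;

        root  /var/www/html/public;
        index index.html;
        client_max_body_size 32m;

        # Connection counters, readable from the local host only.
        location /nginx_status {
            stub_status on;
            allow 127.0.0.1;
            deny all;
        }

        error_page 404 /404.html;
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /var/lib/nginx/html;
        }
    }
}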