Skip to content

Instantly share code, notes, and snippets.

@mgcrea

mgcrea/gist:26ef92026a20ccc22226 Secret

Created June 15, 2015 15:21
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save mgcrea/26ef92026a20ccc22226 to your computer and use it in GitHub Desktop.
Save mgcrea/26ef92026a20ccc22226 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
gistfile1.txt
upstream proxy_example.com {
server 172.17.0.15:80;
}
server {
listen 80;
# Listen on the www host
server_name www.example.com;
# and redirect to the non-www host (declared below)
return 301 $scheme://example.com$request_uri;
}
server {
listen 80;
# Listen on the non-https host
server_name example.com;
# and redirect to the https host (declared below)
return 301 https://example.com$request_uri;
}
server {
listen 443 ssl spdy;
# listen [::]:443 ipv6only=on default_server ssl;
# The host name to respond to
server_name example.com;
# Sets the maximum allowed size of the client request body
client_max_body_size 5m;
# HTTPS certificates
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
ssl_prefer_server_ciphers on;
# Optimize SSL by caching session parameters for 10 minutes. This cuts down on the number of expensive SSL handshakes.
# The handshake is the most CPU-intensive operation, and by default it is re-negotiated on every new/parallel connection.
# By enabling a cache (of type "shared between all Nginx workers"), we tell the client to re-use the already negotiated state.
# Further optimization can be achieved by raising keepalive_timeout, but that shouldn't be done unless you serve primarily HTTPS.
ssl_session_cache shared:SSL:10m; # a 1mb cache can hold about 4000 sessions, so we can hold 40000 sessions
ssl_session_timeout 24h;
ssl_certificate /etc/nginx/certs/example.com.crt;
ssl_certificate_key /etc/nginx/certs/example.com.key;
# Use a higher keepalive timeout to reduce the need for repeated handshakes
keepalive_timeout 300; # up from 75 secs default
# Path for static files
#root /usr/share/nginx/www;
# Specify a charset
charset utf-8;
# Custom 404 page
#error_page 404 /404.html;
# Force the latest IE version
# Use ChromeFrame if it's installed for a better experience for the poor IE folk
add_header "X-UA-Compatible" "IE=Edge,chrome=1";
# Prevent clients from accessing hidden files (starting with a dot)
# This is particularly important if you store .htpasswd files in the site hierarchy
location ~* (?:^|/)\. {
deny all;
}
# Prevent clients from accessing to backup/config/source files
location ~* (?:\.(?:bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist)|~)$ {
deny all;
}
# Pass the request to the NodeJS server
location / {
include /etc/nginx/proxy_params;
proxy_buffering off;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://proxy_example.com;
proxy_redirect http://proxy_example.com https://example.com;
# Handle websocket with nginx (>= 1.3.13)
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment