-
-
Save mgcrea/26ef92026a20ccc22226 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
upstream proxy_example.com { | |
server 172.17.0.15:80; | |
} | |
server { | |
listen 80; | |
# Listen on the www host | |
server_name www.example.com; | |
# and redirect to the non-www host (declared below) | |
return 301 $scheme://example.com$request_uri; | |
} | |
server { | |
listen 80; | |
# Listen on the non-https host | |
server_name example.com; | |
# and redirect to the https host (declared below) | |
return 301 https://example.com$request_uri; | |
} | |
server { | |
listen 443 ssl spdy; | |
# listen [::]:443 ipv6only=on default_server ssl; | |
# The host name to respond to | |
server_name example.com; | |
# Sets the maximum allowed size of the client request body | |
client_max_body_size 5m; | |
# HTTPS certificates | |
ssl on; | |
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA; | |
ssl_prefer_server_ciphers on; | |
# Optimize SSL by caching session parameters for 10 minutes. This cuts down on the number of expensive SSL handshakes. | |
# The handshake is the most CPU-intensive operation, and by default it is re-negotiated on every new/parallel connection. | |
# By enabling a cache (of type "shared between all Nginx workers"), we tell the client to re-use the already negotiated state. | |
# Further optimization can be achieved by raising keepalive_timeout, but that shouldn't be done unless you serve primarily HTTPS. | |
ssl_session_cache shared:SSL:10m; # a 1mb cache can hold about 4000 sessions, so we can hold 40000 sessions | |
ssl_session_timeout 24h; | |
ssl_certificate /etc/nginx/certs/example.com.crt; | |
ssl_certificate_key /etc/nginx/certs/example.com.key; | |
# Use a higher keepalive timeout to reduce the need for repeated handshakes | |
keepalive_timeout 300; # up from 75 secs default | |
# Path for static files | |
#root /usr/share/nginx/www; | |
# Specify a charset | |
charset utf-8; | |
# Custom 404 page | |
#error_page 404 /404.html; | |
# Force the latest IE version | |
# Use ChromeFrame if it's installed for a better experience for the poor IE folk | |
add_header "X-UA-Compatible" "IE=Edge,chrome=1"; | |
# Prevent clients from accessing hidden files (starting with a dot) | |
# This is particularly important if you store .htpasswd files in the site hierarchy | |
location ~* (?:^|/)\. { | |
deny all; | |
} | |
# Prevent clients from accessing to backup/config/source files | |
location ~* (?:\.(?:bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist)|~)$ { | |
deny all; | |
} | |
# Pass the request to the NodeJS server | |
location / { | |
include /etc/nginx/proxy_params; | |
proxy_buffering off; | |
proxy_set_header X-Forwarded-Proto $scheme; | |
proxy_set_header X-NginX-Proxy true; | |
proxy_pass http://proxy_example.com; | |
proxy_redirect http://proxy_example.com https://example.com; | |
# Handle websocket with nginx (>= 1.3.13) | |
proxy_http_version 1.1; | |
proxy_set_header Upgrade $http_upgrade; | |
proxy_set_header Connection "upgrade"; | |
} | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment