Example Reverse Proxy nginx.conf
## Starter Nginx.conf file
## Intended to be used with the Wodby Nginx image: `FROM wodby/nginx:1.17-5.8.15`
# Worker processes run as this unprivileged account; only the master keeps root
# for the port bind and the pid/log files.
user nginx;
# Stay in the foreground so the container runtime supervises the process.
daemon off;
worker_processes 1;
# error_log /dev/stderr debug;
error_log /dev/stderr warn;
pid /var/run/nginx.pid;
# PageSpeed module is left disabled; the templated block is kept for reference.
# {{ if getenv "NGINX_PAGESPEED_ENABLED" }}
# load_module modules/ngx_pagespeed.so;
# {{ end }}
events {
    # Per-worker connection cap; with worker_processes 1 this is the whole
    # server's concurrent connection budget (clients plus upstream sockets).
    worker_connections 4096;
    # Accept every pending connection per wake-up instead of one at a time.
    multi_accept on;
}
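http {
    # https://github.com/h5bp/server-configs-nginx
    # Hide Nginx version information.
    include h5bp/security/server_software_information.conf;

    # Specify media (MIME) types for files.
    include h5bp/media_types/media_types.conf;

    # Set character encodings.
    include h5bp/media_types/character_encodings.conf;

    log_format main '$remote_addr - $remote_user $upstream_cache_status [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    # Extended format used by access_log below: adds host/server_name, request
    # time, the upstream address/status/time/length and the cache status, which
    # is what is needed when diagnosing cache misses or a slow origin.
    log_format main_ext '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for" '
                        '"$host" sn="$server_name" '
                        'rt=$request_time '
                        'ua="$upstream_addr" us="$upstream_status" '
                        'ut="$upstream_response_time" ul="$upstream_response_length" '
                        'cs=$upstream_cache_status' ;

    access_log /dev/stdout main_ext;

    # Public resolvers, queried over plain DNS. The proxy_pass targets below are
    # literal hostnames, so they are resolved via the system resolver at startup;
    # this directive only affects names nginx resolves at runtime.
    resolver 8.8.8.8 1.1.1.1;

    # How long to allow each connection to stay idle.
    # Longer values are better for each individual client, particularly for SSL,
    # but means that worker connections are tied up longer.
    # Default: 75s
    # https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout
    keepalive_timeout 20s;

    # Speed up file transfers by using `sendfile()` to copy directly between
    # descriptors rather than using `read()`/`write()`.
    # For performance reasons, on FreeBSD systems w/ ZFS this option should be
    # disabled as ZFS's ARC caches frequently used files in RAM by default.
    # Default: off
    # https://nginx.org/en/docs/http/ngx_http_core_module.html#sendfile
    sendfile on;

    # Don't send out partial frames; this increases throughput since TCP frames
    # are filled up before being sent out.
    # Default: off
    # https://nginx.org/en/docs/http/ngx_http_core_module.html#tcp_nopush
    tcp_nopush on;

    # Enable gzip compression.
    include h5bp/web_performance/compression.conf;

    # Specify file cache expiration.
    include h5bp/web_performance/cache_expiration.conf;

    # {{ if getenv "NGINX_PAGESPEED_ENABLED" }}
    # include /etc/nginx/conf.d/pagespeed.conf;
    # {{ end }}

    {{ if getenv "NGINX_BROTLI_ENABLED" }}
    include /etc/nginx/conf.d/brotli.conf;
    {{ end }}

    # The maps below feed the h5bp add_header includes used in the server block.
    # They key on $sent_http_content_type, i.e. the upstream's response type.

    # Add X-XSS-Protection for HTML documents.
    # h5bp/security/x-xss-protection.conf
    map $sent_http_content_type $x_xss_protection {
        #           (1)    (2)
        ~*text/html "1; mode=block";
    }

    # Add X-Frame-Options for HTML documents.
    # h5bp/security/x-frame-options.conf
    map $sent_http_content_type $x_frame_options {
        ~*text/html DENY;
    }

    # Add Content-Security-Policy for HTML documents.
    # h5bp/security/content-security-policy.conf
    # NOTE(review): the server block below does not include that h5bp file, so
    # nginx never emits this Content-Security-Policy header; either the origin
    # sets its own CSP (not hidden by proxy_hide_header, so it would pass
    # through) or the include was forgotten. Confirm before adding the include:
    # this policy is strict (default-src 'self').
    map $sent_http_content_type $content_security_policy {
        ~*text/(html|javascript)|application/pdf|xml "default-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests";
    }

    # Add Referrer-Policy for HTML documents.
    # h5bp/security/referrer-policy.conf.conf
    map $sent_http_content_type $referrer_policy {
        ~*text/(css|html|javascript)|application\/pdf|xml "strict-origin-when-cross-origin";
    }

    # Add X-UA-Compatible for HTML documents.
    # h5bp/internet_explorer/x-ua-compatible.conf
    map $sent_http_content_type $x_ua_compatible {
        ~*text/html "IE=edge";
    }

    # Add Access-Control-Allow-Origin.
    # h5bp/cross-origin/requests.conf
    # Wildcard CORS is limited to images and fonts; HTML/JSON responses never
    # get this header.
    map $sent_http_content_type $cors {
        # Images
        ~*image/ "*";
        # Web fonts
        ~*font/ "*";
        ~*application/vnd.ms-fontobject "*";
        ~*application/x-font-ttf "*";
        ~*application/font-woff "*";
        ~*application/x-font-woff "*";
        ~*application/font-woff2 "*";
    }

    # $uri with its leading slash stripped. Not referenced anywhere in this
    # file; kept for compatibility with any include that may use it.
    map $uri $no_slash_uri {
        ~^/(?<no_slash>.*)$ $no_slash;
    }

    # --- Proxy cache -----------------------------------------------------
    # Zone "fly" is referenced by `proxy_cache fly;` in the locations below.
    proxy_cache_path /tmp/nginx-cache keys_zone=fly:16m inactive=4h use_temp_path=off max_size=256m;
    proxy_cache_methods GET HEAD;
    proxy_cache_valid 200 302 10m;
    proxy_cache_valid 301 1h;
    proxy_cache_valid any 1m;
    proxy_cache_use_stale updating error timeout http_429 http_500 http_502 http_503 http_504;
    # Keyed on the client-supplied Host: entries are per public hostname, so a
    # response cached for one Host is never served under another. Because the
    # main server is default_server, any Host value creates its own entries
    # (bounded by max_size above).
    proxy_cache_key $scheme://$http_host/$request_uri;
    proxy_cache_revalidate on;
    proxy_cache_background_update on;
    proxy_cache_lock on;

    # Set-Cookie and Vary are ignored below (see proxy_ignore_headers), which
    # makes responses carrying cookies cacheable. Until per-user responses are
    # excluded from the cache, anything generated for an authenticated user
    # could be stored and served to other clients. Requests carrying an
    # Authorization header are therefore neither stored nor served from cache;
    # once cookie-based auth is set up, add its cookie here as well
    # (the original placeholder is kept below).
    proxy_no_cache $http_authorization;
    # When we set up auth, we should bypass the cache
    # proxy_no_cache $cookie_nocache;

    # XSS headers from Phoenix, we set those above (h5bp add_header includes
    # in the server block re-add X-Frame-Options / X-XSS-Protection from the
    # maps). Server is hidden once; header names are case-insensitive.
    proxy_hide_header x-frame-options;
    proxy_hide_header x-xss-protection;
    proxy_hide_header Server;

    proxy_redirect off;
    proxy_read_timeout 30;
    proxy_connect_timeout 5;
    proxy_send_timeout 30;
    # HTTP/1.1 with an empty Connection header keeps upstream connections
    # reusable; Upgrade is stripped, so WebSocket upgrades are not forwarded.
    proxy_http_version 1.1;
    proxy_hide_header Upgrade;
    proxy_buffering on;

    # TLS to the https:// origins below: SNI is sent and TLS 1.2 is required,
    # but proxy_ssl_verify is left at its default (off), so the origin's
    # certificate is not checked against any CA. Add
    # `proxy_ssl_verify on;` with `proxy_ssl_trusted_certificate <path-to-ca-bundle>;`
    # once the image's CA bundle location is known.
    proxy_ssl_server_name on;
    proxy_ssl_protocols TLSv1.2;

    # proxy_ignore_headers Vary Cache-Control Set-Cookie Expires;
    proxy_ignore_headers Vary Set-Cookie Expires;
    # Any client can skip the cache by sending a Pxy-Bypass header, which lets
    # unauthenticated traffic hit the origin directly; restrict this to a
    # trusted value or source if origin load is a concern. Authorization-bearing
    # requests also bypass the cache (see proxy_no_cache above).
    proxy_cache_bypass $http_pxy_bypass $http_authorization;
    proxy_ignore_client_abort on;
    # proxy_pass_header controls response headers nginx otherwise hides;
    # Authorization is a request header and is forwarded by default, so this
    # line is believed to be a no-op and is kept for compatibility.
    proxy_pass_header Authorization;
    proxy_set_header Connection "";
    # Force uncompressed upstream bodies so sub_filter in the locations below
    # can rewrite them; compression.conf re-compresses on the way out.
    proxy_set_header Accept-Encoding "";
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header True-Client-IP $remote_addr;
    proxy_set_header X-NginX-Proxy true;
    # NOTE(review): this listener is plain HTTP on 8080, so $scheme is always
    # "http" here even when the client reached the edge over TLS (the server
    # block relies on $http_x_forwarded_proto for that). If the origin builds
    # absolute URLs from X-Forwarded-Proto, consider forwarding the edge's
    # value instead — confirm what the edge sends before changing it.
    proxy_set_header X-Forwarded-Proto $scheme;

    # Redirect the www host to the bare domain. Go straight to https: the main
    # server below redirects http to https anyway, and $scheme would be "http"
    # on this plain listener, which produced a second hop through a cleartext
    # URL.
    server {
        listen 8080;
        server_name www.publicurl.com;
        return 301 https://publicurl.com$request_uri;
    }

    server {
        listen 8080 default_server{{ if getenv "NGINX_HTTP2" }} http2{{ end }};
        server_name {{ getenv "NGINX_SERVER_NAME" "default" }};
        # Public hostname used for sub_filter rewrites and forwarded-host
        # headers; overridable per environment.
        set $canonical_host {{ getenv "CANONICAL_HOST" "publicurl.com" }};

        # Nginx Server Configs | MIT License
        # https://github.com/h5bp/server-configs-nginx
        include h5bp/internet_explorer/x-ua-compatible.conf;
        include h5bp/security/referrer-policy.conf;
        include h5bp/security/x-content-type-options.conf;
        include h5bp/security/x-frame-options.conf;
        include h5bp/security/x-xss-protection.conf;
        include h5bp/security/server_software_information.conf;
        include h5bp/location/security_file_access.conf;
        include h5bp/cross-origin/requests.conf;

        # FROM: http://localhost:3000/products/jlg-ping-pin-tilt-cyl-part-number-1001147527-1001147527-pjiv1heeja00i7op
        # TO:   https://publicurl.com/shop/search?text=jlg%2Bping%2Bpin%2Btilt%2Bcyl%2Bpart%2Bnumber%2B1001147527%2B1001147527%2Bpjiv1heeja00i7op
        # $1 is the decoded path segment and is placed into the query string as
        # is; the redirect stays on this host, so the worst case is an odd
        # search query.
        rewrite ^/products/(.*)$ /shop/search?text=$1 permanent;
        port_in_redirect off;

        # Debug headers exposed to every client: they reveal upstream status,
        # cache state and region. Harmless for a public site, but drop them if
        # that detail should not be visible.
        add_header X-Fly-Upstream-Status $upstream_status;
        add_header X-Fly-Cache-Status $upstream_cache_status;
        add_header X-Fly-Cache-Date $upstream_http_date;
        add_header X-Fly-Region $http_fly_region;

        # SSL Redirect. Trusts the X-Forwarded-Proto set by the edge in front of
        # this container; a client that can reach port 8080 directly can omit
        # the header and skip the redirect, so the listener should not be
        # exposed beyond the edge.
        if ($http_x_forwarded_proto = "http") {
            return 301 https://$http_host$request_uri;
        }

        location /healthz {
            access_log off;
            return 200 "ok";
        }

        location / {
            proxy_cache fly;
            # Use the configured canonical host rather than a fixed value so a
            # staging CANONICAL_HOST is forwarded consistently.
            proxy_set_header X-Forwarded-Host $canonical_host;
            proxy_set_header Host prod.originapp.com;
            proxy_ssl_name prod.originapp.com;
            proxy_pass https://prod.originapp.com;

            # For Debugging against localhost when in Docker Compose
            # proxy_cache fly;
            # proxy_set_header X-Forwarded-Host localhost;
            # proxy_set_header Host localhost;
            # proxy_pass http://host.docker.internal:4000;

            # Rewrite origin hostnames in HTML (default) and CSS bodies.
            sub_filter_types text/css;
            sub_filter_once off;
            sub_filter 'publicurl.com' $canonical_host;
            sub_filter 'www.publicurl.com' $canonical_host;
        }

        # Mount a Wordpress Blog on a subfolder
        location /blog/ {
            # Anchored so only the leading /blog/ prefix is stripped.
            rewrite ^/blog/(.*)$ /$1 break;
            proxy_cache fly;
            proxy_set_header Accept-Encoding "";
            proxy_set_header X-Forwarded-Host blog.publicurl.com;
            proxy_set_header Host blog.publicurl.com;
            # Must send this key to validate this as a proxy request, can be any value
            # NOTE(review): if the blog ever checks the value rather than just
            # the presence, move it out of the config into an env var via
            # getenv, as done for NGINX_SERVER_NAME above.
            proxy_set_header X-Auth-Token foobar;
            # proxy_ssl_name has no effect on an http:// upstream; this hop,
            # including the X-Auth-Token header, is sent in cleartext. If the
            # blog supports TLS, switch proxy_pass to https://.
            proxy_ssl_name blog.publicurl.com;
            proxy_pass http://blog.publicurl.com;

            sub_filter_types text/css text/xml;
            sub_filter_once off;
            sub_filter 'blog.publicurl.com' "${canonical_host}/blog";
        }
    }
}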