Example Reverse Proxy nginx.conf
## Starter Nginx.conf file
## Intended to be used with the Wodby Nginx image: `FROM wodby/nginx:1.17-5.8.15`
# ---------------------------------------------------------------------------
# Main context: process model and logging for a single-container deployment.
# ---------------------------------------------------------------------------
# Worker processes run as the unprivileged `nginx` account.
user nginx;
pid /var/run/nginx.pid;
# Stay in the foreground: the container runtime is the supervisor.
daemon off;
# One worker; worker_connections below is therefore the process-wide limit.
worker_processes 1;
# Container logging goes to stderr. Flip to `debug` only while chasing a
# problem; it is far too verbose for normal operation.
error_log /dev/stderr warn;
# error_log /dev/stderr debug;
# Template-time switch (evaluated before nginx reads the file, even though it
# sits inside a comment): loads the PageSpeed module when the env var is set.
# {{ if getenv "NGINX_PAGESPEED_ENABLED" }}
# load_module modules/ngx_pagespeed.so;
# {{ end }}
events {
    # Maximum simultaneous connections per worker (clients + upstreams).
    worker_connections 4096;
    # Drain the whole accept queue per wake-up instead of one connection at a time.
    multi_accept on;
}
http {
# https://github.com/h5bp/server-configs-nginx
# Hide Nginx version information (server_tokens off). The upstream's own
# Server header is hidden separately via proxy_hide_header further down.
include h5bp/security/server_software_information.conf;
# Specify media (MIME) types for files.
include h5bp/media_types/media_types.conf;
# Set character encodings.
include h5bp/media_types/character_encodings.conf;
# `main` is kept for reference only; access_log below uses `main_ext`.
log_format main '$remote_addr - $remote_user $upstream_cache_status [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$user_agent" "$http_x_forwarded_for"';
# Extended format: adds the matched host/server_name, request time, and the
# upstream address/status/timing/length plus cache HIT/MISS per request.
# $http_x_forwarded_for is whatever the edge (or a direct client) sent; treat
# it as untrusted input in anything that parses these logs.
log_format main_ext '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" '
'"$host" sn="$server_name" '
'rt=$request_time '
'ua="$upstream_addr" us="$upstream_status" '
'ut="$upstream_response_time" ul="$upstream_response_length" '
'cs=$upstream_cache_status' ;
access_log /dev/stdout main_ext;
# NOTE(review): this resolver only serves variable-based proxy_pass targets
# and OCSP lookups. The static proxy_pass hostnames in the server block are
# resolved once at startup, so an origin IP change needs a reload. Queries go
# in clear text to public resolvers and nginx does no DNSSEC validation;
# prefer the platform's internal resolver if one is available.
resolver 8.8.8.8 1.1.1.1;
# How long to allow each connection to stay idle.
# Longer values are better for each individual client, particularly for SSL,
# but means that worker connections are tied up longer.
# Default: 75s
# https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout
keepalive_timeout 20s;
# Speed up file transfers by using `sendfile()` to copy directly between
# descriptors rather than using `read()`/`write()``.
# For performance reasons, on FreeBSD systems w/ ZFS this option should be
# disabled as ZFS's ARC caches frequently used files in RAM by default.
# Default: off
# https://nginx.org/en/docs/http/ngx_http_core_module.html#sendfile
sendfile on;
# Don't send out partial frames; this increases throughput since TCP frames
# are filled up before being sent out.
# Default: off
# https://nginx.org/en/docs/http/ngx_http_core_module.html#tcp_nopush
tcp_nopush on;
# Enable gzip compression (this is where bodies get re-compressed after the
# proxy strips Accept-Encoding so sub_filter can rewrite them).
include h5bp/web_performance/compression.conf;
# Specify file cache expiration.
include h5bp/web_performance/cache_expiration.conf;
# Template-time switches (gomplate-style), evaluated before nginx parses the
# file. Keep them byte-exact; the PageSpeed one is currently commented out.
# {{ if getenv "NGINX_PAGESPEED_ENABLED" }}
# include /etc/nginx/conf.d/pagespeed.conf;
# {{ end }}
{{ if getenv "NGINX_BROTLI_ENABLED" }}
include /etc/nginx/conf.d/brotli.conf;
{{ end }}
# ---------------------------------------------------------------------------
# Response-header maps. Each is keyed on the Content-Type nginx is about to
# send and is emitted by the matching `include h5bp/...` line in the server
# block below; a map with no matching include sends nothing.
# ---------------------------------------------------------------------------
# Add X-XSS-Protection for HTML documents.
# h5bp/security/x-xss-protection.conf
# NOTE(review): the browser XSS auditor this header drove has been removed
# from current engines, and "1; mode=block" had side-channel issues in older
# ones; current guidance is to send "0" and rely on CSP instead.
map $sent_http_content_type $x_xss_protection {
~*text/html "1; mode=block";
}
# Add X-Frame-Options for HTML documents.
# h5bp/security/x-frame-options.conf
# DENY: nothing may frame HTML from this host. The upstream's own
# X-Frame-Options is hidden (proxy_hide_header) so only this value is sent.
map $sent_http_content_type $x_frame_options {
~*text/html DENY;
}
# Add Content-Security-Policy for HTML documents.
# h5bp/security/content-security-policy.conf
# NOTE(review): defined but never sent — the server block below has no
# `include h5bp/security/content-security-policy.conf;`. default-src 'self'
# blocks every third-party script/style/font the proxied app loads, so audit
# those origins before enabling it. The trailing `|xml` alternative matches
# "xml" anywhere in the type (application/xml, text/xml, ...).
map $sent_http_content_type $content_security_policy {
~*text/(html|javascript)|application/pdf|xml "default-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests";
}
# Add Referrer-Policy for HTML documents.
# h5bp/security/referrer-policy.conf.conf
map $sent_http_content_type $referrer_policy {
~*text/(css|html|javascript)|application\/pdf|xml "strict-origin-when-cross-origin";
}
# Add X-UA-Compatible for HTML documents.
# h5bp/internet_explorer/x-ua-compatible.conf
map $sent_http_content_type $x_ua_compatible {
~*text/html "IE=edge";
}
# Add Access-Control-Allow-Origin.
# h5bp/cross-origin/requests.conf
# Wildcard CORS only for static asset types; HTML/JSON responses get no ACAO.
map $sent_http_content_type $cors {
# Images
~*image/ "*";
# Web fonts
~*font/ "*";
~*application/vnd.ms-fontobject "*";
~*application/x-font-ttf "*";
~*application/font-woff "*";
~*application/x-font-woff "*";
~*application/font-woff2 "*";
}
# $uri without its leading slash. Not referenced in this file; kept in case an
# h5bp include relies on it.
map $uri $no_slash_uri {
~^/(?<no_slash>.*)$ $no_slash;
}
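# ---------------------------------------------------------------------------
# Shared proxy + cache defaults, inherited by every server/location below.
# ---------------------------------------------------------------------------
# On-disk cache: 16 MB of keys (~128k entries), entries untouched for 4h are
# evicted, 256 MB cap. Lives in /tmp, so it is empty on every container start.
proxy_cache_path /tmp/nginx-cache keys_zone=fly:16m inactive=4h use_temp_path=off max_size=256m;
proxy_cache_methods GET HEAD;
# Lifetimes used when the origin sends no Cache-Control. Expires is ignored
# below but Cache-Control is still honoured, so a `private`/`no-store`
# response is never stored. `any 1m` also covers 4xx/5xx; keep it short.
proxy_cache_valid 200 302 10m;
proxy_cache_valid 301 1h;
proxy_cache_valid any 1m;
proxy_cache_use_stale updating error timeout http_429 http_500 http_502 http_503 http_504;
# NOTE(review): $http_host is the client-supplied Host header, while the Host
# actually sent upstream is fixed (see location /). The same origin page is
# therefore cached once per Host value a client chooses to send. Bounded by
# max_size, but a fixed host in the key would remove that fragmentation.
proxy_cache_key $scheme://$http_host/$request_uri;
proxy_cache_revalidate on;
proxy_cache_background_update on;
proxy_cache_lock on;
# Requests carrying credentials are neither served from nor stored into the
# shared cache. Nothing is authenticated yet, so this is a no-op today, but it
# stops a personalised response from ever being replayed to another client.
# Hook for a future session cookie: proxy_no_cache $cookie_nocache;
proxy_no_cache $http_authorization;
# `Pxy-Bypass: <anything>` skips the cache lookup (the fresh response is still
# stored). Any client can send it, so it is an origin-load lever; gate it on
# a secret value or drop it for production.
proxy_cache_bypass $http_pxy_bypass $http_authorization;
# Headers nginx sets itself (h5bp includes in the server block); hiding the
# upstream copies avoids duplicates.
proxy_hide_header x-frame-options;
proxy_hide_header x-xss-protection;
proxy_hide_header Server;
proxy_redirect off;
proxy_read_timeout 30;
proxy_connect_timeout 5;
proxy_send_timeout 30;
# HTTP/1.1 keep-alive to the origin. Clearing Connection and hiding Upgrade
# means WebSocket upgrades are NOT forwarded through this proxy.
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_hide_header Upgrade;
proxy_buffering on;
# Origin TLS: send SNI and verify the origin certificate against the system
# CA bundle. nginx defaults to proxy_ssl_verify off, which accepts any
# certificate and leaves the proxy->origin hop open to interception. The
# bundle path is the Alpine default used by the wodby image; adjust it if the
# base image changes.
proxy_ssl_server_name on;
proxy_ssl_protocols TLSv1.2 TLSv1.3;
proxy_ssl_verify on;
proxy_ssl_verify_depth 2;
proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
# Expires ignored (lifetimes are set above); Vary ignored because
# Accept-Encoding is stripped before proxying, so there is nothing to vary on.
# NOTE(review): ignoring Set-Cookie means a cacheable response that carries
# Set-Cookie is stored *with* that header and replayed to every later client.
# That is only acceptable while no response is per-user; once sessions exist,
# route cookie-bearing requests around the cache (see the proxy_no_cache hook).
# proxy_ignore_headers Vary Cache-Control Set-Cookie Expires;
proxy_ignore_headers Vary Set-Cookie Expires;
proxy_ignore_client_abort on;
# Only affects *response* headers (Date/Server/X-Pad/X-Accel-*); request
# headers such as Authorization are forwarded to the origin by default.
proxy_pass_header Authorization;
# Ask the origin for uncompressed bodies so sub_filter can rewrite them;
# nginx re-compresses on the way out (h5bp compression.conf).
proxy_set_header Accept-Encoding "";
# Client identity forwarded to the origin. No real_ip module is configured,
# so $remote_addr is whatever connects to port 8080 — behind the Fly edge
# that is the edge itself, not the end user; the real client address only
# appears in X-Forwarded-For, which the edge appends to.
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header True-Client-IP $remote_addr;
proxy_set_header X-NginX-Proxy true;
# $scheme is always "http" on this plain listener; the edge's view of the
# scheme is in $http_x_forwarded_proto (used by the redirect in the server
# block). Origins that build absolute URLs from this header will see http.
proxy_set_header X-Forwarded-Proto $scheme;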
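# Canonicalise www -> apex. TLS terminates at the edge, so redirect straight
# to https: the previous `$scheme://` always expanded to http:// on this plain
# listener, which sent every www visitor through a second redirect (the
# http -> https rule in the default server). The host comes from CANONICAL_HOST,
# matching the main server block.
server {
    listen 8080;
    server_name www.{{ getenv "CANONICAL_HOST" "publicurl.com" }};
    return 301 https://{{ getenv "CANONICAL_HOST" "publicurl.com" }}$request_uri;
}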
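server {
    # Catch-all: whatever Host the edge forwards lands here.
    listen 8080 default_server{{ if getenv "NGINX_HTTP2" }} http2{{ end }};
    server_name {{ getenv "NGINX_SERVER_NAME" "default" }};
    # Public hostname substituted into origin URLs in response bodies.
    set $canonical_host {{ getenv "CANONICAL_HOST" "publicurl.com" }};

    # Nginx Server Configs | MIT License
    # https://github.com/h5bp/server-configs-nginx
    # Each include emits one add_header from the maps in the http block.
    include h5bp/internet_explorer/x-ua-compatible.conf;
    include h5bp/security/referrer-policy.conf;
    include h5bp/security/x-content-type-options.conf;
    include h5bp/security/x-frame-options.conf;
    include h5bp/security/x-xss-protection.conf;
    include h5bp/security/server_software_information.conf;
    include h5bp/location/security_file_access.conf;
    include h5bp/cross-origin/requests.conf;
    # NOTE(review): no HSTS yet. TLS terminates at the edge and http is
    # redirected below, so browsers should be told to stay on https. Enable
    # once every host served here has TLS; blog.publicurl.com is still fetched
    # over plain http, so leave includeSubDomains off:
    # add_header Strict-Transport-Security "max-age=31536000" always;

    # Legacy product URLs -> search. $1 is the path remainder; the original
    # query string is appended to the Location unless the replacement ends in `?`.
    # FROM: http://localhost:3000/products/jlg-ping-pin-tilt-cyl-part-number-1001147527-1001147527-pjiv1heeja00i7op
    # TO: https://publicurl.com/shop/search?text=jlg%2Bping%2Bpin%2Btilt%2Bcyl%2Bpart%2Bnumber%2B1001147527%2B1001147527%2Bpjiv1heeja00i7op
    rewrite ^/products/(.*)$ /shop/search?text=$1 permanent;
    # Redirects must not advertise :8080; clients only ever see the edge.
    port_in_redirect off;

    # Cache diagnostics. These reveal upstream status and cache hit/miss to
    # every client; useful while tuning, consider dropping them in production.
    add_header X-Fly-Upstream-Status $upstream_status;
    add_header X-Fly-Cache-Status $upstream_cache_status;
    add_header X-Fly-Cache-Date $upstream_http_date;
    add_header X-Fly-Region $http_fly_region;

    # SSL Redirect, driven by the edge's X-Forwarded-Proto. This trusts the
    # header as-is, so port 8080 must only be reachable through the edge: a
    # client that can hit it directly can set or omit the header and skip this.
    if ($http_x_forwarded_proto = "http") {
        return 301 https://$http_host$request_uri;
    }

    # Exact match; the prefix form also answered /healthz<anything> with 200.
    location = /healthz {
        access_log off;
        return 200 "ok";
    }

    location / {
        proxy_cache fly;
        proxy_set_header X-Forwarded-Host $canonical_host;
        # Fixed Host/SNI towards the origin regardless of the client's Host;
        # the certificate is verified against this name (proxy_ssl_verify).
        proxy_set_header Host prod.originapp.com;
        proxy_ssl_name prod.originapp.com;
        proxy_pass https://prod.originapp.com;
        # For Debugging against localhost when in Docker Compose
        # proxy_cache fly;
        # proxy_set_header X-Forwarded-Host localhost;
        # proxy_set_header Host localhost;
        # proxy_pass http://host.docker.internal:4000;
        # Rewrite origin hostnames in HTML (default type) and CSS bodies. Needs
        # the http-level `proxy_set_header Accept-Encoding ""` so the body
        # arrives uncompressed. NOTE(review): 'publicurl.com' is a substring of
        # 'www.publicurl.com'; confirm which rule wins on a www. URL before
        # relying on the second one.
        sub_filter_types text/css;
        sub_filter_once off;
        sub_filter 'publicurl.com' $canonical_host;
        sub_filter 'www.publicurl.com' $canonical_host;
    }

    # Mount a Wordpress Blog on a subfolder
    location /blog/ {
        rewrite /blog/(.*) /$1 break;
        proxy_cache fly;
        proxy_set_header Accept-Encoding "";
        proxy_set_header X-Forwarded-Host blog.publicurl.com;
        proxy_set_header Host blog.publicurl.com;
        # The blog only accepts proxied requests that carry this token. It is a
        # shared secret, so it comes from the environment rather than living in
        # a committed config; the default keeps the old value for local setups.
        # It travels in clear text: proxy_pass below is plain http, and
        # proxy_ssl_name has no effect on an http:// upstream.
        proxy_set_header X-Auth-Token {{ getenv "BLOG_AUTH_TOKEN" "foobar" }};
        proxy_ssl_name blog.publicurl.com;
        proxy_pass http://blog.publicurl.com;
        sub_filter_types text/css text/xml;
        sub_filter_once off;
        sub_filter 'blog.publicurl.com' "${canonical_host}/blog";
    }
}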
}