Created
March 26, 2019 13:22
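# PASSENGER DEV OK
#
# Single-page app served from /opt/webapp-here/dist, with a Passenger-hosted Ruby
# backend under /api.  Port 80 only redirects to HTTPS.
server {
    listen 80;
    listen 443 ssl http2;
    listen [::]:80;
    listen [::]:443 ssl http2;
    server_name webapp.example.com;

    # ACME HTTP-01 challenge files.  The server-level redirect below runs before
    # location matching, so plain-HTTP challenge requests are redirected to HTTPS too.
    location /.well-known/acme-challenge/ { alias /opt/le/.acme-challenges/; }

    gzip on;
    gzip_static on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    # NOTE(review): application/json is compressed and /api is called with credentials
    # and an auth-token header.  If an API response ever reflects request data next to
    # a secret, compression over TLS exposes it to BREACH-style length analysis —
    # confirm, or drop application/json from this list.
    gzip_types text/plain application/javascript application/x-javascript text/javascript text/xml text/css application/json;

    # Plain HTTP is redirect-only ("return 301" is the direct form of the former
    # "rewrite ^ ... permanent").
    if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }

    location /img/ {
        root /opt/webapp-here/dist;
    }
    # location /*.* {
    #     root /opt/webapp-here/dist;
    # }

    # SPA fallback.  No root is set at server level, so $uri is checked against
    # nginx's default root and unknown paths fall through to /index.html.
    location / {
        try_files $uri /index.html;
        # rewrite ^ /index.html$args permanent;
    }
    location /index.html {
        root /opt/webapp-here/dist;
    }
    location /bundle.js {
        root /opt/webapp-here/dist;
    }

    location /api {
        # NOTE(review): the proxy_* directives below only act on proxy_pass requests,
        # and proxy_pass is commented out in this block, so they look like inert
        # leftovers.  Passenger has its own passenger_set_header if the app needs
        # these values.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass_request_headers on;
        proxy_pass_request_body on;
        proxy_cookie_domain localhost webapp.example.com;
        ## include /etc/nginx/passenger.conf;
        ## fastcgi_pass_request_headers on;
        ## proxy_pass http://webapp-here;
        ## proxy_redirect default; #localhost;
        ## alias $1;
        ## passenger_base_uri /api;

        # passenger_enabled was listed twice in this block; once is enough.
        passenger_enabled on;
        passenger_app_env production;
        root /opt/webapp-here/public;
        passenger_app_root /opt/webapp-here;
        # NOTE(review): this is the absolute path /public, not /opt/webapp-here/public
        # as set by root above — confirm which one is intended.
        passenger_document_root /public;
        passenger_ruby /home/webapp-here/.rbenv/shims/ruby;

        # add_header is inherited from the enclosing level only when the current level
        # defines none of its own.  Each "if" below sets CORS headers, so without the
        # three security headers repeated here, GET/POST/OPTIONS responses from /api
        # would go out without HSTS, X-Frame-Options and X-Content-Type-Options.
        # Keep these copies in sync with the server-level values.
        if ($request_method = 'OPTIONS') {
            add_header 'Access-Control-Allow-Origin' 'https://webapp.example.com';
            add_header 'Access-Control-Allow-Credentials' 'true';
            add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, OPTIONS, DELETE';
            add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,auth-token';
            add_header 'Access-Control-Max-Age' 1728000;
            # Fixed: the media type and charset parameter were missing the ';' separator.
            add_header 'Content-Type' 'application/json; charset=UTF-8';
            add_header 'Content-Length' 0;
            add_header X-Frame-Options DENY always;
            add_header X-Content-Type-Options nosniff always;
            add_header Strict-Transport-Security "max-age=25200; includeSubdomains; preload" always;
            return 204;
        }
        if ($request_method = 'POST') {
            add_header 'Access-Control-Allow-Origin' 'https://webapp.example.com';
            add_header 'Access-Control-Allow-Credentials' 'true';
            add_header 'Access-Control-Allow-Methods' 'POST, PUT, OPTIONS, DELETE';
            add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,auth-token';
            add_header X-Frame-Options DENY always;
            add_header X-Content-Type-Options nosniff always;
            add_header Strict-Transport-Security "max-age=25200; includeSubdomains; preload" always;
        }
        if ($request_method = 'GET') {
            add_header 'Access-Control-Allow-Origin' 'https://webapp.example.com';
            add_header 'Access-Control-Allow-Credentials' 'true';
            add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
            add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,auth-token';
            add_header X-Frame-Options DENY always;
            add_header X-Content-Type-Options nosniff always;
            add_header Strict-Transport-Security "max-age=25200; includeSubdomains; preload" always;
        }

        access_log /var/log/nginx/webapp-here.access.log;
        error_log /var/log/nginx/webapp-here.error.log;
    }

    # --- TLS ---
    # A second, partial copy of this section (ending in its own "}") had been pasted
    # in before it, which left the braces unbalanced; only one copy is kept.
    ssl_certificate /opt/le/certs/webapp.example.com/fullchain.pem;
    ssl_certificate_key /opt/le/certs/webapp.example.com/privkey.pem;
    # NOTE(review): with ssl_protocols left commented out, the accepted protocol
    # versions are whatever this nginx build defaults to, which on older releases
    # includes TLSv1 and TLSv1.1.  Set it explicitly (TLSv1.2 and newer) rather than
    # re-enabling the line below as written.
    # ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_stapling on; # Requires nginx >= 1.3.7
    ssl_stapling_verify on; # Requires nginx >= 1.3.7
    # Resolver used for the OCSP responder lookup; a private address, so stapling
    # depends on that host answering DNS.
    resolver 172.17.0.1 valid=300s;
    resolver_timeout 5s;
    ssl_dhparam /etc/nginx/dhparam.pem;
    ssl_session_timeout 24h;
    # NOTE(review): this list still admits 3DES suites (kEDH+3DES, DES-CBC3-SHA;
    # 64-bit block cipher, Sweet32) and static-RSA key exchange (kRSA+AES128; no
    # forward secrecy).  Left unchanged because removing them can cut off legacy
    # clients — decide deliberately and drop them if no such clients remain.
    ssl_ciphers kEECDH+AES128:kEECDH:kEDH:-3DES:kRSA+AES128:kEDH+3DES:DES-CBC3-SHA:!RC4:!aNULL:!eNULL:!MD5:!EXPORT:!LOW:!SEED:!CAMELLIA:!IDEA:!PSK:!SRP:!SSLv2;

    # --- Response security headers ---
    # "always" also attaches them to error responses, which add_header skips by default.
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
    # NOTE(review): max-age=25200 is 7 hours, so the HSTS pin lapses quickly for
    # returning visitors, and "preload" has no effect at that value because
    # preload-list submission expects a max-age of about a year.  Raise max-age once
    # HTTPS is confirmed on every subdomain, or drop "preload".
    add_header Strict-Transport-Security "max-age=25200; includeSubdomains; preload" always;
    # No Content-Security-Policy is sent: the only policy is this commented-out
    # report-only draft, which also allows 'unsafe-inline' and 'unsafe-eval'.
    # add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report";

    access_log /var/log/nginx/webapp-here.access.log;
    error_log /var/log/nginx/webapp-here.error.log;
}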