Typical example of an nginx (v1.10.3) configuration that terminates TLS (Let's Encrypt certificates) and reverse-proxies to a Node.js application.
# Example nginx configuration for:
# - a Node.js application server behind nginx
# - TLS with Let's Encrypt certificates
# Tested version: nginx/1.10.3
# Location: /etc/nginx/conf.d/example.com.conf (included from the http{} block of nginx.conf)
# Addresses allowed through while the site is in maintenance mode
# (consumed by the `if ($allow_ip_flag)` check in `location /` below).
# NOTE(review): `geo` keys on $remote_addr, the TCP peer. If a load balancer
# or CDN sits in front of nginx, that is the proxy's address, not the
# tester's — confirm the deployment topology before relying on this.
geo $allow_ip_flag {
    default 0;            # everyone else: not allowed
    #192.168.11.0/24 1;   # example: a tester's LAN, allowed
}
# Upstream group for the local Node.js app.
# Assumes the app itself binds to 127.0.0.1 only, so that it cannot be reached
# without going through nginx (and its TLS and rate limiting) — verify that.
upstream nodeapp {
    server 127.0.0.1:3000;   # Node.js app server
}
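# Redirect plain HTTP to HTTPS with a permanent (301) redirect.
server {
    listen 80;
    server_name example.com;
    # `return 301` is the idiomatic replacement for
    # `rewrite ^ https://$server_name$request_uri? permanent;` and produces the
    # same 301 without running the regex engine. $server_name (rather than
    # $host) is used deliberately: the redirect target is built from the
    # configured name, so an attacker-supplied Host header is never reflected
    # into the Location header. $request_uri carries path and query as sent.
    return 301 https://$server_name$request_uri;
}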
# Rate limiting: a 10 MB shared zone keyed on the client address, allowing a
# steady 10 requests/second per address (burst handling is configured where
# `limit_req` is applied in `location /`). Rejected requests get 503 by
# default; 429 is the semantically right status, but note that 503 is also
# caught by the `error_page 500 502 503 504` handler in the server block.
limit_req_zone $binary_remote_addr zone=mylimit:10m rate=10r/s;
#limit_req_status 429; # 429:"Too Many Requests"
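server {
    listen 443 ssl http2;
    server_name example.com;

    #charset koi8-r;
    #access_log /var/log/nginx/access.log main;

    # --- TLS settings (Let's Encrypt) ---
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    # Session tickets are encrypted with a key nginx generates at start-up and
    # does not rotate unless ssl_session_ticket_key is configured; on a
    # long-running server that key undermines forward secrecy for every
    # resumed session. The shared cache above already provides resumption,
    # so tickets are disabled.
    ssl_session_tickets off;

    # Generate once: `sudo openssl dhparam -out /etc/ssl/private/dhparam.pem 4096`
    ssl_dhparam /etc/ssl/private/dhparam.pem;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and fail modern compliance
    # checks. TLSv1.3 needs nginx >= 1.13 built against OpenSSL 1.1.1, so on
    # 1.10.3 TLSv1.2 is the only current protocol. Re-add TLSv1.1 only if you
    # have measured clients that still require it.
    ssl_protocols TLSv1.2;
    # Forward-secret AEAD suites only. The previous list also enabled 3DES
    # (DES-CBC3-SHA, vulnerable to Sweet32), CBC/SHA-1 suites, CAMELLIA and
    # static-RSA key exchange (no forward secrecy); all are dropped.
    # OpenSSL ignores names it does not know, so the CHACHA20 entries are
    # harmless on OpenSSL < 1.1.0 and used where available.
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers on;

    # Optional hardening, left disabled because each needs extra preparation:
    # HSTS commits browsers to HTTPS for max-age seconds — enable only once
    # every host under this name is permanently reachable over TLS. Remember
    # that a location-level add_header replaces (does not extend) server-level
    # add_header directives.
    #add_header Strict-Transport-Security "max-age=31536000" always;
    # OCSP stapling needs a `resolver` directive and outbound access from nginx.
    #ssl_stapling on;
    #ssl_stapling_verify on;
    #ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;

    # --- Reverse proxy settings ---
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    # $proxy_add_x_forwarded_for APPENDS $remote_addr to whatever
    # X-Forwarded-For the client sent, so the app must trust only the LAST
    # entry (the one nginx added) and treat the rest as attacker-controlled.
    # Use X-Real-IP when a single trustworthy address is wanted.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # This server block is TLS-only, so the scheme can be hard-coded. This is
    # what makes express-session's `cookie.secure: true` work behind the proxy.
    proxy_set_header X-Forwarded-Proto https;
    # Rewrite `http://` Location/Refresh headers coming back from the app to
    # `https://`. The original configuration placed `proxy_redirect off;`
    # before this directive; once `off` has been seen at a level nginx ignores
    # further proxy_redirect directives there, so the rewrite never applied.
    # `off` is therefore removed.
    proxy_redirect http:// https://;

    # ACME http-01 challenge files. The trailing slash on BOTH the location
    # prefix and the alias is required: with `location ^~ /.well-known` and
    # `alias .../.well-known/`, a request for `/.well-known../x` is mapped to
    # `.../.well-known/../x`, i.e. one directory above the intended one (the
    # classic nginx alias traversal). `allow all;` was a no-op (no deny rule
    # exists) and is dropped.
    location ^~ /.well-known/ {
        default_type "text/plain";
        alias /usr/share/nginx/html/example.com/.well-known/;
    }

    location / {
        # Maintenance mode: if maintenance.html exists, every client that is
        # not flagged in $allow_ip_flag is redirected (302) to it.
        # TODO: create your own maintenance.html in advance.
        # Initialise the flag first so the comparison below never reads an
        # unset variable (nginx otherwise logs "using uninitialized variable").
        set $maintenance false;
        if (-e /usr/share/nginx/html/example.com/maintenance.html) {
            set $maintenance true;
        }
        # Allowed addresses pass through even during maintenance:
        if ($allow_ip_flag) {
            set $maintenance false;
        }
        if ($maintenance = true) {
            rewrite ^ /maintenance.html redirect;
        }
        # Nested location: rewrite-phase `if`s above do not apply here, so the
        # maintenance page itself is not redirected again.
        location /maintenance.html {
            alias /usr/share/nginx/html/example.com/maintenance.html;
            expires 0;
        }

        # Rate limiting (zone defined with limit_req_zone above): up to 20
        # requests beyond the steady rate are accepted immediately, the rest
        # are rejected.
        limit_req zone=mylimit burst=20 nodelay;

        # Everything else goes to the Node.js app:
        proxy_pass http://nodeapp/;

        #root /usr/share/nginx/html/example.com;
        #index index.html index.htm;
    }

    # Static assets served directly by nginx, bypassing the app (and the
    # rate limit above, which only applies inside `location /`).
    location ~ ^/(images/|img/|javascripts/|js/|css/|stylesheets/|flash/|media/|static/|robots.txt|sitemap.txt|humans.txt|favicon.ico) {
        # TODO: point this at your app's public folder.
        root /home/akirattii/example-app/public;
        access_log off;
        expires max;
    }

    #error_page 404 /404.html;

    # Serve a static page for server-side errors (this also covers the 503
    # returned by limit_req unless limit_req_status is changed).
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}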
# /etc/nginx/nginx.conf — top-level (main context) settings.
user www-data;           # worker processes drop to this unprivileged account
worker_processes auto;   # nginx picks the worker count from the CPU count
pid /run/nginx.pid;
events {
    # Maximum simultaneous connections each worker process may hold open.
    worker_connections 768;
    # multi_accept on;
}
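http {
    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # Do not advertise the exact nginx version in the Server header and on
    # error pages; it gives attackers a free version fingerprint.
    server_tokens off;
    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings (defaults for every server{} that does not override them)
    ##
    # TLS 1.0/1.1 are deprecated (RFC 8996); SSLv3 was already excluded (POODLE).
    # TLSv1.3 would need nginx >= 1.13 with OpenSSL 1.1.1.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##
    gzip on;
    gzip_disable "msie6";
    gzip_vary on; # emit "Vary: Accept-Encoding" so caches keep variants apart
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;

    # Content types to compress. Compressing JSON API responses is usually
    # worthwhile, but be aware of BREACH: a compressed TLS response that
    # reflects attacker-controlled input next to a secret (e.g. a CSRF token)
    # leaks that secret through the response length. Do not compress such
    # responses, or make sure the app does not mix reflected input and secrets.
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}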
#mail { | |
# # See sample authentication script at: | |
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript | |
# | |
# # auth_http localhost/auth.php; | |
# # pop3_capabilities "TOP" "USER"; | |
# # imap_capabilities "IMAP4rev1" "UIDPLUS"; | |
# | |
# server { | |
# listen localhost:110; | |
# protocol pop3; | |
# proxy on; | |
# } | |
# | |
# server { | |
# listen localhost:143; | |
# protocol imap; | |
# proxy on; | |
# } | |
#} |