-
-
Save osv/ede3e6c2368071ed963990a6a15336c1 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| upstream my-web-app-here { | |
| server 127.0.0.1:8080; | |
| } | |
| server { | |
| listen 80; | |
| listen 443 ssl http2; | |
| listen [::]:80; | |
| listen [::]:443 ssl http2; | |
| server_name webapp.example.com; | |
| gzip on; | |
| gzip_static on; | |
| gzip_vary on; | |
| gzip_proxied any; | |
| gzip_comp_level 6; | |
| gzip_buffers 16 8k; | |
| # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss | |
| gzip_types text/plain application/javascript application/x-javascript text/javascript text/xml text/css application/json | |
| location /.well-known/acme-challenge/ { alias /opt/le/.acme-challenges/; } | |
| if ($scheme = http) { | |
| rewrite ^ https://$server_name$request_uri permanent; | |
| } | |
| location /lang/ { | |
| root /opt/my-web-app-here-web/dist/; | |
| } | |
| location /img/ { | |
| root /opt/my-web-app-here-web/dist; | |
| } | |
| location /*.* { | |
| root /opt/my-web-app-here-web/dist; | |
| } | |
| location / { | |
| try_files $uri /index.html; | |
| # rewrite ^ /index.html$args permanent; | |
| } | |
| location /index.html { | |
| root /opt/my-web-app-here-web/dist; | |
| } | |
| location /bundle.js { | |
| root /opt/my-web-app-here-web/dist; | |
| } | |
| location /api { | |
| proxy_set_header Host $host; | |
| proxy_set_header X-Real-IP $remote_addr; | |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
| proxy_set_header X-Forwarded-Proto $scheme; | |
| proxy_pass_request_headers on; | |
| proxy_pass_request_body on; | |
| proxy_cookie_domain localhost webapp.example.com; | |
| fastcgi_pass_request_headers on; | |
| proxy_pass http://my-web-app-here; | |
| # proxy_redirect default; | |
| # alias $1; | |
| # passenger_base_uri /api; | |
| # passenger_app_root /opt/my-web-app-here-api; | |
| # passenger_document_root /public; | |
| # passenger_enabled on; | |
| # passenger_root /opt/my-web-app-here-api; | |
| # passenger_ruby /home/turnaviotov/.rbenv/shims/ruby; | |
| # rails_env development; | |
| # passenger_ruby /usr/local/rvm/wrappers/jruby-1.7.1/ruby; | |
| if ($request_method = 'OPTIONS') { | |
| add_header 'Access-Control-Allow-Origin' 'https://webapp.example.com'; | |
| add_header 'Access-Control-Allow-Credentials' 'true'; | |
| add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, OPTIONS, DELETE'; | |
| add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Sin | |
| add_header 'Access-Control-Max-Age' 1728000; | |
| add_header 'Content-Type' 'application/json charset=UTF-8'; | |
| add_header 'Content-Length' 0; | |
| return 204; | |
| } | |
| if ($request_method = 'POST') { | |
| add_header 'Access-Control-Allow-Origin' 'https://webapp.example.com'; | |
| add_header 'Access-Control-Allow-Credentials' 'true'; | |
| add_header 'Access-Control-Allow-Methods' 'POST, PUT, OPTIONS, DELETE'; | |
| add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Sin | |
| } | |
| if ($request_method = 'GET') { | |
| add_header 'Access-Control-Allow-Origin' 'https://webapp.example.com'; | |
| add_header 'Access-Control-Allow-Credentials' 'true'; | |
| add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS'; | |
| add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Sin | |
| } | |
| access_log /var/log/nginx/webapp.example.com-api.access.log; | |
| error_log /var/log/nginx/webapp.example.com-api.error.log; | |
| } | |
| ssl_certificate /opt/le/certs/webapp.example.com/fullchain.pem; | |
| ssl_certificate_key /opt/le/certs/webapp.example.com/privkey.pem; | |
| ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |
| ssl_prefer_server_ciphers on; | |
| ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0 | |
| ssl_session_cache shared:SSL:10m; | |
| ssl_session_tickets off; # Requires nginx >= 1.5.9 | |
| ssl_stapling on; # Requires nginx >= 1.3.7 | |
| ssl_stapling_verify on; # Requires nginx => 1.3.7 | |
| resolver 172.17.0.1 valid=300s; | |
| resolver_timeout 5s; | |
| add_header X-Frame-Options DENY; | |
| add_header X-Content-Type-Options nosniff; | |
| ssl_dhparam /etc/nginx/dhparam.pem; | |
| ssl_session_timeout 24h; | |
| ssl_ciphers kEECDH+AES128:kEECDH:kEDH:-3DES:kRSA+AES128:kEDH+3DES:DES-CBC3-SHA:!RC4:!aNULL:!eNULL:!MD5:!EXPORT:!LOW:!SEE | |
| add_header Strict-Transport-Security "max-age=25200; includeSubdomains; preload"; | |
| # add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; sty | |
| # add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; sty | |
| access_log /var/log/nginx/webapp.example.com-web.access.log; | |
| error_log /var/log/nginx/webapp.example.com-web.error.log; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment