Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Save sergeysova/a53d5fbb50ebca3422fb4999c750b744 to your computer and use it in GitHub Desktop.
Save sergeysova/a53d5fbb50ebca3422fb4999c750b744 to your computer and use it in GitHub Desktop.
Nginx configuration sample for docker

Nginx production configuration sample

This config assumes that nginx is run from docker image _/nginx.

docker commands

docker network create nginx

mkdir -p /etc/myproject/nginx
cd /etc/myproject/nginx
mkdir -p ssl/default && openssl req -x509 -newkey rsa:2048 -nodes -keyout ssl/default/privkey.pem -out ssl/default/fullchain.pem -days 36500 -subj '/CN=localhost'
openssl dhparam -out ssl/dhparam.pem 4096

docker run \
    -d --restart=always \
    --name nginx \
    -p 80:80 -p 443:443 \
    --net nginx \
    --log-driver=syslog --log-opt syslog-facility=local5 -v /dev/log:/dev/log \
    -v /etc/myproject/nginx/nginx.conf:/etc/nginx/nginx.conf:ro \
    -v /etc/myproject/nginx/conf.d/:/etc/nginx/conf.d/:ro \
    -v /etc/myproject/nginx/plugins.d/:/etc/nginx/plugins.d/:ro \
    -v /etc/myproject/nginx/sites-enabled.d/:/etc/nginx/sites-enabled.d/:ro \
    -v /etc/myproject/nginx/ssl/:/etc/nginx/ssl/:ro \
    -v /var/myproject/www/:/var/www:ro \
    nginx:mainline-alpine
    
    
    # call this then to gracefully reload configs
    docker kill -s HUP nginx

Note that we don't overlay the whole /etc/nginx/ folder of the container, so you can easily include stock nginx configs:

fastcgi.conf
fastcgi_params
koi-utf
koi-win
mime.types
nginx.conf
scgi_params
uwsgi_params
win-utf

This config contains the following ones:

See also:

upstream myupstreamuwsgi {
server myupstream_1:3031;
server myupstream_2:3031;
}
# debian
# user www-data;
# alpine
user nginx;
pid /run/nginx.pid;
worker_processes auto;
events {
# http://nginx.org/en/docs/events.html
use epoll;
worker_connections 2048;
multi_accept on;
}
# feel free to choose any facility you like in range 0..7
error_log syslog:server=unix:/dev/log,facility=local6,tag=nginx,severity=error;
http {
##
# Logging
##
# feel free to choose any facility you like in range 0..7
access_log syslog:server=unix:/dev/log,facility=local6,tag=nginx,severity=info;
# log_not_found off;
##
# HTML, charset
##
index index.html index.htm;
charset utf-8;
##
# Security
##
server_tokens off;
autoindex off;
client_max_body_size 2m;
# Limit requests per IP address
# limit_req_zone $binary_remote_addr zone=common:20m rate=200r/s;
# limit_req zone=common burst=300;
##
# MIME
##
include mime.types;
default_type application/octet-stream;
##
# Performance
##
sendfile on;
sendfile_max_chunk 512k;
tcp_nopush on;
tcp_nodelay on;
# use this only when your nginx server serves static files
open_file_cache max=1000 inactive=20s;
open_file_cache_valid 30s;
open_file_cache_min_uses 2;
open_file_cache_errors off;
##
# SSL
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_tickets off;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 10m;
ssl_stapling on;
ssl_stapling_verify on;
# Don't forget to set `ssl_trusted_certificate` to the chain of your cert in the `server` block.
resolver 8.8.8.8 8.8.4.4; # replace with `127.0.0.1` if you have a local dns server
ssl_prefer_server_ciphers on;
ssl_dhparam ssl/dhparam.pem; # openssl dhparam -out ssl/dhparam.pem 4096
##
# GZIP
##
gzip on;
gzip_disable msie6;
gzip_vary on;
gzip_proxied any;
# gzip_http_version 1.0; # uncomment this to allow gzipping responses on http/1.0. proxy_pass uses http/1.0
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
# uncomment this if you want to provide nginx already gzipped variants of files, like `${file}.gz`
# gzip_static on;
##
# Pluggable configs
##
include conf.d/*.conf;
include sites-enabled.d/*.conf;
}
add_header Strict-Transport-Security 'max-age=31536000';
# Use this one if you want to apply to the HSTS preload list. https://hstspreload.appspot.com/
# add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
server {
listen 80 default_server deferred;
listen [::]:80 default_server deferred;
listen 443 default_server ssl http2 deferred;
listen [::]:443 default_server ssl http2 deferred;
server_name _;
# Generate dumb self-signed certificate:
# mkdir -p ssl/default && openssl req -x509 -newkey rsa:2048 -nodes -keyout ssl/default/privkey.pem -out ssl/default/fullchain.pem -days 36500 -subj '/CN=localhost'
ssl_certificate ssl/default/fullchain.pem;
ssl_certificate_key ssl/default/privkey.pem;
# comment out the next line if you use a trusted certificate (not a self-signed one)
ssl_stapling off;
return 444; # tells nginx to roughly close connection
# return 302 $scheme://domain.com;
}
server {
listen 80;
listen [::]:80;
server_name domain.com;
return 302 https://domain.com$request_uri;
}
server {
listen 80;
listen [::]:80;
server_name www.domain.com;
return 302 https://www.domain.com$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name domain.com;
include plugins.d/hsts.conf;
ssl_trusted_certificate ssl/domain.com/chain.pem;
ssl_certificate ssl/domain.com/fullchain.pem;
ssl_certificate_key ssl/domain.com/privkey.pem;
return 302 https://www.domain.com$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name www.domain.com;
include plugins.d/hsts.conf;
ssl_trusted_certificate ssl/domain.com/chain.pem;
ssl_certificate ssl/domain.com/fullchain.pem;
ssl_certificate_key ssl/domain.com/privkey.pem;
root /var/www/www.domain.com/;
location /api/ {
uwsgi_pass myupstreamuwsgi;
include uwsgi_params;
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment