Created
December 11, 2019 10:59
-
-
Save tuupola/247330d8a333e1650289253e31173dbc to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
http { | |
# Disable sending the server identification | |
server_tokens off; | |
# Prevent displaying Botpress in an iframe (clickjacking protection) | |
add_header X-Frame-Options SAMEORIGIN; | |
# Prevent browsers from detecting the mimetype if not sent by the server. | |
add_header X-Content-Type-Options nosniff; | |
# Force enable the XSS filter for the website, in case it was disabled manually | |
add_header X-XSS-Protection "1; mode=block"; | |
# Configure the cache for static assets | |
proxy_cache_path /sr/nginx_cache levels=1:2 keys_zone=my_cache:10m max_size=10g | |
inactive=60m use_temp_path=off; | |
# Set the max file size for uploads (make sure it is larger than the configured media size in botpress.config.json) | |
client_max_body_size 10M; | |
# Configure access | |
log_format main '$remote_addr - $remote_user [$time_local] "$request" ' | |
'$status $body_bytes_sent "$http_referer" ' | |
'"$http_user_agent" "$http_x_forwarded_for"'; | |
access_log logs/access.log main; | |
error_log logs/error.log; | |
# Redirect unsecure requests to the HTTPS endpoint | |
server { | |
listen 80 default; | |
server_name localhost; | |
return 301 https://$server_name$request_uri; | |
} | |
server { | |
listen 443 http2 ssl; | |
server_name localhost; | |
ssl_certificate cert.pem; | |
ssl_certificate_key cert.key; | |
# Force the use of secure protocols only | |
ssl_prefer_server_ciphers on; | |
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |
# Enable session cache for added performances | |
ssl_session_cache shared:SSL:50m; | |
ssl_session_timeout 1d; | |
ssl_session_tickets off; | |
# Added security with HSTS | |
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"; | |
# Enable caching of assets by NGINX to reduce load on the server | |
location ~ .*/assets/.* { | |
proxy_cache my_cache; | |
proxy_ignore_headers Cache-Control; | |
proxy_hide_header Cache-Control; | |
proxy_hide_header Pragma; | |
proxy_pass http://localhost:3000; | |
proxy_cache_valid any 30m; | |
proxy_set_header Cache-Control max-age=30; | |
add_header Cache-Control max-age=30; | |
} | |
# We need to add specific headers so the websockets can be set up through the reverse proxy | |
location /socket.io/ { | |
proxy_pass http://localhost:3000/socket.io/; | |
proxy_http_version 1.1; | |
proxy_set_header Upgrade $http_upgrade; | |
proxy_set_header Connection "Upgrade"; | |
} | |
# All other requests should be directed to the server | |
location / { | |
proxy_pass http://localhost:3000; | |
} | |
} | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment