@vastbinderj
Created November 27, 2014 08:22
Configure NGINX to proxy Ottemo Foundation API Server for both HTTP/HTTPS

It is suggested that you run the Foundation API Server only over SSL/TLS, with nginx in front of it as a reverse proxy for performance reasons. This gist demonstrates how to configure nginx and how to create a self-signed certificate for use in development. In production, it is suggested you use a certificate from your preferred certificate authority.

Create a directory called 'ssl' under the nginx configuration directory to hold the certificates:

sudo mkdir /etc/nginx/ssl

Now that we have a location to place our files, we can create the SSL key and certificate files in one motion by typing:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt
  • req: This subcommand specifies that we want to use X.509 certificate signing request (CSR) management. "X.509" is the public key infrastructure standard that SSL and TLS adhere to for key and certificate management. We want to create a new X.509 cert, so we are using this subcommand.

  • x509: This further modifies the previous subcommand by telling the utility that we want to make a self-signed certificate instead of generating a certificate signing request, as would normally happen.

  • nodes: This tells OpenSSL to skip the option to secure our private key with a passphrase. We need nginx to be able to read the key file, without user intervention, when the server starts up. A passphrase would prevent this from happening because we would have to enter it after every restart.

  • days 365: This option sets the length of time that the certificate will be considered valid. We set it for one year here.

  • newkey rsa:2048: This specifies that we want to generate a new certificate and a new key at the same time. We did not create the key that is required to sign the certificate in a previous step, so we need to create it along with the certificate. The rsa:2048 portion tells it to make an RSA key that is 2048 bits long.

http {
    # Fragment of /etc/nginx/nginx.conf; the events { } block and the
    # log_format definition are omitted. The "main" log format used below
    # is the one nginx's stock nginx.conf defines.

    # logging
    access_log /var/log/nginx/access.log main;
    error_log /var/log/nginx/error.log crit;

    # buffers
    client_max_body_size 10m;
    client_header_buffer_size 4k;
    client_body_buffer_size 128k;
    large_client_header_buffers 4 16k;

    # keepalives
    keepalive_timeout 15 15;
    keepalive_requests 1024;

    # timeouts
    client_body_timeout 15;
    client_header_timeout 15;
    send_timeout 15;

    # cache path
    proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=cache_name:10m max_size=1g;

    upstream foundation {
        server 127.0.0.1:3000;
        keepalive 15;
    }

    # Plain HTTP does nothing but redirect to HTTPS
    server {
        listen 80;
        server_name foundation.domain.com;
        return 301 https://foundation.domain.com$request_uri;
    }

    server {
        listen 443 ssl;
        server_name foundation.domain.com;
        ssl_certificate /etc/nginx/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/ssl/nginx.key;
        # SSL config goes here (removed for brevity)

        # HSTS for one year. add_header directives are inherited from this
        # level only by locations that define no add_header of their own,
        # so the directive is repeated inside location / below.
        add_header Strict-Transport-Security "max-age=31536000";

        error_page 502 503 504 /5xx.html;
        location = /5xx.html {
            root /public;
        }
        location /favicon.ico {
            root /public;
        }
        location /robots.txt {
            root /public;
        }

        location / {
            proxy_pass http://foundation;
            proxy_redirect off;
            # Security headers removed, but think about X-Frame-Options, Content-Security-Policy, etc

            # Repeated here: the add_header directives in this location replace,
            # rather than extend, the ones inherited from the server level
            add_header Strict-Transport-Security "max-age=31536000";

            # Enable HTTP keep-alives to the upstream
            proxy_http_version 1.1;
            proxy_set_header Connection "";

            # Buffers
            # Buffers should be greater than the mean response size to allow effective caching
            proxy_buffering on;
            proxy_buffers 32 16k;
            proxy_buffer_size 32k;
            proxy_busy_buffers_size 64k;
            proxy_temp_file_write_size 64k;

            # Caching
            # Note that routes with Set-Cookie will not be cached so we do not need to be specific here
            add_header Cache-Control "max-age=0, private, must-revalidate";
            proxy_cache cache_name;
            proxy_cache_key "$scheme$host$request_uri";
            proxy_cache_valid 200 302 303 30s;
            proxy_cache_valid 404 30s;
            proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
            add_header X-Cache $upstream_cache_status;

            # Pass scheme and remote host IP to proxied application
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Scheme $scheme;
            proxy_set_header Referer $http_referer;
            proxy_set_header Host $http_host;
        }
    }
}