Nginx conf with automatically renewed ssl certificate (cerbot) for NodeJS or React app (or any static files

nginx-conf

# first install certbot and then run this command on your server
# certbot certonly --authenticator standalone --pre-hook "nginx -s stop" --post-hook "nginx"
# this will stop for a few seconds your nginx server and generate your Let's Encrypt ssl certificates, and configure
# cron so that certificates are renewed automatically \o/

# now create your nginx conf for your nodejs app :

# on port 80 (http), redirect to httpS (443)
server {
	if ($host = www.your-domain.com) {
		return 301 https://$host$request_uri;
	}
	listen 80;
	server_name www.your-domain.com;
	return 404; # managed by Certbot
}

server {
	server_name www.your-domain.com;
	location / {
    # serve the node process running on port 3000
		proxy_pass http://localhost:3000;
	}
  # use certificates managed by certbot 
	listen 443 ssl; # managed by Certbot
	ssl_certificate /etc/letsencrypt/live/www.your-domain.com/fullchain.pem; # managed by Certbot
	ssl_certificate_key /etc/letsencrypt/live/www.your-domain.com/privkey.pem; # managed by Certbot
	include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
	ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

get the incoming connection ip not the local one

location / {
	proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

Cache the ssl handshake

location / {
	proxy_pass http://localhost:3000;
        proxy_cache_bypass $http_upgrade;
}

Add http2 outside but keep http 1.1 between the node app and nginx. Require => nginx 1.10.0 for http2 support

listen 443 ssl http2;

location / {
	proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
}

WebSocket support

location / {
	proxy_pass http://localhost:3000;
        proxy_set_header Upgrade $http_upgrade;
  }

load balancing

http {
    upstream nodeapp {
        server srv1.example.com;
        server srv2.example.com;
        server srv3.example.com;
    }

server {
    listen 443 ssl;

    location / {
        proxy_pass http://nodeapp;
    }
}

gzip

server {
    gzip on;
    gzip_comp_level    5;
    gzip_min_length    256;
    gzip_proxied       any;
    gzip_vary          on;

    gzip_types
    application/atom+xml
    application/javascript
    application/json
    application/ld+json
    application/manifest+json
    application/rss+xml
    application/vnd.geo+json
    application/vnd.ms-fontobject
    application/x-font-ttf
    application/x-web-app-manifest+json
    application/xhtml+xml
    application/xml
    font/opentype
    image/bmp
    image/svg+xml
    image/x-icon
    text/cache-manifest
    text/css
    text/plain
    text/vcard
    text/vnd.rim.location.xloc
    text/vtt
    text/x-component
    text/x-cross-domain-policy;
    # text/html is always compressed by gzip module
}

cache expires

# Expire rules for static content

# cache.appcache, your document html and data
location ~* \.(?:manifest|appcache|html?|xml|json)$ {
  expires -1;
}

# Feed
location ~* \.(?:rss|atom)$ {
  expires 1h;
  add_header Cache-Control "public";
}

# Media: images, icons, video, audio, HTC
location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
  expires 1M;
  access_log off;
  add_header Cache-Control "public";
}

# CSS and Javascript (require some hashed file name !)
location ~* \.(?:css|js)$ {
  expires 1y;
  access_log off;
  add_header Cache-Control "public";
}

@Goopil thx !