Instantly share code, notes, and snippets.

Embed
What would you like to do?
Nginx conf with automatically renewed ssl certificate (cerbot) for NodeJS or React app (or any static files
# first install certbot and then run this command on your server
# certbot certonly --authenticator standalone --pre-hook "nginx -s stop" --post-hook "nginx"
# this will stop for a few seconds your nginx server and generate your Let's Encrypt ssl certificates, and configure
# cron so that certificates are renewed automatically \o/
# now create your nginx conf for your nodejs app :
# on port 80 (http), redirect to httpS (443)
server {
if ($host = www.your-domain.com) {
return 301 https://$host$request_uri;
}
listen 80;
server_name www.your-domain.com;
return 404; # managed by Certbot
}
server {
server_name www.your-domain.com;
location / {
# serve the node process running on port 3000
proxy_pass http://localhost:3000;
}
# use certificates managed by certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/www.your-domain.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/www.your-domain.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
@Goopil

This comment has been minimized.

Copy link

Goopil commented May 18, 2018

get the incoming connection ip not the local one

location / {
	proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
@Goopil

This comment has been minimized.

Copy link

Goopil commented May 18, 2018

Cache the ssl handshake

location / {
	proxy_pass http://localhost:3000;
        proxy_cache_bypass $http_upgrade;
}
@Goopil

This comment has been minimized.

Copy link

Goopil commented May 18, 2018

Add http2 outside but keep http 1.1 between the node app and nginx. Require => nginx 1.10.0 for http2 support

listen 443 ssl http2;

location / {
	proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
}
@Goopil

This comment has been minimized.

Copy link

Goopil commented May 18, 2018

WebSocket support

location / {
	proxy_pass http://localhost:3000;
        proxy_set_header Upgrade $http_upgrade;
  }
@Goopil

This comment has been minimized.

Copy link

Goopil commented May 18, 2018

load balancing

http {
    upstream nodeapp {
        server srv1.example.com;
        server srv2.example.com;
        server srv3.example.com;
    }

server {
    listen 443 ssl;

    location / {
        proxy_pass http://nodeapp;
    }
}
@Goopil

This comment has been minimized.

Copy link

Goopil commented May 18, 2018

gzip

server {
    gzip on;
    gzip_comp_level    5;
    gzip_min_length    256;
    gzip_proxied       any;
    gzip_vary          on;

    gzip_types
    application/atom+xml
    application/javascript
    application/json
    application/ld+json
    application/manifest+json
    application/rss+xml
    application/vnd.geo+json
    application/vnd.ms-fontobject
    application/x-font-ttf
    application/x-web-app-manifest+json
    application/xhtml+xml
    application/xml
    font/opentype
    image/bmp
    image/svg+xml
    image/x-icon
    text/cache-manifest
    text/css
    text/plain
    text/vcard
    text/vnd.rim.location.xloc
    text/vtt
    text/x-component
    text/x-cross-domain-policy;
    # text/html is always compressed by gzip module
}
@Goopil

This comment has been minimized.

Copy link

Goopil commented May 18, 2018

cache expires

# Expire rules for static content

# cache.appcache, your document html and data
location ~* \.(?:manifest|appcache|html?|xml|json)$ {
  expires -1;
}

# Feed
location ~* \.(?:rss|atom)$ {
  expires 1h;
  add_header Cache-Control "public";
}

# Media: images, icons, video, audio, HTC
location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
  expires 1M;
  access_log off;
  add_header Cache-Control "public";
}

# CSS and Javascript (require some hashed file name !)
location ~* \.(?:css|js)$ {
  expires 1y;
  access_log off;
  add_header Cache-Control "public";
}
@yann-yinn

This comment has been minimized.

Copy link
Owner

yann-yinn commented May 29, 2018

@Goopil thx !

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment