-
Notifications
You must be signed in to change notification settings - Fork 3
/
nginx.production.conf
183 lines (157 loc) · 7.14 KB
/
nginx.production.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
user nginx;
worker_processes auto;
events {
worker_connections 1024;
}
# Symlinked to stdout in the nginx docker image
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
http {
# Enables or disables emitting nginx version on error pages and in the
# “Server” response header field.
# Default: on
server_tokens off;
# Specify MIME types for files.
include /etc/nginx/mime.types;
# Default: text/plain
default_type application/octet-stream;
# Sets the $remote_addr to the real IP not the load balancer
set_real_ip_from 10.0.0.0; # Active load balancer
real_ip_header X-Forwarded-For;
real_ip_recursive on;
charset_types
text/css
text/plain
text/vnd.wap.wml
application/javascript
application/json
application/rss+xml
application/xml
font/woff
font/woff2
image/png;
# Include $request_time and $upstream_response_time within default format
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" '
'request_time_s=$request_time '
'upstream_response_time_s=$upstream_response_time';
# Log access to this file
# This is only used when you don't override it on a server{} level
# Default: logs/access.log combined
# Symlinked to stdout in the nginx docker image
access_log /var/log/nginx/access.log main;
# How long to allow each connection to stay idle.
# Longer values are better for each individual client, particularly for SSL,
# but means that worker connections are tied up longer.
# Default: 75s
keepalive_timeout 240s;
# Speed up file transfers by using sendfile() to copy directly
# between descriptors rather than using read()/write().
# Default: off
sendfile on;
# Don't send out partial frames; this increases throughput
# since TCP frames are filled up before being sent out.
# Default: off
tcp_nopush on;
# Enable gzip compression.
# Default: off
gzip on;
# Compression level (1-9).
# 5 is a perfect compromise between size and CPU usage, offering about
# 75% reduction for most ASCII files (almost identical to level 9).
# Default: 1
gzip_comp_level 3;
# Don't compress anything that's already small and unlikely to shrink much
# if at all (the default is 20 bytes, which is bad as that usually leads to
# larger files after gzipping).
# Default: 20
gzip_min_length 256;
# Compress data even for clients that are connecting to us via proxies,
# identified by the "Via" header.
# Default: off
gzip_proxied expired no-cache no-store private auth;
# Tell proxies to cache both the gzipped and regular version of a resource
# whenever the client's Accept-Encoding capabilities header varies;
# Avoids the issue where a non-gzip capable client (which is extremely rare
# today) would display gibberish if their proxy gave them the gzipd version.
# Default: off
gzip_vary on;
gzip_types
# text/html is always compressed by HttpGzipModule
# woff/woff2 are already compressed file formats
text/css
text/plain
text/xml
text/vnd.wap.wml
application/javascript
application/json
application/rss+xml
application/xml
application/vnd.ms-fontobject
image/svg+xml
image/x-icon
image/png;
# Ciphers set to best allow protection from Beast, while providing forwarding secrecy, as defined by Mozilla (Intermediate Set) - https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
ssl_prefer_server_ciphers on;
# Optimize SSL by caching session parameters for 10 minutes. This cuts down on the number of expensive SSL handshakes.
# The handshake is the most CPU-intensive operation, and by default it is re-negotiated on every new/parallel connection.
# By enabling a cache (of type "shared between all Nginx workers"), we tell the client to re-use the already negotiated state.
# Further optimization can be achieved by raising keepalive_timeout, but that shouldn't be done unless you serve primarily HTTPS.
ssl_session_cache shared:SSL:10m; # a 1mb cache can hold about 4000 sessions, so we can hold 40000 sessions
ssl_session_timeout 24h;
# The SSL certificate files
ssl_certificate /run/secrets/go_https_crt;
ssl_certificate_key /run/secrets/go_https_key;
# Expires mappings
map $sent_http_content_type $expires {
default off;
text/html epoch;
text/css max;
font/woff max;
font/woff2 max;
application/javascript max;
~image/ max;
}
# When searching for a virtual server by name, if name matches more than one
# of the specified variants, e.g. both wildcard name and regular expression
# match, the first matching variant will be chosen, in the following order
# of precedence
# 1. exact name
# 2. longest wildcard name starting with an asterisk, e.g. “*.example.org”
# 3. longest wildcard name ending with an asterisk, e.g. “mail.*”
# 4. first matching regular expression
server {
listen [::]:80;
listen 80;
listen [::]:443 ssl http2;
listen 443 ssl http2;
# avoiding http://go/ -> https://go/ -> https://go.company.com/ chain
server_name ~^(?P<name>^\w+\b)(\.example\.com)?$;
# .company.com sometimes needded for valid certificates
return 301 https://$name.company.com$request_uri;
}
server {
listen [::]:443 ssl http2;
listen 443 ssl http2;
# Listen on valid ssl certificate addresses
server_name *.company.com;
expires $expires;
location /api/ {
include uwsgi_params;
uwsgi_pass api:5001;
}
location / {
root /usr/share/nginx/html;
# This should be turned on if you are going to have pre-compressed copies (.gz) of
# static files available.
gzip_static on;
try_files $uri $uri/ @uwsgi;
}
location @uwsgi {
include uwsgi_params;
uwsgi_pass service:5002;
}
}
}