-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathnginx.conf
117 lines (93 loc) · 3.82 KB
/
nginx.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
use epoll;
}
http {
# enumerate all the workers here
upstream frontends {
server 127.0.0.1:8000;
server 127.0.0.1:8001;
server 127.0.0.1:8002;
server 127.0.0.1:8003;
}
include /etc/nginx/mime.types;
default_type application/octet-stream;
access_log /var/log/nginx/access.log;
# this is required to get nginx running on digital ocean
types_hash_max_size 2048;
keepalive_timeout 65;
proxy_read_timeout 600;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
gzip on;
gzip_min_length 1000;
gzip_proxied any;
gzip_types text/plain text/css text/xml
application/x-javascript application/xml
application/atom+xml text/javascript;
# Only retry if there was a communication error, not a timeout
# on the server (to avoid propagating "queries of death"
# to all frontends)
proxy_next_upstream error;
# rate limit requests - the 10m is max size of memory allowed for tracking IP addresses
# the format is {number_of_requests}r/{unit_time} where the time is s for seconds or m for minutes
# see https://www.nginx.com/blog/rate-limiting-nginx/
limit_req_zone $binary_remote_addr zone=myzonekey:10m rate=1r/s;
server {
# block other domains from pointing at your server
# if ($host != www.example.com) {
# this is a special nginx code to just drop the connection and not send anything back
# return 444;
# }
# server_name www.example.com;
# allow up to burst requests without delay before enforcing the limit per ip set above
limit_req zone=myzonekey burst=10 nodelay;
# NOTE if you use Let's Encrypt you have to comment out some of the auto generated lines to support HTTP2
# see https://www.digitalocean.com/community/tutorials/how-to-set-up-nginx-with-http-2-support-on-ubuntu-18-04
listen [::]:443 ssl http2 ipv6only=on;
listen 443 ssl http2;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
# you can create a self signed certificate to test ssl locally - afterwards enable the lines below
# https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-in-ubuntu-18-04
# ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
# ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
proxy_pass_header Server;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
# the max-age value here is 1 year in seconds
add_header Cross-Origin-Embedder-Policy "require-corp" always;
add_header Cross-Origin-Opener-Policy "same-origin" always;
add_header Permissions-Policy "interest-cohort=()" always;
add_header Referrer-Policy "origin" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header X-XSS-Protection "1; mode=block" always;
location /static/ {
# root /TODO;
rewrite ^/static/(.*)$ /$1 break;
if ($query_string) {
expires max;
}
}
location / {
proxy_pass http://frontends;
}
}
server {
# redirect http to https
# if ($host = www.example.com) {
# return 301 https://$host$request_uri;
# }
listen 80;
# server_name www.example.com;
return 404;
}
}