This repository has been archived by the owner on Aug 18, 2019. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 1
/
nginx.conf
100 lines (86 loc) · 3.32 KB
/
nginx.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
# This config file is an example of your overall server config.
# It includes sweetroll-site.nginx.conf.
#
# To run a test nginx instance with this config in development, run something like this:
# $ openssl req -x509 -newkey rsa:2048 -nodes -sha256 -subj "/CN=localhost" -keyout key.pem -out cert.pem -days 365
# $ sudo nginx -p `pwd` -c nginx.conf
daemon off;
error_log /dev/stderr notice;
pid .nginx.pid;
# When actually in production, enable the brotli compression module in addition to gzip
# (on FreeBSD, rebuild nginx from ports with the BROTLI option, and use these paths):
# load_module "/usr/local/libexec/nginx/ngx_http_brotli_filter_module.so";
# load_module "/usr/local/libexec/nginx/ngx_http_brotli_static_module.so";
pcre_jit on;
events {
worker_connections 2048;
}
http {
access_log /dev/stdout;
include /usr/local/etc/nginx/mime.types; # In production, probably just mime.types without the path, since the nginx root will be the default
default_type application/octet-stream;
server_tokens off;
tcp_nopush on;
tcp_nodelay on;
# File serving tweaks. Read the docs for nginx and your OS!
# Basically if you enable everything, nginx will pick the ~best available option.
# (not everything is always available, e.g. sendfile doesn't work over TLS unless you're Netflix)
# directio 1m;
# aio on;
# sendfile on;
gzip on;
gzip_min_length 1024;
gzip_comp_level 6;
gzip_proxied any;
gzip_vary on;
gzip_static on;
gzip_types text/html text/plain text/css application/javascript application/json image/svg+xml application/xml+rss;
# Don't forget to enable this if you load the brotli module!
# brotli on;
# brotli_min_length 1024;
# brotli_comp_level 5;
# brotli_static on;
# brotli_types text/html text/plain text/css application/javascript application/json image/svg+xml application/xml+rss;
# In production, you can use UNIX domain sockets instead of TCP ports in the upstreams:
upstream sweetroll-be {
server localhost:3000;
keepalive 5; # https://ma.ttias.be/enable-keepalive-connections-in-nginx-upstream-proxy-configurations/
}
upstream sweetroll-fe {
server localhost:3300;
keepalive 5;
}
upstream sweetroll-mu {
server localhost:3333;
keepalive 5;
}
limit_req_zone $binary_remote_addr zone=be:512k rate=1r/s;
limit_req_zone $binary_remote_addr zone=live:2m rate=1r/s;
server {
# listen 80 default_server;
listen 443 ssl http2 default_server; # accept_filter=dataready
listen [::]:443 ssl http2 default_server; # accept_filter=dataready
ssl_certificate cert.pem;
ssl_certificate_key key.pem;
#ssl_dhparam dhparam.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AESGCM:EECDH+AES256:EDH+AES';
ssl_ecdh_curve X25519:secp384r1;
ssl_buffer_size 4k;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 30m;
ssl_session_tickets off;
# In production, use OCSP stapling:
# ssl_stapling on;
# ssl_stapling_verify on;
# resolver [2001:4860:4860::8888] [2001:4860:4860::8844] 216.146.35.35 216.146.36.36 valid=120s;
# resolver_timeout 8s;
# Short timeouts for development
proxy_connect_timeout 5s;
proxy_read_timeout 10s;
# In production, the absolute path to the parent of sweetroll-fe/dist:
root "sweetroll-fe";
include sweetroll-site.nginx.conf;
}
}