forked from Seneca-CDOT/telescope
-
Notifications
You must be signed in to change notification settings - Fork 0
/
nginx.conf
160 lines (134 loc) · 5.08 KB
/
nginx.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
# Let nginx pick how many worker processes to run (based on CPU cores)
worker_processes auto;
events {
# Number of simultaneous client connections we can handle per worker
worker_connections 1024;
# Reduce CPU load (requires Linux 2.6 or later)
use epoll;
}
http {
include mime.types;
default_type application/octet-stream;
# Use utf-8 for the charset on our content-type headers
charset utf-8;
# Improve the efficiency of writes
sendfile on;
# levels - Defines hierarchy levels
# keys_zone - Name for these settings
# inactive - Cached data that are not accessed during the time specified by the inactive parameter get removed from the cache regardless of their freshness
# max_size - When this size is exceeded, it removes the least recently used data
# use_temp_path - Use a temp directory before moving all cached files into the cache directory
proxy_cache_path /tmp/nginx levels=1:2 keys_zone=telescope_cache:10m inactive=60m max_size=100M use_temp_path=off;
proxy_cache_key "$scheme$request_method$host$request_uri";
# Enable gzip compression (level 6) for text file types over 256 bytes.
gzip on;
gzip_min_length 256;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_vary on;
gzip_http_version 1.1;
gzip_proxied any;
gzip_types
text/css
text/plain
text/cache-manifest
text/javascript
application/javascript
application/json
application/ld+json
application/manifest+json
application/x-javascript
application/xml
application/xml+rss
application/xhtml+xml
application/x-font-ttf
application/x-font-opentype
application/vnd.ms-fontobject
image/svg+xml
image/x-icon
application/rss+xml
application/atom_xml;
server {
listen 80 default_server;
server_name _;
return 307 https://$host$request_uri;
}
server {
listen 443 ssl http2;
server_name telescope.cdot.systems;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_certificate /etc/letsencrypt/live/telescope.cdot.systems/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/telescope.cdot.systems/privkey.pem;
# Following SSL configs are from https://ssl-config.mozilla.org/ (Intermediate)
# Types + size of caches storing session params
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
# HSTS
add_header Strict-Transport-Security "max-age=63072000" always;
# OCSP stapling we can verify this by using the site
# https://www.digicert.com/kb/ssl-support/nginx-enable-ocsp-stapling-on-server.htm
ssl_stapling on;
ssl_stapling_verify on;
# Verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/telescope.cdot.systems/chain.pem;
# Let's Encrypt route
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# Non-cached routes /admin /user /health /auth
location ~ ^/(admin|user|health|auth) {
proxy_cache_bypass 1;
proxy_pass http://telescope_production:3000;
}
# Cache content served by /legacy forever
location /legacy {
expires max;
add_header Cache-Control "public, max-age=31536000, immutable";
proxy_pass http://telescope_production:3000;
}
# Static content
location / {
# Directory from which we serve Gatsby's static content
root /var/www/data;
# Specify cache behaviour, see docs: https://www.gatsbyjs.org/docs/caching.
# 1. Don't cache HTML
location ~* \.(?:html)$ {
add_header Cache-Control "public, max-age=0";
}
# 2. Don't cache /page-data (including app-data.json)
location /page-data {
add_header Cache-Control "public, max-age=0";
}
# 3. Don't cache the service worker /sw.js script, see:
location = /sw.js {
add_header Cache-Control "public, max-age=0";
}
# 4. Files in icons/ and static/ can be cached forever
location ~ ^/(static|icons) {
expires max;
add_header Cache-Control "public, max-age=31536000, immutable";
}
# 5. Cache js and css forever
location ~* \.(?:js|css)$ {
expires max;
add_header Cache-Control "public, max-age=31536000, immutable";
}
# Try serving static content, and if not found continue with @proxy
try_files $uri $uri/ @proxy;
}
location @proxy {
proxy_cache telescope_cache;
# Defines conditions under which the response will not be taken from a cache
# In this case, cache will be ignored when requested from client
proxy_cache_bypass $http_cache_control;
# Sets caching time for different response codes
proxy_cache_valid 200 307 10m;
proxy_cache_valid 404 1m;
# Disables processing of certain response header fields from the proxied server
proxy_ignore_headers "Cache-Control" "Expires";
# Added 'X-Proxy-Cache' header to be able to monitor caching
add_header X-Proxy-Cache $upstream_cache_status;
proxy_pass http://telescope_production:3000;
}
}
}