forked from decred/dcrdata
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathsample-nginx.conf
More file actions
179 lines (148 loc) · 8.04 KB
/
sample-nginx.conf
File metadata and controls
179 lines (148 loc) · 8.04 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
user www-data; # some systems use "nginx" as the user
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 1024;
}
http {
# Setup the disk-backed cache:
# sudo mkdir /var/cache/nginx
# sudo chown www-data:adm /var/cache/nginx # match the user defined at the top
# sudo chmod 750 /var/cache/nginx
# Name the cache "dcrcache":
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=dcrcache:10m;
proxy_read_timeout 3600s;
log_format main '$remote_addr - $remote_user [$time_local] $host "$request" '
'$status $body_bytes_sent (comp. $gzip_ratio) "Ref: $http_referer" '
'"$http_user_agent" "XFF: $http_x_forwarded_for" "RemoteAddr: $remote_addr"';
access_log /var/log/nginx/access.log main;
error_log /var/log/nginx/error.log;
# Do not include the exact nginx version in the Server header. With extra
# modules or a commercial nginx subscription, the Server header may be set
# to anything.
# https://stackoverflow.com/questions/246227/how-do-you-change-the-server-header-returned-by-nginx
server_tokens off;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Ensure ngx_http_realip_module is available
set_real_ip_from 127.0.0.1/32;
# If you are behind a NAT router, specify LAN
#set_real_ip_from 10.24.0/16;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
gzip on;
# configure the rest in the server sections
server {
listen 80 default_server;
server_name _;
# permanent redirect with 308 to keep method
return 308 https://$host$request_uri;
}
# per-IP rate limiting (3 requests / second on average)
limit_req_zone $binary_remote_addr zone=dcrdata:10m rate=3r/s;
limit_req_log_level error;
limit_req_status 429;
server {
listen 443 http2 ssl default_server;
server_name _;
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 5;
gzip_min_length 256;
gzip_types text/css text/* text/javascript application/x-javascript application/json
application/xml application/atom+xml application/xaml+xml application/javascript
application/x-font-ttf application/font-woff font/collection font/opentype
font/otf font/ttf image/bmp image/svg+xml image/x-icon application/octet-stream;
add_header Referrer-Policy "same-origin" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; connect-src 'self' wss://*.dcrdata.org; manifest-src 'self'" always;
add_header X-Content-Type-Options nosniff always;
add_header X-Frame-Options SAMEORIGIN always;
add_header X-XSS-Protection "1; mode=block" always;
# ssl on; # may be needed for older nginx where not in listen
ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
ssl_session_cache shared:SSL:20m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-ARIA256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM:ECDHE-ECDSA-AES128-CCM8:ECDHE-ECDSA-ARIA128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ARIA256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ARIA128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-CCM:DHE-RSA-AES256-CCM8:DHE-RSA-ARIA256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM:DHE-RSA-AES128-CCM8:DHE-RSA-ARIA128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384;
ssl_ecdh_curve X25519:secp521r1:secp384r1;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096
# Be careful with Strict-Transport-Security. Be sure you know what it means.
add_header Strict-Transport-Security max-age=15552001;
# Serve static resources directly.
location ~ ^/(css|js|images|fonts|dist|index.js) {
gzip_static on; # use .gz files for pre-compressed data
root /opt/dcrdata/public;
# Set the Cache-Control and Expires headers for the static assets.
expires modified 2d;
}
# Everything else is proxied to dcrdata.
location / {
# apply rate limiting
limit_req zone=dcrdata burst=16;
# proxy with WebSocket upgrade support
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
# Use the Server header set by the backend.
# https://stackoverflow.com/questions/246227/how-do-you-change-the-server-header-returned-by-nginx
proxy_pass_header Server;
# When the realip module is working, it sets the $remote_addr
# variable to the client IP picked out of the X-Forwarded-For
# header. Set this to X-Real-IP for the backend.
proxy_set_header X-Real-IP $remote_addr;
# Append the real client IP to any existing X-Forwarded-For.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:7777;
proxy_http_version 1.1;
# NOTE: To proxy to a non-root path like
# proxy_pass http://127.0.0.1:7777/insight";
# such as when defining
# server_name insight.domain.tld;
# it is necessary to pass the original request URI to the backend.
# Certain endpoints look for the X-Original-Request-URI request
# header. Without this, the request URI in the backend will contain
# the "/insight/" prefix and certain generated links and redirects
# may be incorrect. This is only needed for endpoints using the
# OriginalRequestURI middleware.
proxy_set_header X-Original-Request-URI $request_uri;
# When using X-Original-Request-URI along with proxy_cache, the
# cache key should use $request_uri instead of the dynamic $uri.
proxy_cache_key $scheme$proxy_host$request_uri;
# Alternatively, use $host:
# proxy_cache_key $scheme$host$uri$is_args$args;
# setup proxy cache to use "dcrcache" cache
proxy_cache dcrcache;
proxy_connect_timeout 20s;
proxy_cache_valid 200 400 404 422 20s;
proxy_cache_use_stale updating;
# proxy_cache_lock prevents multiple identical requests from hitting
# the backend at the same time.
proxy_cache_lock on;
proxy_cache_lock_age 60s;
proxy_cache_lock_timeout 60s;
error_page 501 502 503 504 /500.html;
}
# consider defining a "location /api {" block with:
# error_page 502 504 =503 @api_error_page;
location @api_error_page {
return 503;
}
# Be sure to create the 500.html file if error_page uses it.
location = /500.html {
root /var/www/html/fallback;
}
error_page 429 /rate_limiting.html;
location = /rate_limiting.html {
add_header Retry-After 30;
root /var/www/html/fallback;
}
}
}