
     1  # proxy cache
     2  proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=mattermost_cache:10m max_size=3g inactive=120m use_temp_path=off;
     3  
     4  upstream backend {
     5    server localhost:8065;
     6    keepalive 64;
     7  }
     8  
     9  upstream frontend {
    10    server localhost:3000;
    11    keepalive 64;
    12  }
    13  
    14  server {
    15    server_name _;
    16    listen *:80 default_server;
    17    listen [::]:80 default_server;
    18  
    19  #   # redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    20  #   return 301 https://$host$request_uri;
    21  # }
    22  
    23  # server {
    24  #   server_name _;
    25  #   listen 443 ssl http2 default_server;
    26  #   listen [::]:443 ssl http2 default_server;
    27  
    28    # logging
    29    access_log /var/log/nginx/hk.access.log;
    30    error_log /var/log/nginx/hk.error.log warn;
    31  
    32    ## ssl
    33    # ssl_dhparam /config/dhparams4096.pem;
    34    # ssl_session_timeout 1d;
    35    # ssl_session_cache shared:MozSSL:10m;
    36    # ssl_session_tickets off;
    37  
    38    # intermediate configuration
    39    # ssl_protocols TLSv1.2 TLSv1.3;
    40    # ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    41    # ssl_prefer_server_ciphers off;
    42  
    43    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    44    # ssl_certificate /config/cert.pem;
    45    # ssl_certificate_key /config/key.pem;
    46  
    47    # enable TLSv1.3's 0-RTT. Use $ssl_early_data when reverse proxying to prevent replay attacks.
    48    # https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data
    49    # ssl_early_data on;
    50  
    51    # OCSP stapling
    52    # ssl_stapling on;
    53    # ssl_stapling_verify on;
    54    #resolver 1.1.1.1;
    55  
    56    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    57    #ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    58  
    59    ## security headers
    60    # https://securityheaders.com/
    61    # https://scotthelme.co.uk/tag/security-headers/
    62    add_header X-Frame-Options "SAMEORIGIN" always;
    63    add_header X-XSS-Protection "1; mode=block" always;
    64    add_header X-Content-Type-Options "nosniff" always;
    65    add_header Referrer-Policy no-referrer;
    66    add_header Strict-Transport-Security "max-age=63072000" always;
    67    add_header Permissions-Policy "interest-cohort=()";
    68  
    69    ## locations
    70    # ACME-challenge
    71    location ^~ /.well-known {
    72      default_type "text/plain";
    73      root /user/share/nginx/html;
    74      allow all;
    75    }
    76  
    77    # disable Google bots from indexing this site
    78    # location = /robots.txt {
    79    #   add_header Content-Type text/plain;
    80    #   return 200 "User-agent: *\Disallow: /\n";
    81    # }
    82  
    83    location ~ /api/v[0-9]+/(users/)?websocket$ {
    84      proxy_set_header Upgrade $http_upgrade;
    85      proxy_set_header Connection "upgrade";
    86      client_max_body_size 50M;
    87      proxy_set_header Host $http_host;
    88      proxy_set_header X-Real-IP $remote_addr;
    89      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    90      proxy_set_header X-Forwarded-Proto $scheme;
    91      proxy_set_header X-Frame-Options SAMEORIGIN;
    92      proxy_set_header Early-Data $ssl_early_data;
    93      proxy_buffers 256 16k;
    94      proxy_buffer_size 16k;
    95      client_body_timeout 60;
    96      send_timeout 300;
    97      lingering_timeout 5;
    98      proxy_connect_timeout 90;
    99      proxy_send_timeout 300;
   100      proxy_read_timeout 90s;
   101      proxy_http_version 1.1;
   102      proxy_pass http://backend;
   103    }
   104  
   105    location ~ /api/v[0-9]+/ {
   106      client_max_body_size 50M;
   107      proxy_set_header Connection "";
   108      proxy_set_header Host $http_host;
   109      proxy_set_header X-Real-IP $remote_addr;
   110      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   111      proxy_set_header X-Forwarded-Proto $scheme;
   112      proxy_set_header X-Frame-Options SAMEORIGIN;
   113      proxy_set_header Early-Data $ssl_early_data;
   114      proxy_buffers 256 16k;
   115      proxy_buffer_size 16k;
   116      proxy_read_timeout 600s;
   117      proxy_cache mattermost_cache;
   118      proxy_cache_revalidate on;
   119      proxy_cache_min_uses 2;
   120      proxy_cache_use_stale timeout;
   121      proxy_cache_lock on;
   122      proxy_http_version 1.1;
   123      proxy_pass http://backend;
   124    }
   125  
   126    location / {
   127      client_max_body_size 50M;
   128      proxy_set_header Connection "";
   129      proxy_set_header Host $http_host;
   130      proxy_set_header X-Real-IP $remote_addr;
   131      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   132      proxy_set_header X-Forwarded-Proto $scheme;
   133      proxy_set_header X-Frame-Options SAMEORIGIN;
   134      proxy_set_header Early-Data $ssl_early_data;
   135      proxy_buffers 256 16k;
   136      proxy_buffer_size 16k;
   137      proxy_read_timeout 600s;
   138      proxy_cache mattermost_cache;
   139      proxy_cache_revalidate on;
   140      proxy_cache_min_uses 2;
   141      proxy_cache_use_stale timeout;
   142      proxy_cache_lock on;
   143      proxy_http_version 1.1;
   144      proxy_pass http://frontend;
   145    }
   146  }