105 lines
3.1 KiB
Plaintext
105 lines
3.1 KiB
Plaintext
# HTTP server - redirect to HTTPS (uncomment in production with SSL)
|
|
# server {
|
|
# listen 80;
|
|
# server_name your-domain.com;
|
|
# return 301 https://$server_name$request_uri;
|
|
# }
|
|
|
|
# Main server configuration
|
|
server {
|
|
listen 80;
|
|
# listen 443 ssl http2; # Uncomment for HTTPS
|
|
server_name localhost;
|
|
|
|
# SSL configuration (uncomment in production)
|
|
# ssl_certificate /etc/nginx/ssl/fullchain.pem;
|
|
# ssl_certificate_key /etc/nginx/ssl/privkey.pem;
|
|
# ssl_session_timeout 1d;
|
|
# ssl_session_cache shared:SSL:50m;
|
|
# ssl_session_tickets off;
|
|
# ssl_protocols TLSv1.2 TLSv1.3;
|
|
# ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
|
|
# ssl_prefer_server_ciphers off;
|
|
|
|
# Security headers
|
|
add_header X-Frame-Options "SAMEORIGIN" always;
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
add_header X-XSS-Protection "1; mode=block" always;
|
|
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
|
|
|
# Client body size limit
|
|
client_max_body_size 10M;
|
|
|
|
# API endpoints
|
|
location /api/ {
|
|
# Rate limiting
|
|
limit_req zone=api_limit burst=20 nodelay;
|
|
limit_conn conn_limit 10;
|
|
|
|
# Proxy settings
|
|
proxy_pass http://api_servers;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection 'upgrade';
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_cache_bypass $http_upgrade;
|
|
|
|
# Timeouts
|
|
proxy_connect_timeout 60s;
|
|
proxy_send_timeout 60s;
|
|
proxy_read_timeout 60s;
|
|
}
|
|
|
|
# Health check endpoint
|
|
location /health {
|
|
proxy_pass http://api_servers;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
|
|
# API documentation
|
|
location /api-docs {
|
|
proxy_pass http://api_servers;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
|
|
# Static file uploads
|
|
location /uploads/ {
|
|
proxy_pass http://api_servers;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
|
|
# Cache static files
|
|
proxy_cache_valid 200 1d;
|
|
expires 1d;
|
|
add_header Cache-Control "public, immutable";
|
|
}
|
|
|
|
# Deny access to hidden files
|
|
location ~ /\. {
|
|
deny all;
|
|
access_log off;
|
|
log_not_found off;
|
|
}
|
|
|
|
# Error pages
|
|
error_page 500 502 503 504 /50x.html;
|
|
location = /50x.html {
|
|
root /usr/share/nginx/html;
|
|
internal;
|
|
}
|
|
}
|