04n0 · March 12, 2018 20:14
diff --git a/nginx.conf.j2 b/nginx.conf.j2
 user nginx;
 pid /var/run/nginx.pid;
 worker_processes {{ ansible_processor_vcpus }};
 worker_rlimit_nofile 409600;

 events {
  worker_connections {{ nginx_max_conns }};
  multi_accept on;
 }

 http {
  charset utf-8;
  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;
  server_tokens off;
  log_not_found off;
  types_hash_max_size 2048;
  client_max_body_size {{ nginx_client_max_body_size }};

  # mime
  include /etc/nginx/mime.types;
  default_type application/octet-stream;

  # logging
  access_log /var/log/nginx/access.log;
  error_log /var/log/nginx/error.log warn;

  # load configs
  # include /etc/nginx/conf.d/*.conf;

  # proxy configuration
  proxy_redirect off;
  proxy_set_header Host $host;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
  proxy_http_version 1.1;
  proxy_connect_timeout 90;
  proxy_send_timeout 90;
  proxy_read_timeout 90;
  proxy_buffers 32 4k;

  # workshop config
  server {
    listen {{ nginx_http_port}};
  
    server_name {{ ansible_default_ipv4.address }};
    root /usr/share/nginx/html;
  
    index index.html;
  
    # $uri, index.html
    location / {
      try_files $uri $uri/ /index.html;
    }
    
    location ~ / {
      proxy_pass http://localhost:{{ app_http_port }};
    }
  
    # security headers
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "no-referrer-when-downgrade" always;
    add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
    
    # . files
    location ~ /\. {
      deny all;
    }
    
    # assets, media
    location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
      expires 7d;
      access_log off;
    }
    
    # svg, fonts
    location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff|woff2)$ {
      add_header Access-Control-Allow-Origin "*";
      expires 7d;
      access_log off;
    }
    
    # gzip
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_types text/plain text/css text/xml application/json application/javascript application/xml+rss application/atom+xml image/svg+xml;
  }

 }
	user nginx;
	pid /var/run/nginx.pid;
	worker_processes {{ ansible_processor_vcpus }};
	worker_rlimit_nofile 409600;

	events {
	worker_connections {{ nginx_max_conns }};
	multi_accept on;
	}

	http {
	charset utf-8;
	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	server_tokens off;
	log_not_found off;
	types_hash_max_size 2048;
	client_max_body_size {{ nginx_client_max_body_size }};

	# mime
	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	# logging
	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log warn;

	# load configs
	# include /etc/nginx/conf.d/*.conf;

	# proxy configuration
	proxy_redirect off;
	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
	proxy_http_version 1.1;
	proxy_connect_timeout 90;
	proxy_send_timeout 90;
	proxy_read_timeout 90;
	proxy_buffers 32 4k;

	# workshop config
	server {
	listen {{ nginx_http_port}};

	server_name {{ ansible_default_ipv4.address }};
	root /usr/share/nginx/html;

	index index.html;

	# $uri, index.html
	location / {
	try_files $uri $uri/ /index.html;
	}

	location ~ / {
	proxy_pass http://localhost:{{ app_http_port }};
	}

	# security headers
	add_header X-Frame-Options "SAMEORIGIN" always;
	add_header X-XSS-Protection "1; mode=block" always;
	add_header X-Content-Type-Options "nosniff" always;
	add_header Referrer-Policy "no-referrer-when-downgrade" always;
	add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;

	# . files
	location ~ /\. {
	deny all;
	}

	# assets, media
	location ~* \.(?:css(\.map)?\|js(\.map)?\|jpe?g\|png\|gif\|ico\|cur\|heic\|webp\|tiff?\|mp3\|m4a\|aac\|ogg\|midi?\|wav\|mp4\|mov\|webm\|mpe?g\|avi\|ogv\|flv\|wmv)$ {
	expires 7d;
	access_log off;
	}

	# svg, fonts
	location ~* \.(?:svgz?\|ttf\|ttc\|otf\|eot\|woff\|woff2)$ {
	add_header Access-Control-Allow-Origin "*";
	expires 7d;
	access_log off;
	}

	# gzip
	gzip on;
	gzip_vary on;
	gzip_proxied any;
	gzip_comp_level 6;
	gzip_types text/plain text/css text/xml application/json application/javascript application/xml+rss application/atom+xml image/svg+xml;
	}

	}