Example of an nginx virtual host with a selective cached reverse proxy
# TO DO
# - Replace '9000' with your local port
#
# - Run certbot to generate a certificate for domain-name.com and uncomment the HTTPS section below
# $ certbot certonly --webroot -w /var/www/certbot -d www.domain-name.com -d domain-name.com
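# Backend pool for the proxied application (referenced by proxy_pass below).
# ip_hash pins each client IP to the same backend; it only has an effect once a
# second "server" line is enabled, with a single backend it is a no-op.
upstream app-server {
    ip_hash;
    # FIX: the original read "server: localhost:9000;" -- the colon after the
    # directive name is a syntax error ("unknown directive") and nginx refuses
    # to load the configuration.
    server localhost:9000;
    # server localhost:9001;   # enable when a second app instance is available
}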
# HTTPS
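# HTTPS virtual host: terminates TLS and reverse-proxies everything to
# "app-server", with nginx-side caching hints for static asset types.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.domain-name.com domain-name.com;

    # FIX: the original pointed at /etc/letsencrypt/live/sandramiralles.shop/,
    # which does not match server_name. With the certbot command from the header
    # comment the lineage directory is named after the first -d argument
    # (www.domain-name.com); adjust if you used --cert-name.
    ssl_certificate /etc/letsencrypt/live/www.domain-name.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.domain-name.com/privkey.pem;
    # FIX: TLSv1 and TLSv1.1 are deprecated (RFC 8996); only offer 1.2 and 1.3.
    # Drop the TLSv1.3 token if the installed nginx is older than 1.13.
    ssl_protocols TLSv1.2 TLSv1.3;
    # nginx's default cipher policy; excludes anonymous DH and MD5-based suites.
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/ssl/dhparams.pem;
    # NOTE(review): no Strict-Transport-Security header is sent; consider adding
    # one once the HTTPS setup is confirmed working for every subdomain.

    gzip on;
    gzip_proxied any;
    gzip_types
        text/css
        text/javascript
        text/xml
        text/plain
        image/svg+xml
        application/javascript
        application/x-javascript
        application/json;

    # Custom error pages (disabled)
    # error_page 502 = /502.html;
    # error_page 501 503 504 505 = /505.html;
    #
    # location /502.html {
    #     root /usr/share/nginx/html;
    # }
    # location /505.html {
    #     root /usr/share/nginx/html;
    # }

    # Longer cache: media and other rarely-changing binaries.
    # FIX (all three locations): the header was misspelled "X-Forwarder-For";
    # the standard name is X-Forwarded-For, which is also the header that
    # $proxy_add_x_forwarded_for appends to. If the application reads the
    # misspelled name, update it to the standard one as well.
    # The app must trust X-Real-IP / X-Forwarded-For only when they arrive
    # from this proxy, since a client can set them itself.
    location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
        expires 6d;
        access_log off;
        add_header Cache-Control "public";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://app-server;
        # HTTP/1.1 plus Upgrade/Connection pass-through so WebSocket
        # handshakes reach the backend; Connection is forced to "upgrade"
        # for every request, not only those carrying an Upgrade header.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    # Shorter cache: stylesheets and scripts.
    location ~* \.(?:css|js)$ {
        expires 2d;
        access_log off;
        add_header Cache-Control "public";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://app-server;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    # No cache: everything else goes straight to the application.
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://app-server;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}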
# HTTP
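# HTTP virtual host: serves the ACME webroot for certbot and redirects all
# other traffic to the HTTPS host.
server {
    listen 80;
    listen [::]:80;
    server_name domain-name.com www.domain-name.com;

    # certbot --webroot -w /var/www/certbot writes challenge files here.
    location /.well-known {
        root /var/www/certbot;
    }

    # FIX: "return" placed directly in the server context runs during the
    # server-level rewrite phase, before any location is selected, so the
    # original config redirected the ACME challenge too and certbot could not
    # validate over plain HTTP. Scoping the redirect to "location /" leaves
    # /.well-known reachable.
    location / {
        return 301 https://www.domain-name.com$request_uri;
    }
}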
# sudo apt install python-certbot-nginx
# certbot --nginx
# Backend pool for the certbot-managed variant below (second file of the gist;
# the upstream name collides with the first file's, so load only one of them).
upstream app-server {
# Pins each client IP to one backend; only matters once a second server is added.
ip_hash;
# NOTE(review): this variant listens on 10001, the first file on 9000 -- confirm
# which port the application actually binds.
server localhost:10001;
# server localhost:9001; # used if clustering is available
}
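# Certbot-managed virtual host: a single server block answers both HTTP and
# HTTPS, and the "if" block near the end bounces plain-HTTP requests to HTTPS.
# Lines tagged "managed by Certbot" are rewritten by "certbot --nginx".
server {
    listen 80;
    listen [::]:80;
    listen 443 ssl; # managed by Certbot
    # FIX: the original only listened on 443 over IPv4; clients that resolve
    # an AAAA record for the host got "connection refused" on HTTPS.
    listen [::]:443 ssl;
    server_name domain.com www.domain.com;

    error_page 502 = /502.html;
    error_page 501 503 504 505 = /505.html;

    gzip on;
    gzip_proxied any;
    gzip_types
        text/css
        text/javascript
        text/xml
        text/plain
        image/svg+xml
        application/javascript
        application/x-javascript
        application/json;

    # Static files served by nginx directly, never proxied.
    location /assets {
        alias /var/www/assets;
    }

    # Longer cache: media and other rarely-changing binaries.
    # FIX (all three proxied locations): the header was misspelled
    # "X-Forwarder-For"; the standard name is X-Forwarded-For, which is also the
    # header $proxy_add_x_forwarded_for appends to. If the application reads the
    # misspelled name, update it to the standard one as well.
    # The app must trust X-Real-IP / X-Forwarded-For only when they arrive
    # from this proxy, since a client can set them itself.
    location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
        expires 6d;
        access_log off;
        add_header Cache-Control "public";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://app-server;
        # HTTP/1.1 plus Upgrade/Connection pass-through so WebSocket
        # handshakes reach the backend; Connection is forced to "upgrade"
        # for every request, not only those carrying an Upgrade header.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    # Shorter cache: stylesheets and scripts.
    location ~* \.(?:css|js)$ {
        expires 2d;
        access_log off;
        add_header Cache-Control "public";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://app-server;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    # No cache: everything else goes straight to the application.
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://app-server;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    # Custom error pages referenced by error_page above.
    location /502.html {
        root /usr/share/nginx/html;
    }
    location /505.html {
        root /usr/share/nginx/html;
    }

    ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem; # managed by Certbot
    ssl_session_cache shared:le_nginx_SSL:1m; # managed by Certbot
    ssl_session_timeout 1440m; # managed by Certbot
    # FIX: TLSv1 and TLSv1.1 are deprecated (RFC 8996); only offer 1.2 and 1.3.
    # Drop the TLSv1.3 token if the installed nginx is older than 1.13.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on; # managed by Certbot
    # NOTE(review): the certbot-supplied list still ends with a 3DES suite
    # (EDH-RSA-DES-CBC3-SHA) kept for legacy clients; remove it if none remain.
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256 EDH-RSA-DES-CBC3-SHA"; # managed by Certbot

    # Redirect non-https traffic to https. Being in the server context this
    # runs before location matching, so it applies to every request on port 80.
    # (The duplicate commented-out copy of this block from the original was removed.)
    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    ssl_dhparam /etc/ssl/dhparams.pem;
}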