jgeiger · December 24, 2021 06:23
diff --git a/nginx.conf b/nginx.conf
 user  www-data;
 worker_processes  2;

 worker_rlimit_nofile 8192;

 events {
  worker_connections 4096;
  multi_accept on;
  use epoll;
 }

 http {
  server_tokens off;

  include       mime.types;
  default_type  application/octet-stream;

  charset_types text/xml text/plain text/vnd.wap.wml application/x-javascript application/rss+xml text/css application/javascript application/json;

  log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    '$status $body_bytes_sent "$http_referer" '
    '"$http_user_agent" "$http_x_forwarded_for"';

  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;

  keepalive_timeout  65;

  gzip on;
  gzip_static on;
  gzip_proxied any;
  gzip_buffers 16 8k;
  gzip_min_length 256;
  gzip_comp_level 5;
  gzip_vary on;
  gzip_types
    application/atom+xml
    application/javascript
    application/x-javascript
    application/json
    application/rss+xml
    application/vnd.ms-fontobject
    application/x-font-ttf
    application/x-web-app-manifest+json
    application/xhtml+xml
    application/xml
    font/opentype
    image/svg+xml
    image/x-icon
    text/css
    text/xml
    text/js
    text/javascript
    text/plain
    text/x-component;

  upstream api {
    server 127.0.0.1:3001;
    server 127.0.0.1:3002;
    server 127.0.0.1:3003;
    server 127.0.0.1:3004;
    server 127.0.0.1:3005;
    hash   $cookie_stream_id;
  }

  server {
    listen [::]:80;
    listen 80;
    server_name localhost;

 # Path for static files
    root /home/sites/nexia_diagnostics/current/adapters/web_server/public;

 #Specify a charset
    charset utf-8;

    location / {
      try_files $uri @app;
    }

    location @app {
 # magic for eventsource proxying
 # http://zerolith.com/sinatra-streaming-nginx-proxy.html
 # http://stackoverflow.com/questions/13672743/eventsource-server-sent-events-through-nginx

      if ($http_x_forwarded_proto != 'https') {
        rewrite ^ https://$host$request_uri? permanent;
      }

      proxy_set_header Connection '';
      proxy_http_version 1.1;
      chunked_transfer_encoding off;
      proxy_buffering off;

      proxy_set_header  X-Real-IP  $remote_addr;
      proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header  X-Forwarded-Proto $scheme;
      proxy_set_header Host $host:$server_port;
      proxy_redirect off;

      proxy_pass http://api;
    }

 # This tells Nginx to cache open file handles, "not found" errors, metadata about files and their permissions, etc.
 #
 # The upside of this is that Nginx can immediately begin sending data when a popular file is requested,
 # and will also know to immediately send a 404 if a file is missing on disk, and so on.
 #
 # However, it also means that the server won't react immediately to changes on disk, which may be undesirable.
 #
 # In the below configuration, inactive files are released from the cache after 20 seconds, whereas
 # active (recently requested) files are re-validated every 30 seconds.
 #
 # Descriptors will not be cached unless they are used at least 2 times within 20 seconds (the inactive time).
 #
 # A maximum of the 1000 most recently used file descriptors can be cached at any time.
 #
 # Production servers with stable file collections will definitely want to enable the cache.
    open_file_cache          max=1000 inactive=20s;
    open_file_cache_valid    30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors   on;
 # Cross domain AJAX requests

 # **Security Warning**
 # Do not use this without understanding the consequences.
 # This will permit access from any other website.
 #
 # add_header "Access-Control-Allow-Origin" "*";

 # Instead of using this file, consider using a specific rule such as:
 #
 # Allow access based on [sub]domain:
 #    add_header "Access-Control-Allow-Origin" "subdomain.example.com";
 # OR
    add_header "Access-Control-Allow-Origin" "*.mynexia.com";

 # The X-Frame-Options header indicates whether a browser should be allowed
 # to render a page within a frame or iframe.
    add_header X-Frame-Options SAMEORIGIN;

 # MIME type sniffing security protection
 #There are very few edge cases where you wouldn't want this enabled.
    add_header X-Content-Type-Options nosniff;

 # The X-XSS-Protection header is used by Internet Explorer version 8+
 # The header instructs IE to enable its inbuilt anti-cross-site scripting filter.
    add_header X-XSS-Protection "1; mode=block";

 # with Content Security Policy (CSP) enabled (and a browser that supports it (http://caniuse.com/#feat=contentsecuritypolicy),
 # you can tell the browser that it can only download content from the domains you explicitly allow
 # CSP can be quite difficult to configure, and cause real issues if you get it wrong
 # There is website that helps you generate a policy here http://cspisawesome.com/
 # add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' https://www.google-analytics.com;";
 # Prevent mobile network providers from modifying your site
 #
 # (!) If you are using `ngx_pagespeed`, please note that setting
 # the `Cache-Control: no-transform` response header will prevent
 # `PageSpeed` from rewriting `HTML` files, and, if
 # `pagespeed DisableRewriteOnNoTransform off` is not used, also
 # from rewriting other resources.
 #
 # https://developers.google.com/speed/pagespeed/module/configuration#notransform

    add_header "Cache-Control" "no-transform";

 # Force the latest IE version
    add_header "X-UA-Compatible" "IE=Edge";
 # Built-in filename-based cache busting

 # https://github.com/h5bp/html5-boilerplate/blob/5370479476dceae7cc3ea105946536d6bc0ee468/.htaccess#L403
 # This will route all requests for /css/style.20120716.css to /css/style.css
 # Read also this: github.com/h5bp/html5-boilerplate/wiki/cachebusting
 # This is not included by default, because it'd be better if you use the build
 # script to manage the file names.
    location ~* (.+)\.(?:\d+)\.(js|css|png|jpg|jpeg|gif)$ {
      try_files $uri $1.$2;
    }

 # Cross domain webfont access
    location ~* \.(?:ttf|ttc|otf|eot|woff|woff2)$ {
      include h5bp/directive-only/cross-domain-insecure.conf;

 # Also, set cache rules for webfonts.
 #
 # See http://wiki.nginx.org/HttpCoreModule#location
 # And https://github.com/h5bp/server-configs/issues/85
 # And https://github.com/h5bp/server-configs/issues/86
      expires 1M;
      access_log off;
      add_header Cache-Control "public";
    }
 # Expire rules for static content

 # No default expire rule. This config mirrors that of apache as outlined in the
 # html5-boilerplate .htaccess file. However, nginx applies rules by location,
 # the apache rules are defined by type. A concequence of this difference is that
 # if you use no file extension in the url and serve html, with apache you get an
 # expire time of 0s, with nginx you'd get an expire header of one month in the
 # future (if the default expire rule is 1 month). Therefore, do not use a
 # default expire rule with nginx unless your site is completely static

 # Feed
    location ~* \.(?:rss|atom)$ {
      expires 1h;
      add_header Cache-Control "public";
    }

 # Media: images, icons, video, audio, HTC
    location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
      expires 1M;
      access_log off;
      add_header Cache-Control "public";
    }

 # CSS and Javascript
    location ~* \.(?:css|js)$ {
      expires 1y;
      access_log off;
      add_header Cache-Control "public";
    }

 # Prevent clients from accessing hidden files (starting with a dot)
 # This is particularly important if you store .htpasswd files in the site hierarchy
    location ~* (?:^|/)\. {
      deny all;
    }

 # Prevent clients from accessing to backup/config/source files
    location ~* (?:\.(?:bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist)|~)$ {
      deny all;
    }
  }
 }
	user www-data;
	worker_processes 2;

	worker_rlimit_nofile 8192;

	events {
	worker_connections 4096;
	multi_accept on;
	use epoll;
	}

	http {
	server_tokens off;

	include mime.types;
	default_type application/octet-stream;

	charset_types text/xml text/plain text/vnd.wap.wml application/x-javascript application/rss+xml text/css application/javascript application/json;

	log_format main '$remote_addr - $remote_user [$time_local] "$request" '
	'$status $body_bytes_sent "$http_referer" '
	'"$http_user_agent" "$http_x_forwarded_for"';

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;

	keepalive_timeout 65;

	gzip on;
	gzip_static on;
	gzip_proxied any;
	gzip_buffers 16 8k;
	gzip_min_length 256;
	gzip_comp_level 5;
	gzip_vary on;
	gzip_types
	application/atom+xml
	application/javascript
	application/x-javascript
	application/json
	application/rss+xml
	application/vnd.ms-fontobject
	application/x-font-ttf
	application/x-web-app-manifest+json
	application/xhtml+xml
	application/xml
	font/opentype
	image/svg+xml
	image/x-icon
	text/css
	text/xml
	text/js
	text/javascript
	text/plain
	text/x-component;

	upstream api {
	server 127.0.0.1:3001;
	server 127.0.0.1:3002;
	server 127.0.0.1:3003;
	server 127.0.0.1:3004;
	server 127.0.0.1:3005;
	hash $cookie_stream_id;
	}

	server {
	listen [::]:80;
	listen 80;
	server_name localhost;

	# Path for static files
	root /home/sites/nexia_diagnostics/current/adapters/web_server/public;

	#Specify a charset
	charset utf-8;

	location / {
	try_files $uri @app;
	}

	location @app {
	# magic for eventsource proxying
	# http://zerolith.com/sinatra-streaming-nginx-proxy.html
	# http://stackoverflow.com/questions/13672743/eventsource-server-sent-events-through-nginx

	if ($http_x_forwarded_proto != 'https') {
	rewrite ^ https://$host$request_uri? permanent;
	}

	proxy_set_header Connection '';
	proxy_http_version 1.1;
	chunked_transfer_encoding off;
	proxy_buffering off;

	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto $scheme;
	proxy_set_header Host $host:$server_port;
	proxy_redirect off;

	proxy_pass http://api;
	}

	# This tells Nginx to cache open file handles, "not found" errors, metadata about files and their permissions, etc.
	#
	# The upside of this is that Nginx can immediately begin sending data when a popular file is requested,
	# and will also know to immediately send a 404 if a file is missing on disk, and so on.
	#
	# However, it also means that the server won't react immediately to changes on disk, which may be undesirable.
	#
	# In the below configuration, inactive files are released from the cache after 20 seconds, whereas
	# active (recently requested) files are re-validated every 30 seconds.
	#
	# Descriptors will not be cached unless they are used at least 2 times within 20 seconds (the inactive time).
	#
	# A maximum of the 1000 most recently used file descriptors can be cached at any time.
	#
	# Production servers with stable file collections will definitely want to enable the cache.
	open_file_cache max=1000 inactive=20s;
	open_file_cache_valid 30s;
	open_file_cache_min_uses 2;
	open_file_cache_errors on;
	# Cross domain AJAX requests

	# Security Warning
	# Do not use this without understanding the consequences.
	# This will permit access from any other website.
	#
	# add_header "Access-Control-Allow-Origin" "*";

	# Instead of using this file, consider using a specific rule such as:
	#
	# Allow access based on [sub]domain:
	# add_header "Access-Control-Allow-Origin" "subdomain.example.com";
	# OR
	add_header "Access-Control-Allow-Origin" "*.mynexia.com";

	# The X-Frame-Options header indicates whether a browser should be allowed
	# to render a page within a frame or iframe.
	add_header X-Frame-Options SAMEORIGIN;

	# MIME type sniffing security protection
	#There are very few edge cases where you wouldn't want this enabled.
	add_header X-Content-Type-Options nosniff;

	# The X-XSS-Protection header is used by Internet Explorer version 8+
	# The header instructs IE to enable its inbuilt anti-cross-site scripting filter.
	add_header X-XSS-Protection "1; mode=block";

	# with Content Security Policy (CSP) enabled (and a browser that supports it (http://caniuse.com/#feat=contentsecuritypolicy),
	# you can tell the browser that it can only download content from the domains you explicitly allow
	# CSP can be quite difficult to configure, and cause real issues if you get it wrong
	# There is website that helps you generate a policy here http://cspisawesome.com/
	# add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' https://www.google-analytics.com;";
	# Prevent mobile network providers from modifying your site
	#
	# (!) If you are using `ngx_pagespeed`, please note that setting
	# the `Cache-Control: no-transform` response header will prevent
	# `PageSpeed` from rewriting `HTML` files, and, if
	# `pagespeed DisableRewriteOnNoTransform off` is not used, also
	# from rewriting other resources.
	#
	# https://developers.google.com/speed/pagespeed/module/configuration#notransform

	add_header "Cache-Control" "no-transform";

	# Force the latest IE version
	add_header "X-UA-Compatible" "IE=Edge";
	# Built-in filename-based cache busting

	# https://github.com/h5bp/html5-boilerplate/blob/5370479476dceae7cc3ea105946536d6bc0ee468/.htaccess#L403
	# This will route all requests for /css/style.20120716.css to /css/style.css
	# Read also this: github.com/h5bp/html5-boilerplate/wiki/cachebusting
	# This is not included by default, because it'd be better if you use the build
	# script to manage the file names.
	location ~* (.+)\.(?:\d+)\.(js\|css\|png\|jpg\|jpeg\|gif)$ {
	try_files $uri $1.$2;
	}

	# Cross domain webfont access
	location ~* \.(?:ttf\|ttc\|otf\|eot\|woff\|woff2)$ {
	include h5bp/directive-only/cross-domain-insecure.conf;

	# Also, set cache rules for webfonts.
	#
	# See http://wiki.nginx.org/HttpCoreModule#location
	# And https://github.com/h5bp/server-configs/issues/85
	# And https://github.com/h5bp/server-configs/issues/86
	expires 1M;
	access_log off;
	add_header Cache-Control "public";
	}
	# Expire rules for static content

	# No default expire rule. This config mirrors that of apache as outlined in the
	# html5-boilerplate .htaccess file. However, nginx applies rules by location,
	# the apache rules are defined by type. A concequence of this difference is that
	# if you use no file extension in the url and serve html, with apache you get an
	# expire time of 0s, with nginx you'd get an expire header of one month in the
	# future (if the default expire rule is 1 month). Therefore, do not use a
	# default expire rule with nginx unless your site is completely static

	# Feed
	location ~* \.(?:rss\|atom)$ {
	expires 1h;
	add_header Cache-Control "public";
	}

	# Media: images, icons, video, audio, HTC
	location ~* \.(?:jpg\|jpeg\|gif\|png\|ico\|cur\|gz\|svg\|svgz\|mp4\|ogg\|ogv\|webm\|htc)$ {
	expires 1M;
	access_log off;
	add_header Cache-Control "public";
	}

	# CSS and Javascript
	location ~* \.(?:css\|js)$ {
	expires 1y;
	access_log off;
	add_header Cache-Control "public";
	}

	# Prevent clients from accessing hidden files (starting with a dot)
	# This is particularly important if you store .htpasswd files in the site hierarchy
	location ~* (?:^\|/)\. {
	deny all;
	}

	# Prevent clients from accessing to backup/config/source files
	location ~* (?:\.(?:bak\|config\|sql\|fla\|psd\|ini\|log\|sh\|inc\|swp\|dist)\|~)$ {
	deny all;
	}
	}
	}