Created
May 17, 2018 07:40
Nginx conf with automatically renewed ssl certificate (certbot) for a NodeJS or React app (or any static files)
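# first install certbot and then run this command on your server
# certbot certonly --authenticator standalone --pre-hook "nginx -s stop" --post-hook "nginx"
# this stops your nginx server for a few seconds, generates your Let's Encrypt ssl certificates, and configures
# cron so that certificates are renewed automatically \o/
# now create your nginx conf for your nodejs app :

# on port 80 (http), redirect to httpS (443)
server {
    # only requests for our own host name are redirected; anything else that
    # lands on port 80 (e.g. the bare IP, if this is the default server) gets 404
    if ($host = www.your-domain.com) {
        return 301 https://$host$request_uri;
    }
    listen 80;
    server_name www.your-domain.com;
    return 404; # managed by Certbot
}

server {
    server_name www.your-domain.com;
    location / {
        # serve the node process running on port 3000
        proxy_pass http://localhost:3000;
        # TLS ends here: without these headers the app only ever sees a plain
        # http request coming from the loopback address, so it cannot log or
        # rate-limit the real client, build correct absolute URLs, or know the
        # request was https. Only trust them in the app if port 3000 is bound
        # to loopback / firewalled, so nothing but nginx can set them.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    # HSTS: browsers that have seen this header refuse plain http for the host
    # for max-age seconds. It is sticky client-side, so start with a small value
    # (300 s here, a constructed starting point) and raise it to a year once
    # the https setup is known to work. "always" keeps it on error responses too.
    # Note: any location that declares its own add_header stops inheriting this
    # one and must repeat it.
    add_header Strict-Transport-Security "max-age=300" always;
    # use certificates managed by certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/www.your-domain.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.your-domain.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}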
Cache the ssl handshake
location / {
    proxy_pass http://localhost:3000;
    # NOTE(review): proxy_cache_bypass only decides when the proxy response
    # cache is skipped (here: for requests that carry an Upgrade header); it
    # does not cache TLS handshakes. Handshake/session reuse is configured with
    # ssl_session_cache / ssl_session_timeout, which the certbot-provided
    # options-ssl-nginx.conf include may already set — confirm the intent here.
    proxy_cache_bypass $http_upgrade;
}
Add http2 on the client-facing side but keep http 1.1 between the node app and nginx. Requires nginx >= 1.10.0 for http2 support
# HTTP/2 on the TLS listener only; the "http2" listen parameter needs nginx 1.10.0+
# NOTE(review): recent nginx releases deprecate this parameter in favour of a
# separate "http2 on;" directive — check the version actually deployed
listen 443 ssl http2;
location / {
    proxy_pass http://localhost:3000;
    # nginx speaks HTTP/1.0 to upstreams unless told otherwise; HTTP/2 is never
    # used on the upstream hop, so 1.1 is the right version for the node process
    proxy_http_version 1.1;
}
WebSocket support
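location / {
    proxy_pass http://localhost:3000;
    # A WebSocket upgrade needs HTTP/1.1 and BOTH hop-by-hop headers forwarded.
    # Passing Upgrade alone is not enough: nginx sends "Connection: close" to
    # the upstream by default, so the handshake never completes.
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    # Forcing "upgrade" on every request is the simple form; a
    # "map $http_upgrade $connection_upgrade" at http level that yields
    # "upgrade" or "close" is the cleaner choice for mixed WS/plain traffic.
    proxy_set_header Connection "upgrade";
}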
load balancing
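http {
    # pool of node instances; nginx spreads requests over them round-robin by default
    upstream nodeapp {
        server srv1.example.com;
        server srv2.example.com;
        server srv3.example.com;
    }
    server {
        # NOTE(review): ssl_certificate / ssl_certificate_key (or the certbot
        # include) are omitted in this excerpt; a TLS listener will not start
        # without them
        listen 443 ssl;
        location / {
            # TLS terminates on this host: unlike the loopback proxy_pass in the
            # main conf, the hop to srv1..srv3 is plain http across the network.
            # Keep the backends on a private network or proxy_pass https:// to
            # them, and forward Host / X-Forwarded-* as in the main conf so the
            # app sees the real client.
            proxy_pass http://nodeapp;
        }
    }
}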
gzip
server {
    # response compression for the types listed below (text/html is always included)
    gzip on;
    # 1-9; higher levels cost CPU for little extra size reduction
    gzip_comp_level 5;
    # skip small bodies where the gzip framing would outweigh the saving
    gzip_min_length 256;
    # compress even when the request arrived through another proxy
    gzip_proxied any;
    # emit "Vary: Accept-Encoding" so shared caches keep compressed and plain copies apart
    gzip_vary on;
    # NOTE(review): compressing dynamic responses over TLS is the precondition
    # for BREACH-style compression side channels. This list is mostly static
    # asset types, which is fine; avoid compressing responses that mix secrets
    # (session tokens, CSRF values) with client-controlled input, e.g. by
    # disabling gzip in the proxied app's location.
    gzip_types
        application/atom+xml
        application/javascript
        application/json
        application/ld+json
        application/manifest+json
        application/rss+xml
        application/vnd.geo+json
        application/vnd.ms-fontobject
        application/x-font-ttf
        application/x-web-app-manifest+json
        application/xhtml+xml
        application/xml
        font/opentype
        image/bmp
        image/svg+xml
        image/x-icon
        text/cache-manifest
        text/css
        text/plain
        text/vcard
        text/vnd.rim.location.xloc
        text/vtt
        text/x-component
        text/x-cross-domain-policy;
    # text/html is always compressed by gzip module
}
cache expires
# Expire rules for static content
# NOTE(review): these are regex locations and win over a prefix "location /";
# they carry no proxy_pass, so matching URIs are served from nginx's own root,
# not from the node app — confirm that is intended when the app is proxied.
# NOTE(review): an add_header inside a location replaces every add_header
# inherited from the server level (e.g. Strict-Transport-Security), so each
# location below that sets Cache-Control must repeat the server-level headers.
# cache.appcache, your document html and data
location ~* \.(?:manifest|appcache|html?|xml|json)$ {
    # negative value: Expires in the past plus "Cache-Control: no-cache"
    expires -1;
}
# Feed
location ~* \.(?:rss|atom)$ {
    expires 1h;
    add_header Cache-Control "public";
}
# Media: images, icons, video, audio, HTC
location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
    expires 1M;
    # these requests never reach the access log; remember that when
    # reconstructing activity from logs
    access_log off;
    add_header Cache-Control "public";
}
# CSS and Javascript (require some hashed file name !)
# a one-year lifetime is only safe if every deploy changes the file name
location ~* \.(?:css|js)$ {
    expires 1y;
    # same logging blind spot as above
    access_log off;
    add_header Cache-Control "public";
}
@Goopil thx !
get the incoming connection ip not the local one