add nginx files for deployment behind servermanager
1 parent
60d9439
commit 3721fcc
Showing
5 changed files
with
106 additions
and
26 deletions.
@@ -0,0 +1,66 @@ | ||
# [1] SSL Configuration according to Mozilla guidelines | ||
# https://wiki.mozilla.org/Security/Server_Side_TLS | ||
# https://mozilla.github.io/server-side-tls/ssl-config-generator/ | ||
# [2] Security Procedures according to OWASP | ||
# https://www.owasp.org/index.php/SCG_WS_nginx#SSL_Module | ||
# [3] https://unix.stackexchange.com/questions/94104/real-world-use-of-tcp-defer-accept | ||
# [4] OCSP fetch OCSP records from URL in ssl_certificate and cache them | ||
# https://www.digitalocean.com/community/tutorials/how-to-configure-ocsp-stapling-on-apache-and-nginx | ||
# [5] https://www.digitalocean.com/community/tutorials/understanding-nginx-http-proxying-load-balancing-buffering-and-caching | ||
# [6] http://reinout.vanrees.org/weblog/2015/11/19/nginx-proxy-gzip.html | ||
# [7] https://ma.ttias.be/enable-keepalive-connections-in-nginx-upstream-proxy-configurations/ | ||
|
||
# This file is used by ServerManager to pass requests to SupermarKit container | ||
# over the shared bridge networks | ||
|
||
upstream summonerexpert { | ||
# [7] The keepalive parameter sets the maximum number of idle keepalive connections | ||
# to upstream servers that are preserved in the cache of each worker process. When | ||
# this number is exceeded, the least recently used connections are closed. | ||
keepalive 100; | ||
|
||
# Alias used over the bridge network with ServerManager to pass to supermarkit | ||
# container | ||
server SUMMONEREXPERT:80; | ||
} | ||
|
||
# [1] HTTP Configuration | ||
server { | ||
server_name api.summonerexpert.com; | ||
|
||
# [3] Use deferred for performance optimization | ||
listen 80; | ||
|
||
# Enable IPv6 | ||
listen [::]:80; | ||
|
||
# [2] HTTP Secure Headers | ||
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"; | ||
add_header X-Frame-Options SAMEORIGIN; | ||
add_header X-Content-Type-Options nosniff; | ||
|
||
# [2] | ||
server_tokens off; | ||
|
||
location / { | ||
# [5] Pass a host to upstream server equal to the request line if present or | ||
# client request host header | ||
proxy_set_header Host $host; | ||
|
||
# [5] Must tell upstream server that the request was http or https | ||
# if not present, then if rails force_ssl is on it will keep sending | ||
# location header and instruct the browser to redirect to https | ||
proxy_set_header X-Forwarded-Proto $scheme; | ||
|
||
# [6] The gzip and proxy modules use different http module versions. In | ||
# order for gzip compresion to work you need to set the proxy module | ||
# http version to 1.1 same as the gzip module | ||
proxy_http_version 1.1; | ||
|
||
# [7] Remove the Connection header if the client sends it, | ||
# it could be "close" to close a keepalive connection | ||
proxy_set_header Connection ""; | ||
|
||
proxy_pass http://summonerexpert; | ||
} | ||
} |
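Review bot: `proxy_set_header X-Forwarded-Proto $scheme;` always sends `http` here, because this server block only listens on port 80 and `$scheme` reflects the connection nginx itself accepted, which is exactly the redirect-loop scenario the comment above it describes for Rails `force_ssl`. If ServerManager is the TLS-terminating front end (the HSTS header suggests it is), the value it sets should be relayed instead, e.g. `proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;`, and that is only safe to trust while port 80 is reachable solely from ServerManager over the bridge network, since a directly connecting client could otherwise set the header itself. The location also forwards no `X-Real-IP` or `X-Forwarded-For`, so the application and its access logs see only the proxy's address, which weakens per-client auditing and rate limiting. Separately, the comment `# [3] Use deferred for performance optimization` does not match `listen 80;`, which carries no `deferred` flag (the second file in this commit does use it); either add the flag or drop the comment.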
@@ -0,0 +1,21 @@ | ||
upstream summonerexpert { | ||
# Each service gets an entry in /etc/hosts with its name. | ||
# the app service is used to run the app and starts the server on port 3000 | ||
server app:3000; | ||
} | ||
|
||
server { | ||
listen 80 default_server deferred; | ||
listen [::]:80 default_server deferred; | ||
|
||
root /app/public; | ||
access_log /etc/nginx/log/access.log; | ||
error_log /etc/nginx/log/error.log info; | ||
|
||
location @summonerexpert { | ||
proxy_set_header Host $host; | ||
proxy_set_header X-Forwarded-Proto $scheme; | ||
|
||
proxy_pass http://summonerexpert; | ||
} | ||
} |
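Review bot: `location @summonerexpert` is a named location and nothing in this server block dispatches to it, so with only `root /app/public;` set, requests are answered from the static root (or 404) and never reach `proxy_pass http://summonerexpert;`; a `try_files` directive is needed, e.g. `location / { try_files $uri $uri/index.html @summonerexpert; }`. The hardening present in the first file of this commit (`server_tokens off;`, `add_header X-Content-Type-Options nosniff;`, `add_header X-Frame-Options SAMEORIGIN;`) is absent here, so this listener discloses the nginx version in the `Server` header and error pages; mirroring those directives keeps the two deployments consistent. The comment `# Each service gets an entry in /etc/hosts with its name.` describes container-runtime behaviour that this file cannot guarantee, so it is better phrased as an assumption, e.g. `# assumes the container runtime resolves the service name "app" (e.g. via /etc/hosts)`.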