diff --git a/README.md b/README.md index 9ac636d..2e6b608 100644 --- a/README.md +++ b/README.md @@ -69,6 +69,7 @@ for possible values. The default value is `warn`. | BEACH_NGINX_CUSTOM_METRICS_SOURCE_PATH | string | /metrics | Path where metrics are located | | BEACH_NGINX_CUSTOM_METRICS_TARGET_PORT | integer | 8082 | Port at which Nginx should listen to provide the metrics for scraping | | BEACH_NGINX_MODE | string | Flow | Either "Flow" or "Static"; this variable is going to be renamed in the future | +| BEACH_STATIC_RESOURCES_LIFETIME | string | 30d | Expiration time for static resources; examples: "3600s" or "7d" or "max" | FLOW_HTTP_TRUSTED_PROXIES | string | 10.0.0.0/8 | Nginx passes FLOW_HTTP_TRUSTED_PROXIES to the virtual host using the value of this variable | ## Security aspects diff --git a/root-files/opt/flownative/lib/nginx-legacy.sh b/root-files/opt/flownative/lib/nginx-legacy.sh index d127749..231459e 100644 --- a/root-files/opt/flownative/lib/nginx-legacy.sh +++ b/root-files/opt/flownative/lib/nginx-legacy.sh @@ -116,9 +116,16 @@ server { log_not_found off; } - location = /favicon.ico { + location = /site.webmanifest { log_not_found off; access_log off; + expires ${NGINX_STATIC_FILES_LIFETIME}; + } + + location ~ ^/(android-chrome-.+|apple-touch-icon|favicon.*|mstile-.+|safari-pinned-tab).(png|svg|jpg|ico)$ { + log_not_found off; + access_log off; + expires ${NGINX_STATIC_FILES_LIFETIME}; } EOM @@ -184,7 +191,7 @@ EOM # pass persistent resource requests to GCS location ~* "^${BEACH_PERSISTENT_RESOURCES_BASE_PATH}([a-f0-9]{40})/" { resolver 8.8.8.8; - expires 3600; + expires ${NGINX_STATIC_FILES_LIFETIME}; proxy_set_header Authorization ""; add_header Via 'Beach Asset Proxy'; ${addHeaderStrictTransportSecurity} 
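Review bot: `${NGINX_STATIC_FILES_LIFETIME}` is expanded by the heredoc straight into `expires ...;` in both new locations of the `@@ -116` hunk with no check on its value, so a typo breaks the generated site.conf at start-up and a value containing `;` or `}` would add directives to it. The same unchecked expansion recurs in the hunks at -184, -193, -209 and -221. I would validate once before the first heredoc that uses it, e.g. `case "${NGINX_STATIC_FILES_LIFETIME}" in ''|*[!A-Za-z0-9@-]*) echo "invalid NGINX_STATIC_FILES_LIFETIME" >&2; exit 1 ;; esac`, widening the class only if forms with spaces are meant to be supported. Separately, the `.` before `(png|svg|jpg|ico)` in the new regex is unescaped and matches any character; `\.` would pin it to a literal dot. The function that writes this server block starts and ends outside the hunk.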
@@ -193,9 +200,9 @@ EOM EOM elif [ -n "${BEACH_PERSISTENT_RESOURCES_FALLBACK_BASE_URI}" ]; then cat >>"${NGINX_CONF_PATH}/sites-enabled/site.conf" <<-EOM - location ~* ^/_Resources/Persistent/(.*)$ { + location ~* "^${BEACH_PERSISTENT_RESOURCES_BASE_PATH}(.*)$ { access_log off; - expires 3600; + expires ${NGINX_STATIC_FILES_LIFETIME}; add_header Via '\$hostname' always; ${addHeaderStrictTransportSecurity} try_files \$uri @fallback; @@ -209,7 +216,16 @@ EOM proxy_pass \$assetUri; } EOM - + else + cat >>"${NGINX_CONF_PATH}/sites-enabled/site.conf" <<-EOM + location ~* ^/_Resources/Persistent/(.*)$ { + access_log off; + expires ${NGINX_STATIC_FILES_LIFETIME}; + add_header Via '\$hostname' always; + ${addHeaderStrictTransportSecurity} + try_files \$uri -404; + } +EOM fi cat >>"${NGINX_CONF_PATH}/sites-enabled/site.conf" <<-EOM @@ -221,9 +237,9 @@ EOM # for all static resources location ~ ^/_Resources/Static/ { - add_header Via '\$hostname' always; + add_header X-Static-Resource '\$hostname' always; access_log off; - expires 3600; + expires ${NGINX_STATIC_FILES_LIFETIME}; } } EOM diff --git a/root-files/opt/flownative/lib/nginx.sh b/root-files/opt/flownative/lib/nginx.sh index f412869..7716b33 100755 --- a/root-files/opt/flownative/lib/nginx.sh +++ b/root-files/opt/flownative/lib/nginx.sh @@ -38,6 +38,8 @@ export NGINX_CACHE_BACKGROUND_UPDATE="${NGINX_CACHE_BACKGROUND_UPDATE:-off}" export NGINX_CUSTOM_ERROR_PAGE_CODES="${NGINX_CUSTOM_ERROR_PAGE_CODES:-500 501 502 503}" export NGINX_CUSTOM_ERROR_PAGE_TARGET="${NGINX_CUSTOM_ERROR_PAGE_TARGET:-}" +export NGINX_STATIC_FILES_LIFETIME=${NGINX_STATIC_FILES_LIFETIME:-30d} + export PATH="${PATH}:${NGINX_BASE_PATH}/bin" EOF }
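Review bot: The new location line in the `@@ -193` hunk opens a double quote before `^${BEACH_PERSISTENT_RESOURCES_BASE_PATH}` and never closes it, so nginx will read on to the next `"` in the generated site.conf and most likely refuse to load the file. The GCS branch in the previous hunk closes its quote, and this line should match it: `location ~* "^${BEACH_PERSISTENT_RESOURCES_BASE_PATH}(.*)$" {`. The variable is also placed inside a regular expression unescaped, so it is worth confirming that it is always set and holds only a plain path when this fallback branch runs. The surrounding if/elif block begins outside the hunk.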
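Review bot: `try_files \$uri -404;` in the new else branch of the `@@ -209` hunk passes `-404` as the final argument, which nginx treats as a URI for an internal redirect rather than a status code, so a missing persistent resource would probably not produce a plain 404. The status-code form needs an equals sign: `try_files \$uri =404;`. This branch also hard-codes `/_Resources/Persistent/` while the elif branch in the previous hunk was just switched to `${BEACH_PERSISTENT_RESOURCES_BASE_PATH}`; if that difference is intended, a one-line comment saying why would help. The if/elif chain begins outside the hunk.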
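Review bot: The static-resources location in the `@@ -221` hunk now sends `X-Static-Resource '\$hostname'` while the persistent-resource locations in the earlier hunks keep `Via '\$hostname'`, and nothing in the commit explains the difference or documents the new header. Either header publishes the server's host name to every client, which in a container setup is typically an internal instance name. I would add a comment above the line such as `# debugging aid: identifies the instance that served the static file`, and consider whether a fixed value would serve the same purpose. The server block continues outside the hunk.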
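Review bot: The README hunk documents `BEACH_STATIC_RESOURCES_LIFETIME`, but this export in nginx.sh and every `expires` line read `NGINX_STATIC_FILES_LIFETIME`, and no mapping between the two is visible in the diff, so the documented variable appears to have no effect. Either rename the README entry or derive the default from it: `export NGINX_STATIC_FILES_LIFETIME="${NGINX_STATIC_FILES_LIFETIME:-${BEACH_STATIC_RESOURCES_LIFETIME:-30d}}"`. The new line is also the only export in this hunk without double quotes around the value, so a value containing a space would be split when the generated export is evaluated. The exports appear to sit inside a heredoc in a function that starts outside the hunk.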