45 changes: 24 additions & 21 deletions nginx/default.conf
@@ -1,13 +1,32 @@
# --- Cloudflare IP header forwarding ---
# map $http_cf_connecting_ip $client_real_ip {
# default $remote_addr;
# "~." $http_cf_connecting_ip;
# }

server {
listen 80;
listen 443 ssl http2;

listen 443 ssl;
http2 on;
# Remove Nginx version from response headers
server_tokens off;

# TLS config
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers EECDH+AESGCM:EECDH+CHACHA20; # Enforce strong ciphers, might break older clients. Adjust as needed.
ssl_prefer_server_ciphers on;

# TLS certificates
# Self-signed. Adjust as needed.
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;

# Route API traffic to backend - https://example.com/service/ -> http://backend:8000/
location /service/ {
rewrite ^/service/(.*) /$1 break;

# If using Cloudflare - use this to forward the real client IP
# proxy_set_header X-Real-IP $client_real_ip;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

@@ -24,28 +43,12 @@ server {
proxy_busy_buffers_size 128k;
}

location /kms/ {
rewrite ^/kms/(.*) /kms/$1 break;

proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;

proxy_pass http://backend:8000;
proxy_redirect off;

proxy_cookie_path / "/; HttpOnly; SameSite=strict";

proxy_buffers 16 32k;
proxy_buffer_size 64k;
proxy_busy_buffers_size 128k;
}

# Route traffic to frontend - https://example.com/ -> http://frontend:3000/
location / {
include /etc/nginx/mime.types;

# If using Cloudflare - use this to forward the real client IP
# proxy_set_header X-Real-IP $client_real_ip;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
