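# /etc/nginx/nginx.conf
#
# Rendered by consul-template before nginx reads it: the {{ ... }} spans are
# Go template directives evaluated against the Consul service catalogue. The
# "api_hosts" upstream and the /api location are emitted only when at least
# one "api" service instance is registered; the static site is served always.
#
# Trust model (as configured below):
#   * port 80 only redirects to HTTPS;
#   * port 443 requires mutual TLS (client certificate chained to ca.crt);
#   * the verified client DN is forwarded to the API upstream as X-Client-Dn,
#     so the upstream may treat that header as authenticated identity ONLY
#     when it is reachable exclusively through this proxy.

user nginx;
worker_processes 1;
# Stay in the foreground (container / supervisor managed process).
daemon off;

# Enables the use of JIT for regular expressions to speed-up their processing.
pcre_jit on;

# Configures default error logger.
error_log /var/log/nginx/error.log warn;

pid /var/run/nginx.pid;

# Includes files with directives to load dynamic modules.
include /etc/nginx/modules/*.conf;

events {
    # The maximum number of simultaneous connections that can be opened by
    # a worker process.
    worker_connections 1024;
}

http {
    index index.html index.htm;

    # Plain-HTTP listener: every request is redirected to HTTPS.
    server {
        server_name _;
        listen 80;
        listen [::]:80;

        # $request_uri already carries the original query string, so a plain
        # return is equivalent to the old "rewrite ^ ...$request_uri? permanent".
        #
        # NOTE(review): $host comes from the client's Host header, so this
        # catch-all redirects to whatever hostname the client supplied. That is
        # the usual single-site container pattern, but if this instance must
        # only ever answer for one name, hard-code that name here instead.
        location / {
            return 301 https://$host$request_uri;
        }
    }

    {{ if service "api" }}
    # One upstream entry per registered "api" instance (Consul address:port).
    upstream api_hosts {
        {{range service "api"}}
        server {{.Address}}:{{.Port}};
        {{end}}
    }
    {{ end }}

    # HTTPS listener: static SPA bundle plus (optionally) the /api proxy.
    server {
        listen 443 ssl;
        listen [::]:443 ssl;

        root /opt/app/package/build;

        ssl_certificate /etc/nginx/certs/server/server.crt;
        ssl_certificate_key /etc/nginx/certs/server/server.key;

        # Mutual TLS: a client certificate chaining to ca.crt is mandatory for
        # every request on this listener, including static assets.
        ssl_client_certificate /etc/nginx/certs/ca/ca.crt;
        ssl_verify_client on;

        ssl_session_timeout 1d;
        # Stateless session tickets are encrypted with a key nginx generates at
        # startup and never rotates; keep resumption state server-side in the
        # shared cache (configured at http level) instead.
        ssl_session_tickets off;

        # TLS 1.1 is deprecated (RFC 8996) and has no AEAD suites, so it is
        # dropped. TLSv1.3 is accepted by nginx >= 1.13.0 and used when the
        # linked OpenSSL supports it; remove it if the image ships an older nginx.
        ssl_protocols TLSv1.2 TLSv1.3;

        # TLS 1.2 suites: ECDHE key exchange with AEAD ciphers only. The old
        # list also offered CBC/SHA-1 suites and DHE suites that, with
        # ssl_dhparam left unset, either fall back to a weak built-in group
        # (old nginx) or are silently unusable (nginx >= 1.11.0). The
        # CHACHA20 entries are ignored by OpenSSL builds that lack them.
        ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';

        # HTTP is already redirected to HTTPS, so tell browsers to stop trying
        # it; "always" also emits the header on error responses. add_header
        # directives are inherited by a location only if that location sets no
        # add_header of its own - none below do, so these apply everywhere.
        add_header Strict-Transport-Security "max-age=31536000" always;
        add_header X-Content-Type-Options nosniff always;

        # Single-page app: unknown paths fall through to the client-side router.
        location / {
            try_files $uri /index.html;
        }

        {{ if service "api" }}
        location /api {
            # Strip the leading /api/ before proxying. The pattern is anchored
            # so that only the prefix is rewritten; the previous unanchored
            # "/api/(.*)" also matched "/api/" appearing later in the path.
            # A bare "/api" (no trailing slash) is not rewritten and is
            # proxied unchanged, as before.
            rewrite ^/api/(.*)$ /$1 break;
            proxy_pass http://api_hosts;
            proxy_redirect off;
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # The upstream speaks plain HTTP; tell it the client-facing scheme.
            proxy_set_header X-Forwarded-Proto https;
            # Verified mTLS subject DN. proxy_set_header replaces any
            # X-Client-Dn the client itself sent, so the upstream never sees a
            # client-controlled value in this header.
            proxy_set_header X-Client-Dn $ssl_client_s_dn;
        }
        {{ end }}
    }

    # Includes mapping of file name extensions to MIME types of responses
    # and defines the default type.
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Name servers used to resolve names of upstream servers into addresses.
    # It's also needed when using tcpsocket and udpsocket in Lua modules.
    #resolver 208.67.222.222 208.67.220.220;

    # Don't tell nginx version to clients.
    server_tokens off;

    # Specifies the maximum accepted body size of a client request, as
    # indicated by the request header Content-Length. If the stated content
    # length is greater than this size, then the client receives the HTTP
    # error code 413. Set to 0 to disable.
    client_max_body_size 1m;

    # Timeout for keep-alive connections. Server will close connections after
    # this time.
    keepalive_timeout 65;

    # Sendfile copies data between one FD and other from within the kernel,
    # which is more efficient than read() + write().
    sendfile on;

    # Don't buffer data-sends (disable Nagle algorithm).
    # Good for sending frequent small bursts of data in real time.
    tcp_nodelay on;

    # Causes nginx to attempt to send its HTTP response head in one packet,
    # instead of using partial frames.
    #tcp_nopush on;

    # Path of the file with Diffie-Hellman parameters for EDH ciphers.
    # Not required while the cipher list above is ECDHE-only; generate and
    # enable it before adding any DHE suites back.
    #ssl_dhparam /etc/ssl/nginx/dh2048.pem;

    # Specifies that our cipher suites should be preferred over client ciphers.
    # (http-level ssl_* directives are merged into the server blocks at
    # configuration load time regardless of their textual position.)
    ssl_prefer_server_ciphers on;

    # Enables a shared SSL cache with size that can hold around 8000 sessions.
    ssl_session_cache shared:SSL:2m;

    # Enable gzipping of responses.
    #gzip on;

    # Set the Vary HTTP header as defined in the RFC 2616.
    gzip_vary on;

    # Enable checking the existence of precompressed files.
    #gzip_static on;

    # Specifies the main log format.
    # NOTE(review): consider appending "$ssl_client_s_dn" so the access log
    # records which mTLS identity made each request; kept unchanged here so
    # existing log consumers are not broken.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    # Sets the path, format, and configuration for a buffered log write.
    access_log /var/log/nginx/access.log main;

    # Includes virtual hosts configs.
    # include /etc/nginx/conf.d/*.conf;
}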