# HTTPS-enabled nginx configuration (Beta).
#
# Functionally identical to nginx.conf, with TLS termination on port 3000
# using a self-signed certificate generated at container startup by
# entrypoint.sh / src/system/https_certs.py. Selected by the entrypoint
# when the user has enabled "HTTPS (Beta)".
#
# Cert files are mounted from /app/data/certs/ so they persist across
# container rebuilds via the existing ./data bind mount.
# PID file is written under /var/lib/nginx, next to the temp paths configured
# in the http block.
pid /var/lib/nginx/nginx.pid;
# Connection handling: each worker process may hold up to 1024 simultaneous
# connections (client and upstream connections both count).
events {
worker_connections 1024;
}
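# HTTP context: shared MIME, logging and compression settings, plus the single
# TLS-terminating server on port 3000 that serves the built web client and
# proxies /api/ to the backend on 127.0.0.1:8000.
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Temp paths for appuser
    client_body_temp_path /var/lib/nginx/body 1 2;
    proxy_temp_path /var/lib/nginx/tmp;

    # Logging
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    # Performance optimizations
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;

    # Gzip compression
    # NOTE(review): "gzip_proxied any" also compresses proxied API responses,
    # which are now served over TLS. If any response echoes request data next
    # to a secret, review it for BREACH-style compression side channels.
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_types text/plain text/css text/xml text/javascript
               application/json application/javascript application/xml+rss
               application/rss+xml font/truetype font/opentype
               application/vnd.ms-fontobject image/svg+xml;

    server {
        # TLS listeners on IPv4 and IPv6. This file defines no plain-HTTP
        # listener, so there is no redirect from http:// to https://.
        listen 3000 ssl;
        listen [::]:3000 ssl;
        # Standalone "http2" directive; requires nginx 1.25.1 or newer.
        http2 on;
        # Only server block in this file, so it answers for every Host value.
        server_name _;

        # Self-signed certificate and private key (see the header comment).
        # NOTE(review): the key lives under the bind-mounted data directory;
        # confirm the generator writes it readable by the nginx user only.
        ssl_certificate /app/data/certs/fiestaboard.crt;
        ssl_certificate_key /app/data/certs/fiestaboard.key;

        # TLS 1.2 and 1.3 only. No ssl_ciphers is set here, so nginx's
        # built-in default cipher list applies.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers off;
        # Resumption uses the shared server-side cache; session tickets are off.
        ssl_session_cache shared:SSL:5m;
        ssl_session_timeout 1d;
        ssl_session_tickets off;

        # Server-level snippets; their contents are not visible in this file.
        include /etc/nginx/fiestaboard/*.conf;

        # Baseline response headers. nginx inherits add_header from this level
        # only into locations that declare no add_header of their own, so each
        # location below that sets Cache-Control repeats these two lines.
        # NOTE(review): the same rule applies to any add_header placed in the
        # included snippets (server-level or location-root) - verify them.
        # NOTE(review): X-XSS-Protection is a legacy header that current
        # browsers ignore; a Content-Security-Policy is the effective control.
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;

        # Replace upstream 502/503/504 responses with the static startup page.
        proxy_intercept_errors on;
        error_page 502 503 504 /starting.html;

        # Reachable only through the internal error_page redirect above.
        location = /starting.html {
            root /app/static;
            internal;
        }

        # Proxied to the backend without the /api prefix rewrite used below.
        # Prefix match: any URI that starts with "/api/mcp" lands here.
        location /api/mcp {
            error_page 502 503 504 = @api_starting;
            proxy_pass http://127.0.0.1:8000;
            proxy_http_version 1.1;
            # $host reflects the client-supplied Host header.
            proxy_set_header Host $host;
            # X-Real-IP is overwritten with the peer address; X-Forwarded-For
            # is appended to whatever the client sent, so only its last entry
            # is set by this proxy.
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_connect_timeout 10s;
            proxy_send_timeout 30s;
            proxy_read_timeout 60s;
        }

        # General API proxy: strips the leading "/api" before forwarding.
        location /api/ {
            error_page 502 503 504 = @api_starting;
            rewrite ^/api(.*)$ $1 break;
            proxy_pass http://127.0.0.1:8000;
            proxy_http_version 1.1;
            # Same header handling as /api/mcp: Host is client-supplied, and
            # only the last X-Forwarded-For entry is set by this proxy.
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_connect_timeout 10s;
            proxy_send_timeout 30s;
            proxy_read_timeout 60s;
        }

        # JSON 503 for API clients while the backend is unavailable.
        location @api_starting {
            default_type application/json;
            charset utf-8;
            return 503 '{"detail":"Service is starting up, please try again shortly"}';
        }

        # Static build assets, cached for one year.
        location /assets/ {
            root /app/web/build/client;
            expires 1y;
            add_header Cache-Control "public, immutable";
            # Repeated: the add_header above stops inheritance from server level.
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-XSS-Protection "1; mode=block" always;
            try_files $uri =404;
            include /etc/nginx/fiestaboard/location-root/*.conf;
        }

        # Service worker script: never cached.
        location = /sw.js {
            root /app/web/build/client;
            add_header Cache-Control "no-cache, no-store, must-revalidate";
            # Repeated: the add_header above stops inheritance from server level.
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-XSS-Protection "1; mode=block" always;
            expires off;
            try_files $uri =404;
        }

        # Service worker registration script: never cached.
        location = /registerSW.js {
            root /app/web/build/client;
            add_header Cache-Control "no-cache, no-store, must-revalidate";
            # Repeated: the add_header above stops inheritance from server level.
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-XSS-Protection "1; mode=block" always;
            expires off;
            try_files $uri =404;
        }

        # Web app manifest, cached for one hour.
        location = /manifest.json {
            root /app/web/build/client;
            add_header Cache-Control "public, max-age=3600";
            # Repeated: the add_header above stops inheritance from server level.
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-XSS-Protection "1; mode=block" always;
            try_files $uri =404;
        }

        # Images by extension, cached for 30 days.
        # NOTE(review): a regex location wins over the plain prefix locations
        # above, so URIs such as /api/<name>.png or /assets/<name>.png are
        # served from here rather than proxied or cached for one year.
        # Confirm that is intended.
        location ~* \.(jpg|jpeg|png|gif|ico|svg|webp)$ {
            root /app/web/build/client;
            expires 30d;
            add_header Cache-Control "public, immutable";
            # Repeated: the add_header above stops inheritance from server level.
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-XSS-Protection "1; mode=block" always;
            try_files $uri =404;
        }

        # SPA history fallback. See nginx.conf for the architecture.
        # No add_header is declared here, so the server-level headers are
        # inherited unless the included snippet declares one of its own.
        location / {
            root /app/web/build/client;
            try_files $uri $uri/ /index.html;
            include /etc/nginx/fiestaboard/location-root/*.conf;
        }
    }
}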