- Updated docker-compose.yml to define services for the Astro SSR application and Nginx reverse proxy, including health checks and environment variables.
- Modified Dockerfile to implement a multi-stage build process, optimizing dependency installation and production setup.
- Enhanced nginx.conf with improved proxy settings, security headers, and caching strategies for static assets, ensuring better performance and security.
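# Reverse-proxy configuration: nginx listens on port 80 and forwards requests
# to the Node.js server reachable as web:3000.

# One worker process per available CPU core.
worker_processes auto;

events {
    # Upper bound on simultaneous connections per worker process.
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Do not advertise the nginx version in the Server header or on error pages.
    server_tokens off;

    # Logging
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    # Gzip compression
    # NOTE(review): proxied responses are compressed as well (gzip_proxied any).
    # If the application ever returns a secret (for example a CSRF token) in
    # the same body as request-controlled text over HTTPS, review those
    # responses for BREACH-style exposure and exclude them from compression.
    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_min_length 1000;
    gzip_types
        text/plain
        text/css
        application/json
        application/javascript
        application/x-javascript
        text/xml
        application/xml
        application/xml+rss
        text/javascript
        image/svg+xml
        font/woff2;

    # Forward "Connection: upgrade" only when the client actually asked for a
    # protocol upgrade. For ordinary requests the value is empty, so no
    # Connection header is sent upstream and the keepalive pool declared in
    # the upstream block can reuse its connections.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ""      "";
    }

    # Upstream to Node.js server
    upstream nodejs_backend {
        server web:3000;
        # Idle upstream connections kept open per worker for reuse.
        keepalive 64;
    }

    server {
        # NOTE(review): this is the only server block on port 80, so nginx also
        # uses it as the default server: a request carrying any other Host
        # header is proxied too, and $host (forwarded below as Host and
        # X-Forwarded-Host) then holds that client-chosen value. If the
        # application builds absolute URLs from those headers, add a catch-all
        # default_server that rejects unknown hosts, after checking which
        # hostname the container health check uses.
        listen 80;
        server_name 365devnet.eu www.365devnet.eu;

        # Security headers (applied at proxy level)
        # nginx passes these down only to locations that declare no add_header
        # of their own; a location with its own add_header must repeat them.
        # NOTE(review): browsers honour Strict-Transport-Security only on HTTPS
        # responses and this server speaks plain HTTP. Confirm that TLS is
        # terminated in front of this container before relying on it;
        # "includeSubDomains; preload" commits every subdomain to HTTPS.
        # NOTE(review): no X-Frame-Options or CSP frame-ancestors is set here;
        # confirm the application sends its own.
        add_header X-Content-Type-Options "nosniff" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
        add_header Permissions-Policy "geolocation=(), camera=(), microphone=(), interest-cohort=()" always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

        # Client body size limit
        client_max_body_size 10M;

        # Proxy settings for Node.js
        location / {
            proxy_pass http://nodejs_backend;
            proxy_http_version 1.1;

            # WebSocket support (for HMR if needed)
            # Connection comes from the map above, so it is "upgrade" only on
            # requests that carry an Upgrade header.
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;

            # Standard proxy headers
            # X-Real-IP is the peer address nginx saw. X-Forwarded-For appends
            # that address to whatever the client sent, so the application
            # should trust only the last entry, never the leading ones.
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Port $server_port;

            # Timeouts
            proxy_connect_timeout 60s;
            proxy_send_timeout 60s;
            proxy_read_timeout 60s;

            # Buffering
            proxy_buffering on;
            proxy_buffer_size 4k;
            proxy_buffers 8 4k;
            proxy_busy_buffers_size 8k;
        }

        # Block hidden and sensitive files
        # Regex locations are tried in file order and the first match wins, so
        # this rule sits before the static-asset rule: a dot-path below
        # /_astro/ is denied instead of being proxied.
        location ~ /\.(?!well-known).* {
            deny all;
        }

        # Cache static assets aggressively
        location ~* ^/_astro/.+\.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
            proxy_pass http://nodejs_backend;
            proxy_http_version 1.1;
            proxy_set_header Host $host;

            # Cache for 1 year (immutable)
            expires 365d;
            add_header Cache-Control "public, immutable";

            # The add_header above switches off inheritance of the server-level
            # headers for this location, so they are repeated here; without
            # them asset responses would go out without nosniff and HSTS.
            add_header X-Content-Type-Options "nosniff" always;
            add_header Referrer-Policy "strict-origin-when-cross-origin" always;
            add_header Permissions-Policy "geolocation=(), camera=(), microphone=(), interest-cohort=()" always;
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

            access_log off;
        }

        # Health check endpoint
        location /health {
            proxy_pass http://nodejs_backend;
            access_log off;
        }
    }

    # SSL configuration (uncomment when you have certificates)
    # NOTE(review): once this block is enabled, the port-80 server should only
    # redirect to https://. The cipher string below still admits CBC and
    # non-forward-secret suites under TLS 1.2; replace it with a current
    # recommended profile when enabling TLS.
    # server {
    #     listen 443 ssl http2;
    #     server_name 365devnet.eu www.365devnet.eu;
    #
    #     ssl_certificate /etc/nginx/ssl/cert.pem;
    #     ssl_certificate_key /etc/nginx/ssl/key.pem;
    #     ssl_protocols TLSv1.2 TLSv1.3;
    #     ssl_ciphers HIGH:!aNULL:!MD5;
    #     ssl_prefer_server_ciphers on;
    #
    #     # Rest of the configuration same as port 80
    #     # ... (copy from above)
    # }

    # Redirect www to non-www (optional)
    # NOTE(review): the target below is http://; after TLS is enabled it should
    # be https://, otherwise the redirect contradicts the HSTS header above.
    # server {
    #     listen 80;
    #     server_name www.365devnet.eu;
    #     return 301 http://365devnet.eu$request_uri;
    # }
}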