nginx.conf

# This configuration was created and is maintained by Mark Robinson (https://github.com/robinm8)

worker_processes  auto;
pcre_jit on;
user  nginx;

events {
    worker_connections  2048;
    multi_accept        on;
    use                 epoll;
}

http {

    upstream core {
        server core:4100;
        keepalive 64;
    }

    upstream users {
        server users:4400;
        keepalive 64;
    }

    proxy_cache_path /etc/nginx/cache levels=1:2 keys_zone=STATIC:10m inactive=24h max_size=1g;

    limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
    limit_conn limit_per_ip 128;
    limit_req_zone $binary_remote_addr zone=allips:10m rate=150r/s;
    limit_req zone=allips burst=150 nodelay;

    server {
        listen 80 default_server;

        charset utf-8;

        # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl http2 deferred default_server;

        charset utf-8;

        ssl_certificate_key /etc/ssl/yacs/privkey.pem;
        ssl_certificate     /etc/ssl/yacs/fullchain.pem;
        ssl_trusted_certificate /etc/ssl/yacs/chain.pem;

        ssl_session_tickets off;
        ssl_session_cache shared:SSL:32m;
        ssl_buffer_size 8k;
        ssl_session_timeout  60m;

        ssl_stapling on;
        ssl_stapling_verify on;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

        ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;

        ssl_prefer_server_ciphers  on;
        ssl_ecdh_curve secp384r1;

        # ssl_dhparam /etc/ssl/yacs/dhparam.pem;

        location @app {
            proxy_pass https://core;
            proxy_set_header       Host $host;

            proxy_cache            STATIC;
            proxy_cache_valid      200  1d;
            proxy_cache_use_stale  error timeout invalid_header updating http_500 http_502 http_503 http_504;
            proxy_cache_lock on;
            proxy_cache_revalidate on;
            proxy_cache_min_uses 3;

            # add_header X-Cache-Status $upstream_cache_status;

            add_header Access-Control-Allow-Origin *;
            add_header X-Frame-Options DENY;
            # add_header X-Content-Type-Options nosniff;
            # add_header X-XSS-Protection "1; mode=block";
            add_header Content-Security-Policy "default-src 'none'; connect-src 'self'; script-src 'self' 'unsafe-inline' https://www.google-analytics.com https://js-agent.newrelic.com https://bam.nr-data.net; style-src 'self'; img-src 'self' *.githubusercontent.com https://github.com https://www.google-analytics.com data:; font-src 'self' https://fonts.gstatic.com data:";

            proxy_set_header Host $http_host;
            proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header    X-Real-IP        $remote_addr;
            proxy_set_header    X-Client-Verify  SUCCESS;
            proxy_set_header    X-Client-DN      $ssl_client_s_dn;
            proxy_set_header    X-SSL-Subject    $ssl_client_s_dn;
            proxy_set_header    X-SSL-Issuer     $ssl_client_i_dn;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_read_timeout 1800;
            proxy_connect_timeout 1800;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_buffering off;
            proxy_redirect off;
        }

        location @app_users {
            proxy_pass https://users;
            # proxy_set_header       Host $host;

            proxy_cache            off;
            # proxy_cache_valid      200  1d;
            # proxy_cache_use_stale  error timeout invalid_header updating http_500 http_502 http_503 http_504;
            # proxy_cache_lock on;
            # proxy_cache_revalidate on;
            # proxy_cache_min_uses 3;

            # add_header X-Cache-Status $upstream_cache_status;

            add_header Access-Control-Allow-Origin *;
            add_header X-Frame-Options DENY;
            # add_header X-Content-Type-Options nosniff;
            # add_header X-XSS-Protection "1; mode=block";
            add_header Content-Security-Policy "default-src 'none'; connect-src 'self'; script-src 'self' 'unsafe-inline' https://www.google-analytics.com https://js-agent.newrelic.com https://bam.nr-data.net; style-src 'self' https://cdnjs.cloudflare.com https://fonts.googleapis.com 'unsafe-inline' 'unsafe-eval'; img-src 'self' *.githubusercontent.com https://github.com https://www.google-analytics.com data:; font-src 'self' https://fonts.gstatic.com https://fonts.googleapis.com 'unsafe-inline' 'unsafe-eval' data:";

            proxy_set_header Host $http_host;
            proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header    X-Real-IP        $remote_addr;
            proxy_set_header    X-Client-Verify  SUCCESS;
            proxy_set_header    X-Client-DN      $ssl_client_s_dn;
            proxy_set_header    X-SSL-Subject    $ssl_client_s_dn;
            proxy_set_header    X-SSL-Issuer     $ssl_client_i_dn;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_read_timeout 1800;
            proxy_connect_timeout 1800;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_buffering off;
            proxy_redirect off;
        }

        location ~ /\. {
            deny all;
        }

        location ~* ^.+\.(rb|log)$ {
            deny all;
        }

        location / {
            expires max;
            add_header Cache-Control "public";
            add_header X-Cache-Status $upstream_cache_status;

            gzip_static on;

            root   /usr/src/app/dist-web/public;
            try_files $uri$args $uri$args/ /index.html;
            index index.html;
        }

        location /api/ {
            gzip_static on;

            try_files $uri @app;
        }

        location /users/ {
            gzip_static on;

            try_files $uri @app_users;
        }
    }

    access_log off;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    aio threads;
    keepalive_requests 200;
    keepalive_timeout 65;
    keepalive_disable msie6;
    reset_timedout_connection on;

    client_body_buffer_size 10K;
    client_header_buffer_size 1k;
    client_max_body_size 8m;
    large_client_header_buffers 2 1k;

    server_tokens off;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;

    default_type  application/octet-stream;
    include     /etc/nginx/mime.types;

    open_file_cache max=10000 inactive=30s;
    open_file_cache_valid    60s;
    open_file_cache_min_uses 2;
    open_file_cache_errors   on;

    gzip on;
    gzip_static on;
    gzip_comp_level 5;
    gzip_min_length 256;
    gzip_buffers 4 8k;
    gzip_proxied no-cache no-store private expired auth;
    gzip_types  text/plain text/css image/png image/gif image/jpeg application/x-javascript text/xml application/xml application/xml+rss text/javascript;
    gzip_vary  on;
    gzip_http_version 1.1;
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";

    # brotli on;
    # brotli_static on;
    # brotli_buffers 16 8k;
    # brotli_comp_level 6;
    # brotli_types
    #     text/css
    #     text/javascript
    #     text/xml
    #     text/plain
    #     text/x-component
    #     application/javascript
    #     application/x-javascript
    #     application/json
    #     application/xml
    #     application/rss+xml
    #     application/vnd.ms-fontobject
    #     font/truetype
    #     font/opentype
    #     image/svg+xml;
}