Nginx

Nginx [engine x] is an HTTP and reverse proxy server, a mail proxy server, and a generic TCP/UDP proxy server, originally written by Igor Sysoev. For a long time, it has been running on many heavily loaded Russian sites including Yandex, Mail.Ru, VK, and Rambler.

  • nginx:alpine
# /etc/nginx/nginx.conf

# Start NGINX configuration
worker_processes  auto;

events {
    use                 epoll;
    multi_accept        on;
    worker_connections  1024;
}

http {
    charset       utf-8;
    sendfile      on;
    tcp_nopush    on;
    tcp_nodelay   on;
    server_tokens off;
    log_not_found off;

    # Bucket size for server names hash
    server_names_hash_bucket_size 64;

    # MIME
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    # Logging
    error_log  /var/log/nginx/error.log crit;
    access_log off;

    # Timeouts
    send_timeout              2;
    keepalive_timeout         30;
    keepalive_requests        100;
    client_body_timeout       10;
    reset_timedout_connection on;

    # Max body size
    client_max_body_size 4m;

    # Cache
    open_file_cache          max=200000 inactive=20s;
    open_file_cache_valid    30s;
    open_file_cache_errors   on;
    open_file_cache_min_uses 2;

    # Gzip
    gzip            on;
    gzip_vary       on;
    gzip_disable    "msie6";
    gzip_proxied    any;
    gzip_comp_level 6;

    # File types for compress via gzip
    gzip_types  text/plain text/css application/json application/x-javascript text/xml
                application/xml application/xml+rss text/javascript application/javascript
                image/svg+xml image/gif image/png image/jpeg image/x-icon image/webp;

    # SSL
    ssl_ciphers               ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_protocols             TLSv1.2 TLSv1.3;
    ssl_session_cache         shared:SSL:10m;
    ssl_session_timeout       1d;
    ssl_session_tickets       off;
    ssl_prefer_server_ciphers off;

    # SSL root cert
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # Security headers
    add_header X-Frame-Options           "SAMEORIGIN" always;
    add_header Referrer-Policy           "no-referrer-when-downgrade" always;
    add_header X-XSS-Protection          "1; mode=block" always;
    add_header X-Content-Type-Options    "nosniff" always;
    add_header Content-Security-Policy   "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    # Load configs
    include /usr/share/nginx/modules/*.conf;
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

# /etc/nginx/conf.d/default.conf

# Config for project backend.
server {
    listen      80;
    server_name .${APP_DOMAIN};

    # Proxy settings.
    location / {
        resolver                            127.0.0.11;
        proxy_pass                          http://apiserver:5000/;
        proxy_set_header Host               $host;
        proxy_set_header X-Real-IP          $remote_addr;
        proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto  $scheme;
    }
}