NGINX configuration

Below is a sample nginx.conf configuration that can be used as a starting point for a custom configuration.

nginx.conf

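worker_processes                4;

error_log                       /var/log/nginx/error.log;

events {
    worker_connections          1024;
}

http {
    include                     mime.types;
    default_type                application/octet-stream;
    sendfile                    on;

    # No NGINX version information in the Server header or error pages
    server_tokens               off;

    # No PHP (version) information leaked from the FastCGI upstream
    fastcgi_hide_header         X-Powered-By;

    # SSL: TLS 1.3 only. With OpenSSL the TLS 1.3 suites are not chosen via
    # ssl_ciphers, so the list below only takes effect if TLSv1.2 is added
    # back. A server block that sets its own ssl_ciphers or
    # ssl_prefer_server_ciphers replaces these values for that server.
    ssl_protocols               TLSv1.3;
    ssl_ciphers                 ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers   off;

    # Compression
    # NOTE(review): compressing dynamic responses over TLS (application/json,
    # text/plain are listed below) is the precondition for BREACH-style
    # compression side channels; confirm such responses do not mix secrets
    # with client-reflected input.
    gzip                        on;
    gzip_vary                   on;
    gzip_min_length             1024;
    gzip_proxied                expired no-cache no-store private auth;
    gzip_types                  text/plain text/css text/xml text/javascript application/x-javascript application/javascript application/xml application/json;
    gzip_disable                "MSIE [1-6]\.";

    # FASTCGI
    fastcgi_keep_conn           off;
    fastcgi_connect_timeout     5s;
    fastcgi_send_timeout        60s;
    # One hour: long-running PHP requests are evidently expected. Each such
    # request holds a worker connection for the duration -- confirm intended.
    fastcgi_read_timeout        3600s;

    # POST
    client_max_body_size        256m;

    # Headers
    # "always" makes NGINX emit the header on every status code; without it
    # add_header only applies to 2xx/3xx responses, so the 50x error pages
    # were served without these headers. Any location that declares its own
    # add_header (e.g. Cache-Control in local.conf) stops inheriting this
    # whole set and must repeat the headers it needs.
    add_header                  X-Content-Type-Options nosniff always;
    # 'unsafe-inline' / 'unsafe-eval' in script-src remove most of the
    # protection CSP offers against injected script; they are kept because
    # the front end evidently requires them (the trusted-types policy names
    # point to Angular). The trusted-types directive only names the allowed
    # policies; enforcement requires "require-trusted-types-for 'script'",
    # which is not set here.
    add_header                  Content-Security-Policy "default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline'; trusted-types angular dompurify 'allow-duplicates';" always;
    # "0" disables the legacy browser XSS auditor, whose filtering introduced
    # its own information leaks; current guidance is to rely on CSP instead.
    add_header                  X-XSS-Protection "0" always;
    add_header                  X-Frame-Options "SAMEORIGIN" always;
    add_header                  Referrer-Policy "strict-origin" always;
    add_header                  Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Picks up nginx.http.conf, nginx.http2https.conf and nginx.https.conf.
    # nginx.http.conf and nginx.http2https.conf both listen on :80 for the
    # same server_name; deploy only one of them.
    include                     /etc/nginx/configs/nginx.*.conf;
}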

nginx.http.conf

# Plain-text HTTP server on port 80.
# Serves the portal directly without TLS. nginx.http2https.conf is the
# alternative that redirects to HTTPS instead; both bind :80 for the same
# server_name, so only one of the two should be installed.
server {
    server_name     localhost;
    listen          80;

    # Shared site definition (root, caching, PHP handling)
    include         /etc/nginx/configs/local.conf;
}

nginx.http2https.conf

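# HTTP -> HTTPS redirect (alternative to nginx.http.conf; both bind :80).
server {
    listen          80;
    server_name     localhost;

    # Redirect to the HTTPS server under the configured name. $server_name
    # (the first name of the server_name directive) is used rather than
    # $host so that a client-supplied Host header cannot steer the redirect
    # target; for this server_name it yields the same "localhost" as before.
    return          301 https://$server_name$request_uri;
}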

nginx.https.conf

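# HTTPS server
server {
    listen                      443 ssl;
    server_name                 localhost;

    ssl_certificate             /etc/nginx/ssl/simian_suite_portal.crt;
    # Private key: keep it readable only by the NGINX master process.
    ssl_certificate_key         /etc/nginx/ssl/simian_suite_portal.key;

    ssl_session_cache           shared:SSL:1m;
    ssl_session_timeout         5m;

    # ssl_protocols, ssl_ciphers and ssl_prefer_server_ciphers are inherited
    # from the http block in nginx.conf (TLS 1.3 only). They are deliberately
    # not repeated here: a server-level ssl_ciphers replaces the http-level
    # list entirely, and the previous override (HIGH:!aNULL:!MD5 with
    # server-preferred ordering) silently diverged from that policy.

    include                     /etc/nginx/configs/local.conf;
}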

local.conf

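root                    /var/simian_portal/public;

# Cache static frontend version content "forever" (rather, one year). The
# build version is part of the path, so a new build gets a new URL.
# NOTE: an add_header inside a location suppresses inheritance of the
# http-level add_header set from nginx.conf (CSP, HSTS, X-Frame-Options,
# ...); those headers are NOT sent for these assets unless they are
# repeated here or moved into a shared include.
location ~* ^/apps/browser-v[0-9\.]+(\-rc\d+)?-prod/.+\.(js|css|jpg|jpeg|png|gif|ico|swf|woff|woff2)$ {
    expires             1y;
    etag                off;
    if_modified_since   off;
    add_header          Pragma "public";
    add_header          Cache-Control "public, no-transform";
}

# Cache static portal content for one day (same add_header inheritance
# caveat as above).
location ~* ^/(libs|doc|css|js)/.+\.(html|svg|js|css|jpg|jpeg|png|gif|ico|swf|woff|woff2)$ {
    expires             1d;
    etag                off;
    if_modified_since   off;
    add_header          Pragma "public";
    add_header          Cache-Control "public, no-transform";
}

location / {
    index               index.html index.php;
    # Fall back to the PHP front controller; the query string is preserved.
    try_files           $uri $uri/ /index.php$is_args$args;
}

location ~ \.php$ {
    # Canonicalise .../index.php to .../ so each page has a single URL.
    if ($request_uri ~* "^(.*/)index\.php$") {
        return 301 $1;
    }

    # Only hand the request to PHP when the script exists on disk. Without
    # this, a URI that merely ends in .php but names no file can be passed
    # to an interpreter that resolves PATH_INFO (cgi.fix_pathinfo), which
    # may then execute a different file. The /index.php fallback from
    # "location /" exists under root, so it is unaffected.
    try_files           $uri =404;

    # NOTE(review): /run/docker.sock is conventionally the Docker daemon's
    # API socket, not a PHP-FPM socket. Confirm this path is the PHP FastCGI
    # listener in this deployment; handing nginx the Docker control socket
    # would not be intended.
    fastcgi_pass        unix:/run/docker.sock;
    include             fastcgi_params;
    fastcgi_index       index.php;
    fastcgi_param       SCRIPT_FILENAME $document_root$fastcgi_script_name;
}

# Redirect server error pages to the static page /50x.html.
error_page              500 502 503 504 /50x.html;
location = /50x.html {
    # "html" is resolved relative to the NGINX prefix, not to the root above.
    root                html;
}

# Deny access to .htaccess files, in case Apache's document root concurs
# with nginx's one. This only covers names starting with ".ht"; other
# dotfiles under the document root (for instance .git or .env) are still
# served unless the pattern is widened (e.g. "location ~ /\." ).
location ~ /\.ht {
    deny                all;
}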