NGINX configuration
The below is a sample nginx.conf configuration that can be used as a starting point for a custom configuration.
nginx.conf
worker_processes 4;
error_log /var/log/nginx/error.log;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
# No NGINX version information
server_tokens off;
# No PHP (version) information
fastcgi_hide_header X-Powered-By;
# SSL
ssl_protocols TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers off;
# Compression
gzip on;
gzip_vary on;
gzip_min_length 1024;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/javascript application/xml application/json;
gzip_disable "MSIE [1-6]\.";
# FASTCGI
fastcgi_keep_conn off;
fastcgi_connect_timeout 5s;
fastcgi_send_timeout 60s;
fastcgi_read_timeout 3600s;
# POST
client_max_body_size 256m;
# Headers
add_header X-Content-Type-Options nosniff;
add_header Content-Security-Policy "default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline'; trusted-types angular dompurify 'allow-duplicates';";
add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options "SAMEORIGIN";
add_header Referrer-Policy "strict-origin";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
include /etc/nginx/configs/nginx.*.conf;
}
nginx.http.conf
# HTTP server
server {
listen 80;
server_name localhost;
include /etc/nginx/configs/local.conf;
}
nginx.http2https.conf
server {
listen 80;
server_name localhost;
return 301 https://localhost$request_uri;
}
nginx.https.conf
server {
listen 443 ssl;
server_name localhost;
ssl_certificate /etc/nginx/ssl/simian_suite_portal.crt;
ssl_certificate_key /etc/nginx/ssl/simian_suite_portal.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
include /etc/nginx/configs/local.conf;
}
local.conf
root /var/simian_portal/public;
# cache static frontend version content "forever" (rather one year)
location ~* ^/apps/browser-v[0-9\.]+(\-rc\d+)?-prod/.+\.(js|css|jpg|jpeg|png|gif|ico|swf|woff|woff2)$ {
expires 1y;
etag off;
if_modified_since off;
add_header Pragma "public";
add_header Cache-Control "public, no-transform";
}
# cache static portal content for one day
location ~* ^/(libs|doc|css|js)/.+\.(html|svg|js|css|jpg|jpeg|png|gif|ico|swf|woff|woff2)$ {
expires 1d;
etag off;
if_modified_since off;
add_header Pragma "public";
add_header Cache-Control "public, no-transform";
}
location / {
index index.html index.php;
try_files $uri $uri/ /index.php$is_args$args;
}
location ~ \.php$ {
if ($request_uri ~* "^(.*/)index\.php$") {
return 301 $1;
}
fastcgi_pass unix:/run/docker.sock;
include fastcgi_params;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}
# redirect server error pages to the static page /50x.html
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
# deny access to .htaccess files, if Apache's document root concurs with nginx's one
location ~ /\.ht {
deny all;
}