Merge pull request #2499 from bookwyrm-social/nginx-prod

Updates nginx production config

nginx/production

@@ -19,52 +19,96 @@ server {
 #     return 301 https://your-domain.com$request_uri;
 }
 
-#
+
-# server {
+server {
-#     listen [::]:443 ssl http2;
+    access_log /var/log/nginx/access.log cache_log;
-#     listen 443 ssl http2;
+
-#
+    listen [::]:443 ssl http2;
-#     server_name your-domain.com;
+    listen 443 ssl http2;
-#
+
-#     client_max_body_size 3M;
+    server_name your-domain.com;
-#
+
-#     if ($host != "your-domain.com") {
+    client_max_body_size 3M;
-#         return 301 $scheme://your-domain.com$request_uri;
+
-#     }
+    if ($host != "your-domain.com") {
-#
+        return 301 $scheme://your-domain.com$request_uri;
-#     # SSL code
+    }
-#     ssl_certificate /etc/nginx/ssl/live/your-domain.com/fullchain.pem;
+
-#     ssl_certificate_key /etc/nginx/ssl/live/your-domain.com/privkey.pem;
+    # SSL code
-#
+    ssl_certificate /etc/nginx/ssl/live/your-domain.com/fullchain.pem;
-#     location ~ /.well-known/acme-challenge {
+    ssl_certificate_key /etc/nginx/ssl/live/your-domain.com/privkey.pem;
-#         allow all;
+
-#         root /var/www/certbot;
+    location ~ /.well-known/acme-challenge {
-#     }
+        allow all;
-#
+        root /var/www/certbot;
-#     location ~ ^/(login[^-/]|password-reset|resend-link|2fa-check) {
+    }
-#         limit_req zone=loginlimit;
+
-#
+    sendfile on;
-#         proxy_pass http://web;
+    tcp_nopush on;
-#         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    tcp_nodelay on;
-#         proxy_set_header Host $host;
+    keepalive_timeout 65;
-#         proxy_redirect off;
+    types_hash_max_size 2048;
-#     }
+    #include /etc/nginx/mime.types;
-#
+    #default_type application/octet-stream;
-#     location / {
+
-#         proxy_pass http://web;
+    gzip on;
-#         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    gzip_disable "msie6";
-#         proxy_set_header Host $host;
+
-#         proxy_redirect off;
+    proxy_read_timeout 1800s;
-#     }
+    chunked_transfer_encoding on;
-#
+
-#     location /images/ {
+    # store responses to anonymous users for up to 1 minute
-#         alias /app/images/;
+    proxy_cache bookwyrm_cache;
-#     }
+    proxy_cache_valid any 1m;
-#
+    add_header X-Cache-Status $upstream_cache_status;
-#     location /static/ {
+
-#         alias /app/static/;
+    # ignore the set cookie header when deciding to
-#     }
+    # store a response in the cache
-# }
+    proxy_ignore_headers Cache-Control Set-Cookie Expires;
+
+    # PUT requests always bypass the cache
+    # logged in sessions also do not populate the cache
+    # to avoid serving personal data to anonymous users
+    proxy_cache_methods GET HEAD;
+    proxy_no_cache      $cookie_sessionid;
+    proxy_cache_bypass  $cookie_sessionid;
+
+    # tell the web container the address of the outside client
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header Host $host;
+    proxy_redirect off;
+
+    location ~ ^/(login[^-/]|password-reset|resend-link|2fa-check) {
+        limit_req zone=loginlimit;
+        proxy_pass http://web;
+    }
+
+    # do not log periodic polling requests from logged in users
+    location /api/updates/ {
+        access_log off;
+        proxy_pass http://web;
+    }
+
+    location / {
+        proxy_pass http://web;
+    }
+
+    # directly serve images and static files from the
+    # bookwyrm filesystem using sendfile.
+    # make the logs quieter by not reporting these requests
+    location ~ ^/(images|static)/ {
+        root /app;
+        try_files $uri =404;
+        add_header X-Cache-Status STATIC;
+        access_log off;
+    }
+
+    # monitor the celery queues with flower, no caching enabled
+    location /flower/ {
+       proxy_pass http://flower:8888;
+       proxy_cache_bypass 1;
+    }
+}
 
 # Reverse-Proxy server
 # server {