diff --git a/nginx/production b/nginx/production index 949bc9340..cef9e315e 100644 --- a/nginx/production +++ b/nginx/production @@ -19,52 +19,96 @@ server { # return 301 https://your-domain.com$request_uri; } -# -# server { -# listen [::]:443 ssl http2; -# listen 443 ssl http2; -# -# server_name your-domain.com; -# -# client_max_body_size 3M; -# -# if ($host != "your-domain.com") { -# return 301 $scheme://your-domain.com$request_uri; -# } -# -# # SSL code -# ssl_certificate /etc/nginx/ssl/live/your-domain.com/fullchain.pem; -# ssl_certificate_key /etc/nginx/ssl/live/your-domain.com/privkey.pem; -# -# location ~ /.well-known/acme-challenge { -# allow all; -# root /var/www/certbot; -# } -# -# location ~ ^/(login[^-/]|password-reset|resend-link|2fa-check) { -# limit_req zone=loginlimit; -# -# proxy_pass http://web; -# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; -# proxy_set_header Host $host; -# proxy_redirect off; -# } -# -# location / { -# proxy_pass http://web; -# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; -# proxy_set_header Host $host; -# proxy_redirect off; -# } -# -# location /images/ { -# alias /app/images/; -# } -# -# location /static/ { -# alias /app/static/; -# } -# } + +server { + access_log /var/log/nginx/access.log cache_log; + + listen [::]:443 ssl http2; + listen 443 ssl http2; + + server_name your-domain.com; + + client_max_body_size 3M; + + if ($host != "your-domain.com") { + return 301 $scheme://your-domain.com$request_uri; + } + + # SSL code + ssl_certificate /etc/nginx/ssl/live/your-domain.com/fullchain.pem; + ssl_certificate_key /etc/nginx/ssl/live/your-domain.com/privkey.pem; + + location ~ /.well-known/acme-challenge { + allow all; + root /var/www/certbot; + } + + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + #include /etc/nginx/mime.types; + #default_type application/octet-stream; + + gzip on; + gzip_disable "msie6"; + + proxy_read_timeout 1800s; + chunked_transfer_encoding on; + + # store responses to anonymous users for up to 1 minute + proxy_cache bookwyrm_cache; + proxy_cache_valid any 1m; + add_header X-Cache-Status $upstream_cache_status; + + # ignore the set cookie header when deciding to + # store a response in the cache + proxy_ignore_headers Cache-Control Set-Cookie Expires; + + # PUT requests always bypass the cache + # logged in sessions also do not populate the cache + # to avoid serving personal data to anonymous users + proxy_cache_methods GET HEAD; + proxy_no_cache $cookie_sessionid; + proxy_cache_bypass $cookie_sessionid; + + # tell the web container the address of the outside client + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Host $host; + proxy_redirect off; + + location ~ ^/(login[^-/]|password-reset|resend-link|2fa-check) { + limit_req zone=loginlimit; + proxy_pass http://web; + } + + # do not log periodic polling requests from logged in users + location /api/updates/ { + access_log off; + proxy_pass http://web; + } + + location / { + proxy_pass http://web; + } + + # directly serve images and static files from the + # bookwyrm filesystem using sendfile. + # make the logs quieter by not reporting these requests + location ~ ^/(images|static)/ { + root /app; + try_files $uri =404; + add_header X-Cache-Status STATIC; + access_log off; + } + + # monitor the celery queues with flower, no caching enabled + location /flower/ { + proxy_pass http://flower:8888; + proxy_cache_bypass 1; + } +} # Reverse-Proxy server # server {