From 3a0533b7fc6104dbc81d9a1a338b4e9b4d4699d2 Mon Sep 17 00:00:00 2001
From: Mouse Reeve
Date: Sun, 11 Dec 2022 12:25:36 -0800
Subject: [PATCH] Updates nginx production config

This copies over the changes Trammell added to the development file. I also realized that I think it's fine to only commend out the https redirect, rather than commenting out the entire server block for listening on port 443? If this works it makes the file a lot easier to read.

Co-authored-by: Trammell Hudson
---
 nginx/production | 136 +++++++++++++++++++++++++++++++----------------
 1 file changed, 90 insertions(+), 46 deletions(-)

diff --git a/nginx/production b/nginx/production
index 949bc9340..cef9e315e 100644
--- a/nginx/production
+++ b/nginx/production
@@ -19,52 +19,96 @@ server {
 # return 301 https://your-domain.com$request_uri;
 }
-#
-# server {
-# listen [::]:443 ssl http2;
-# listen 443 ssl http2;
-#
-# server_name your-domain.com;
-#
-# client_max_body_size 3M;
-#
-# if ($host != "your-domain.com") {
-# return 301 $scheme://your-domain.com$request_uri;
-# }
-#
-# # SSL code
-# ssl_certificate /etc/nginx/ssl/live/your-domain.com/fullchain.pem;
-# ssl_certificate_key /etc/nginx/ssl/live/your-domain.com/privkey.pem;
-#
-# location ~ /.well-known/acme-challenge {
-# allow all;
-# root /var/www/certbot;
-# }
-#
-# location ~ ^/(login[^-/]|password-reset|resend-link|2fa-check) {
-# limit_req zone=loginlimit;
-#
-# proxy_pass http://web;
-# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-# proxy_set_header Host $host;
-# proxy_redirect off;
-# }
-#
-# location / {
-# proxy_pass http://web;
-# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-# proxy_set_header Host $host;
-# proxy_redirect off;
-# }
-#
-# location /images/ {
-# alias /app/images/;
-# }
-#
-# location /static/ {
-# alias /app/static/;
-# }
-# }
+
+server {
+ access_log /var/log/nginx/access.log cache_log;
+
+ listen [::]:443 ssl http2;
+ listen 443 ssl http2;
+
+ server_name your-domain.com;
+
+ client_max_body_size 3M;
+
+ if ($host != "your-domain.com") {
+ return 301 $scheme://your-domain.com$request_uri;
+ }
+
+ # SSL code
+ ssl_certificate /etc/nginx/ssl/live/your-domain.com/fullchain.pem;
+ ssl_certificate_key /etc/nginx/ssl/live/your-domain.com/privkey.pem;
+
+ location ~ /.well-known/acme-challenge {
+ allow all;
+ root /var/www/certbot;
+ }
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ #include /etc/nginx/mime.types;
+ #default_type application/octet-stream;
+
+ gzip on;
+ gzip_disable "msie6";
+
+ proxy_read_timeout 1800s;
+ chunked_transfer_encoding on;
+
+ # store responses to anonymous users for up to 1 minute
+ proxy_cache bookwyrm_cache;
+ proxy_cache_valid any 1m;
+ add_header X-Cache-Status $upstream_cache_status;
+
+ # ignore the set cookie header when deciding to
+ # store a response in the cache
+ proxy_ignore_headers Cache-Control Set-Cookie Expires;
+
+ # PUT requests always bypass the cache
+ # logged in sessions also do not populate the cache
+ # to avoid serving personal data to anonymous users
+ proxy_cache_methods GET HEAD;
+ proxy_no_cache $cookie_sessionid;
+ proxy_cache_bypass $cookie_sessionid;
+
+ # tell the web container the address of the outside client
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $host;
+ proxy_redirect off;
+
+ location ~ ^/(login[^-/]|password-reset|resend-link|2fa-check) {
+ limit_req zone=loginlimit;
+ proxy_pass http://web;
+ }
+
+ # do not log periodic polling requests from logged in users
+ location /api/updates/ {
+ access_log off;
+ proxy_pass http://web;
+ }
+
+ location / {
+ proxy_pass http://web;
+ }
+
+ # directly serve images and static files from the
+ # bookwyrm filesystem using sendfile.
+ # make the logs quieter by not reporting these requests
+ location ~ ^/(images|static)/ {
+ root /app;
+ try_files $uri =404;
+ add_header X-Cache-Status STATIC;
+ access_log off;
+ }
+
+ # monitor the celery queues with flower, no caching enabled
+ location /flower/ {
+ proxy_pass http://flower:8888;
+ proxy_cache_bypass 1;
+ }
+}
 # Reverse-Proxy server
 # server {
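Review bot: `proxy_ignore_headers Cache-Control Set-Cookie Expires;` in the new server block makes nginx store responses that carry a Set-Cookie header, and because ignoring the header does not strip it, the stored cookie is replayed from the cache to every cookie-less client for the next minute (`proxy_cache_valid any 1m`). Any upstream response to an anonymous GET that sets a cookie (a CSRF token or a freshly created session, if the app does that on GET — not visible from this file) would then be shared between users; dropping it from the list, `proxy_ignore_headers Cache-Control Expires;`, keeps nginx's default of not caching such responses, and since the login/password-reset regex location inherits the server-level `proxy_cache`, it should also carry `proxy_cache off;`. In the `/flower/` block the comment says "no caching enabled", but `proxy_cache_bypass 1;` only skips the cache lookup and still allows the response to be stored; `proxy_cache off;` is what actually disables caching there. That location also proxies Flower on the public hostname with no access control in nginx, so it presumably relies on Flower's own authentication — worth confirming.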