Updates nginx production config

This copies over the changes Trammell added to the development file. I
also realized that I think it's fine to only commend out the https
redirect, rather than commenting out the entire server block for
listening on port 443? If this works it makes the file a lot easier to
read.

Co-authored-by: Trammell Hudson <hudson@trmm.net>
This commit is contained in:
Mouse Reeve 2022-12-11 12:25:36 -08:00
parent a9846e7805
commit 3a0533b7fc

View file

@ -19,52 +19,96 @@ server {
# return 301 https://your-domain.com$request_uri; # return 301 https://your-domain.com$request_uri;
} }
#
# server { server {
# listen [::]:443 ssl http2; access_log /var/log/nginx/access.log cache_log;
# listen 443 ssl http2;
# listen [::]:443 ssl http2;
# server_name your-domain.com; listen 443 ssl http2;
#
# client_max_body_size 3M; server_name your-domain.com;
#
# if ($host != "your-domain.com") { client_max_body_size 3M;
# return 301 $scheme://your-domain.com$request_uri;
# } if ($host != "your-domain.com") {
# return 301 $scheme://your-domain.com$request_uri;
# # SSL code }
# ssl_certificate /etc/nginx/ssl/live/your-domain.com/fullchain.pem;
# ssl_certificate_key /etc/nginx/ssl/live/your-domain.com/privkey.pem; # SSL code
# ssl_certificate /etc/nginx/ssl/live/your-domain.com/fullchain.pem;
# location ~ /.well-known/acme-challenge { ssl_certificate_key /etc/nginx/ssl/live/your-domain.com/privkey.pem;
# allow all;
# root /var/www/certbot; location ~ /.well-known/acme-challenge {
# } allow all;
# root /var/www/certbot;
# location ~ ^/(login[^-/]|password-reset|resend-link|2fa-check) { }
# limit_req zone=loginlimit;
# sendfile on;
# proxy_pass http://web; tcp_nopush on;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; tcp_nodelay on;
# proxy_set_header Host $host; keepalive_timeout 65;
# proxy_redirect off; types_hash_max_size 2048;
# } #include /etc/nginx/mime.types;
# #default_type application/octet-stream;
# location / {
# proxy_pass http://web; gzip on;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; gzip_disable "msie6";
# proxy_set_header Host $host;
# proxy_redirect off; proxy_read_timeout 1800s;
# } chunked_transfer_encoding on;
#
# location /images/ { # store responses to anonymous users for up to 1 minute
# alias /app/images/; proxy_cache bookwyrm_cache;
# } proxy_cache_valid any 1m;
# add_header X-Cache-Status $upstream_cache_status;
# location /static/ {
# alias /app/static/; # ignore the set cookie header when deciding to
# } # store a response in the cache
# } proxy_ignore_headers Cache-Control Set-Cookie Expires;
# PUT requests always bypass the cache
# logged in sessions also do not populate the cache
# to avoid serving personal data to anonymous users
proxy_cache_methods GET HEAD;
proxy_no_cache $cookie_sessionid;
proxy_cache_bypass $cookie_sessionid;
# tell the web container the address of the outside client
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_redirect off;
location ~ ^/(login[^-/]|password-reset|resend-link|2fa-check) {
limit_req zone=loginlimit;
proxy_pass http://web;
}
# do not log periodic polling requests from logged in users
location /api/updates/ {
access_log off;
proxy_pass http://web;
}
location / {
proxy_pass http://web;
}
# directly serve images and static files from the
# bookwyrm filesystem using sendfile.
# make the logs quieter by not reporting these requests
location ~ ^/(images|static)/ {
root /app;
try_files $uri =404;
add_header X-Cache-Status STATIC;
access_log off;
}
# monitor the celery queues with flower, no caching enabled
location /flower/ {
proxy_pass http://flower:8888;
proxy_cache_bypass 1;
}
}
# Reverse-Proxy server # Reverse-Proxy server
# server { # server {