include /etc/nginx/conf.d/server_config; upstream web { server web:8000; } server { access_log /var/log/nginx/access.log cache_log; listen 80; sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 65; types_hash_max_size 2048; #include /etc/nginx/mime.types; #default_type application/octet-stream; gzip on; gzip_disable "msie6"; proxy_read_timeout 1800s; chunked_transfer_encoding on; # store responses to anonymous users for up to 1 minute proxy_cache bookwyrm_cache; proxy_cache_valid any 1m; add_header X-Cache-Status $upstream_cache_status; # ignore the set cookie header when deciding to # store a response in the cache proxy_ignore_headers Cache-Control Set-Cookie Expires; # PUT requests always bypass the cache # logged in sessions also do not populate the cache # to avoid serving personal data to anonymous users proxy_cache_methods GET HEAD; proxy_no_cache $cookie_sessionid; proxy_cache_bypass $cookie_sessionid; # tell the web container the address of the outside client proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $host; proxy_redirect off; # rate limit the login or password reset pages location ~ ^/(login[^-/]|password-reset|resend-link|2fa-check) { limit_req zone=loginlimit; proxy_pass http://web; } # do not log periodic polling requests from logged in users location /api/updates/ { access_log off; proxy_pass http://web; } # forward any cache misses or bypass to the web container location / { proxy_pass http://web; } # directly serve images and static files from the # bookwyrm filesystem using sendfile. # make the logs quieter by not reporting these requests location ~ \.(bmp|ico|jpg|jpeg|png|tif|tiff|webp)$ { root /app; try_files $uri =404; add_header X-Cache-Status STATIC; access_log off; } # block access to any non-image files from images or static location ~ ^/(images|static)/ { return 403; } # monitor the celery queues with flower, no caching enabled location /flower/ { proxy_pass http://flower:8888; proxy_cache_bypass 1; } }