docker/nginx/default.conf
upstream app {
server icare.app:3000;
}
server {
listen 80;
listen [::]:80;
server_name localhost;
return 301 https://$server_name$request_uri;
# Hide informations
server_tokens off;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name localhost;
root /nginx/public;
# Hide informations
server_tokens off;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options SAMEORIGIN;
add_header X-XSS-Protection "1; mode=block";
ssl_certificate /etc/ssl/certs/app_cert.pem;
ssl_certificate_key /etc/ssl/certs/app_key.pem;
ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
ssl_dhparam /etc/ssl/certs/app_dhparam4096.pem;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# ssl_stapling on;
# ssl_stapling_verify on;
# ssl_trusted_certificate /etc/ssl/certs/app_cert.pem;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
location @app {
proxy_pass http://app;
proxy_redirect off;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location / {
try_files $uri @app;
}
location = /favicon.ico { access_log off; log_not_found off; }
location = /robots.txt { access_log off; log_not_found off; }
location = /manifest.json { access_log off; log_not_found off; }
location ~ /\. {
deny all;
}
location ~* ^.+\.(rb|log)$ {
deny all;
}
location ~ ^/(assets|packs)/ {
gzip_static on;
expires max;
add_header Cache-Control public;
}
}