Our Personal Data Server from scratch!
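# Reverse proxy for the PDS: terminates TLS on :443, redirects :80 to HTTPS,
# and routes API / OAuth / well-known paths to `backend` and everything else
# to `frontend`.

worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 4096;
    use epoll;
    multi_accept on;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Do not advertise the exact nginx version in the Server header and on
    # error pages.
    server_tokens off;

    # $http_x_forwarded_for, $http_referer and $http_user_agent are copied from
    # the request as sent by the client. Use $remote_addr, not the logged
    # X-Forwarded-For value, when attributing a request to an address.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" '
                    'rt=$request_time uct="$upstream_connect_time" '
                    'uht="$upstream_header_time" urt="$upstream_response_time"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_types text/plain text/css text/xml application/json application/javascript
               application/xml application/xml+rss text/javascript application/activity+json;

    # TLS 1.2/1.3 only, with forward-secret AEAD suites for TLS 1.2.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    # NOTE(review): stapling needs a `resolver` so nginx can look up the OCSP
    # responder, and ssl_stapling_verify needs the issuer chain to be trusted
    # (ssl_trusted_certificate). Neither is set in this file, so stapling may
    # be silently inactive; check error.log for a stapling warning. It also
    # does nothing if the issuing CA no longer runs an OCSP responder.
    ssl_stapling on;
    ssl_stapling_verify on;

    # Send "Connection: upgrade" upstream only when the client actually asked
    # for a protocol upgrade (WebSocket). For ordinary requests the variable is
    # empty, so no Connection header is passed and the upstream keepalive pool
    # can be reused.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      '';
    }

    # The keepalive pools below only take effect when the proxying location
    # uses HTTP/1.1 and clears the Connection header, which every location in
    # this file now does.
    upstream backend {
        server tranquil-pds:3000;
        keepalive 32;
    }

    upstream frontend {
        server frontend:80;
        keepalive 16;
    }

    server {
        listen 80;
        listen [::]:80;
        # Catch-all: this block answers for any Host header.
        server_name _;

        # ACME HTTP-01 challenge files are served from disk over plain HTTP.
        location /.well-known/acme-challenge/ {
            root /var/www/acme;
        }

        # NOTE(review): $host is taken from the request, so the redirect target
        # reflects whatever Host the client sent. Pin server_name to the real
        # hostname(s), e.g. <your-pds-hostname>, if this should not answer for
        # arbitrary names.
        location / {
            return 301 https://$host$request_uri;
        }
    }

    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        http2 on;
        # Catch-all: see the NOTE on /oauth/client-metadata.json below for why
        # this matters when $host is written into response bodies.
        server_name _;

        ssl_certificate /etc/nginx/certs/fullchain.pem;
        ssl_certificate_key /etc/nginx/certs/privkey.pem;

        # NOTE(review): applies to every location in this server. Only /xrpc/
        # disables request buffering; elsewhere nginx spools the request body
        # to disk before proxying, so an unauthenticated client can make it
        # write up to this much per request. Consider a small limit here and
        # the large one only where big uploads are expected.
        client_max_body_size 10G;

        # Forwarded-address headers used throughout this server:
        #   X-Real-IP        the address nginx saw for the connection.
        #   X-Forwarded-For  the client-supplied value with $remote_addr
        #                    appended. Only the right-most entry was added by
        #                    this proxy; the backend must not trust the rest.

        # API traffic, including WebSocket upgrades. Buffering is off in both
        # directions and the timeouts are 24 h, presumably for long-lived
        # streaming connections.
        location /xrpc/ {
            proxy_pass http://backend;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_read_timeout 86400;
            proxy_send_timeout 86400;
            proxy_buffering off;
            proxy_request_buffering off;
        }

        # OAuth client metadata is served by the frontend as a template; the
        # placeholder is replaced with the requested host name. Accept-Encoding
        # is cleared so the upstream body arrives uncompressed and sub_filter
        # can rewrite it.
        # NOTE(review): with `server_name _` the substituted value is whatever
        # Host the client sent. If any shared cache or CDN sits in front of
        # this server, a response generated for a forged Host could be served
        # to other clients. Restricting server_name to the real hostname(s)
        # removes that dependency.
        location = /oauth/client-metadata.json {
            proxy_pass http://frontend;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_set_header Accept-Encoding "";
            sub_filter_once off;
            sub_filter_types application/json;
            sub_filter '__PDS_HOSTNAME__' $host;
        }

        location /oauth/ {
            proxy_pass http://backend;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_read_timeout 300;
            proxy_send_timeout 300;
        }

        location /.well-known/ {
            proxy_pass http://backend;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        # Metrics can reveal internal state (request volumes, error rates,
        # route names), and nothing else in this file limits who may read
        # them. Access is restricted to loopback and private address ranges;
        # adjust the list to wherever the scraper actually runs.
        # This is only meaningful if $remote_addr is the real client address.
        # Behind a NAT or userland port proxy every client can appear to come
        # from a private address.
        location = /metrics {
            allow 127.0.0.1;
            allow ::1;
            allow 10.0.0.0/8;
            allow 172.16.0.0/12;
            allow 192.168.0.0/16;
            allow fc00::/7;
            deny all;

            proxy_pass http://backend;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        location = /health {
            proxy_pass http://backend;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
        }

        location = /robots.txt {
            proxy_pass http://backend;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
        }

        location = /logo {
            proxy_pass http://backend;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
        }

        # Per-user DID documents: exactly one path segment between /u/ and
        # /did.json.
        location ~ ^/u/[^/]+/did\.json$ {
            proxy_pass http://backend;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        # Everything not matched above is served by the web frontend.
        location / {
            proxy_pass http://frontend;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}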