139 lines
5.4 KiB
Nginx Configuration File
139 lines
5.4 KiB
Nginx Configuration File
upstream backend_app {
|
||
server 127.0.0.1:13200;
|
||
keepalive 32;
|
||
}
|
||
|
||
upstream frontend_web {
|
||
server 127.0.0.1:13300;
|
||
keepalive 16;
|
||
}
|
||
|
||
# Access log format including request id
|
||
log_format reqid '$time_iso8601 [$req_id] $remote_addr "$request" $status $body_bytes_sent $request_time "$http_referer" "$http_user_agent"';
|
||
|
||
# Correlate/propagate request id; if client sent X-Request-Id use it, otherwise generate
|
||
map $http_x_request_id $req_id {
|
||
default $http_x_request_id;
|
||
"" $request_id;
|
||
}
|
||
|
||
map $http_upgrade $connection_upgrade {
|
||
default upgrade;
|
||
'' close;
|
||
}
|
||
|
||
server {
|
||
listen 80;
|
||
server_name my-public-node-8.projscale.dev;
|
||
# Emit request id even on redirects
|
||
add_header X-Request-Id $req_id always;
|
||
return 301 https://$host$request_uri;
|
||
}
|
||
|
||
server {
|
||
listen 443 ssl http2;
|
||
server_name my-public-node-8.projscale.dev;
|
||
# Access log with request id
|
||
access_log /var/log/nginx/access.log reqid;
|
||
|
||
# SSL configuration (valid certs)
|
||
ssl_certificate /etc/letsencrypt/live/my-public-node-8.projscale.dev/fullchain.pem;
|
||
ssl_certificate_key /etc/letsencrypt/live/my-public-node-8.projscale.dev/privkey.pem;
|
||
ssl_protocols TLSv1.2 TLSv1.3;
|
||
ssl_prefer_server_ciphers on;
|
||
ssl_session_cache shared:SSL:10m;
|
||
ssl_session_timeout 1d;
|
||
ssl_session_tickets off;
|
||
# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; # enable after confirming HTTPS only
|
||
|
||
# Общие параметры для стабильности и больших файлов
|
||
client_max_body_size 10G;
|
||
client_body_timeout 300s;
|
||
client_header_timeout 300s;
|
||
keepalive_timeout 65s;
|
||
|
||
# Сжатие текстовых ответов
|
||
gzip on;
|
||
gzip_comp_level 5;
|
||
gzip_min_length 1024;
|
||
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml;
|
||
|
||
# Безопасные заголовки (минимальный набор) и корреляция
|
||
add_header X-Content-Type-Options nosniff always;
|
||
add_header X-Frame-Options SAMEORIGIN always;
|
||
add_header Referrer-Policy strict-origin-when-cross-origin always;
|
||
add_header X-Request-Id $req_id always;
|
||
|
||
# CORS (для API и префлайтов)
|
||
add_header Access-Control-Allow-Origin * always;
|
||
add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, PATCH, HEAD" always;
|
||
add_header Access-Control-Allow-Headers "Origin, Cache-Control, Content-Type, Accept, Authorization, Referer, User-Agent, Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site, Tus-Resumable, tus-resumable, Upload-Length, upload-length, Upload-Offset, upload-offset, Upload-Metadata, upload-metadata, Upload-Defer-Length, upload-defer-length, Upload-Concat, upload-concat, x-file-name, x-last-chunk, x-chunk-start, x-upload-id, x-request-id" always;
|
||
|
||
# Быстрая обработка preflight (если бэкенд недоступен)
|
||
if ($request_method = OPTIONS) { return 204; }
|
||
|
||
# Статика фронтенда (SPA)
|
||
location / {
|
||
proxy_pass http://frontend_web;
|
||
proxy_http_version 1.1;
|
||
proxy_set_header Connection "";
|
||
proxy_set_header Host $host;
|
||
proxy_set_header X-Real-IP $remote_addr;
|
||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||
proxy_set_header X-Forwarded-Proto $scheme;
|
||
proxy_set_header X-Request-Id $req_id;
|
||
proxy_read_timeout 60s;
|
||
}
|
||
|
||
# Агрессивное кеширование хешированных ассетов (Vite кладет их в /assets)
|
||
location ^~ /assets/ {
|
||
proxy_pass http://frontend_web;
|
||
proxy_http_version 1.1;
|
||
proxy_set_header Connection "";
|
||
proxy_set_header Host $host;
|
||
proxy_set_header X-Real-IP $remote_addr;
|
||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||
proxy_set_header X-Forwarded-Proto $scheme;
|
||
proxy_set_header X-Request-Id $req_id;
|
||
proxy_read_timeout 60s;
|
||
proxy_hide_header Cache-Control;
|
||
add_header Cache-Control "public, max-age=31536000, immutable" always;
|
||
}
|
||
|
||
# API
|
||
location /api/ {
|
||
proxy_pass http://backend_app;
|
||
proxy_set_header Host $host;
|
||
proxy_set_header X-Real-IP $remote_addr;
|
||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||
proxy_set_header X-Forwarded-Proto $scheme;
|
||
proxy_set_header X-Request-Id $req_id;
|
||
|
||
# Для chunked uploads и стриминга – не буферизуем запрос/ответ
|
||
proxy_http_version 1.1;
|
||
proxy_request_buffering off;
|
||
proxy_buffering off;
|
||
proxy_max_temp_file_size 0;
|
||
proxy_set_header Connection "";
|
||
|
||
# Таймауты для больших файлов
|
||
proxy_connect_timeout 300s;
|
||
proxy_send_timeout 300s;
|
||
proxy_read_timeout 300s;
|
||
|
||
# Вебсокеты (на будущее)
|
||
proxy_set_header Upgrade $http_upgrade;
|
||
proxy_set_header Connection $connection_upgrade;
|
||
}
|
||
|
||
# Health to backend
|
||
location = /health {
|
||
proxy_pass http://backend_app/api/system.version;
|
||
proxy_set_header Host $host;
|
||
proxy_set_header X-Real-IP $remote_addr;
|
||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||
proxy_set_header X-Forwarded-Proto $scheme;
|
||
proxy_set_header X-Request-Id $req_id;
|
||
}
|
||
}
|