michael/michaelschiemer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
dd7cfd97e68385dc32795bc196414b7c7857b495
michaelschiemer/docker/nginx/default.production.conf

155 lines
4.1 KiB
Plaintext
Raw Blame History

# Production Nginx Configuration
# Based on default.conf but adapted for single-container deployment
# PHP-FPM runs in same container via Supervisor
upstream php-upstream {
server 127.0.0.1:9000;
}
# HTTP Server - Redirect to HTTPS
server {
listen 80;
listen [::]:80;
server_name _;
# Health check on HTTP
location /health {
access_log off;
return 200 "healthy\n";
add_header Content-Type text/plain;
}
# ACME Challenge for Let's Encrypt
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
root /var/www/certbot;
allow all;
}
# Redirect all other traffic to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
# HTTPS Server
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name _;
# SSL Configuration
ssl_certificate /var/www/ssl/cert.pem;
ssl_certificate_key /var/www/ssl/key.pem;
ssl_protocols TLSv1.3 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;
root /var/www/html/public;
index index.php index.html;
# Security headers
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
# Gzip
gzip on;
gzip_vary on;
gzip_types text/css application/javascript application/json image/svg+xml;
gzip_comp_level 5;
# ACME Challenge for Let's Encrypt
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
root /var/www/certbot;
allow all;
}
# Health check endpoint
location /health {
access_log off;
return 200 "healthy\n";
add_header Content-Type text/plain;
}
# Static assets with caching
location ~* \.(jpg|jpeg|png|gif|ico|svg|woff|woff2|ttf|eot)$ {
expires 1y;
add_header Cache-Control "public, immutable";
try_files $uri =404;
}
location ~* \.(css|js|map)$ {
expires 1w;
add_header Cache-Control "public, max-age=604800";
try_files $uri =404;
}
# Service Worker
location = /sw.js {
alias /var/www/html/public/sw.js;
add_header Cache-Control "no-cache, must-revalidate";
add_header Service-Worker-Allowed "/";
}
location = /js/sw-push.js {
alias /var/www/html/public/js/sw-push.js;
add_header Cache-Control "no-cache, must-revalidate";
add_header Service-Worker-Allowed "/";
add_header Content-Type "application/javascript; charset=utf-8";
}
# Main application
location / {
try_files $uri $uri/ /index.php?$query_string;
autoindex off;
}
# PHP-FPM
location ~ \.php$ {
try_files $uri =404;
include fastcgi_params;
fastcgi_pass php-upstream;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_param APP_ENV production;
fastcgi_param HTTPS on;
fastcgi_read_timeout 60s;
fastcgi_connect_timeout 60s;
fastcgi_send_timeout 60s;
fastcgi_buffer_size 128k;
fastcgi_buffers 4 256k;
fastcgi_busy_buffers_size 256k;
fastcgi_keep_conn on;
fastcgi_hide_header X-Powered-By;
}
# Deny access to hidden files
location ~ /\.(?!well-known).* {
deny all;
access_log off;
log_not_found off;
}
# Prevent PHP execution in uploads
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
# Error pages
error_page 404 /errors/404.html;
error_page 403 /errors/403.html;
error_page 500 502 503 504 /errors/50x.html;
location /errors/ {
internal;
}
server_tokens off;
}
Reference in New Issue View Git Blame Copy Permalink