arifal/sibedas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
91085e8796654d508374fbaca301db36daf15267
sibedas/docker/nginx/conf.d/reverse-proxy.conf
arifal a7f578ca3d add docker for server demo
2025-06-26 18:28:26 +07:00

137 lines
3.9 KiB
Plaintext
Raw Blame History

# Reverse Proxy Configuration for Sibedas PBG Web
# This configuration handles SSL termination and routes traffic to the appropriate containers
# Upstream for Sibedas application
upstream sibedas_backend {
server sibedas_app:9000;
keepalive 32;
}
# Rate limiting
limit_req_zone $binary_remote_addr zone=sibedas_limit:10m rate=10r/s;
# HTTP to HTTPS redirect
server {
listen 80;
server_name _;
# Redirect all HTTP traffic to HTTPS
return 301 https://$host$request_uri;
}
# HTTPS Server for Sibedas
server {
listen 443 ssl http2;
server_name sibedas.yourdomain.com; # Change this to your domain
# SSL Configuration
ssl_certificate /etc/nginx/ssl/sibedas.crt;
ssl_certificate_key /etc/nginx/ssl/sibedas.key;
# SSL Security Settings
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# Security Headers
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options DENY always;
add_header X-Content-Type-Options nosniff always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self'; frame-ancestors 'none';" always;
# Rate limiting
limit_req zone=sibedas_limit burst=20 nodelay;
# Client max body size
client_max_body_size 100M;
# Gzip compression
gzip on;
gzip_vary on;
gzip_min_length 1024;
gzip_proxied any;
gzip_comp_level 6;
gzip_types
text/plain
text/css
text/xml
text/javascript
application/json
application/javascript
application/xml+rss
application/atom+xml
image/svg+xml;
# Root directory
root /var/www/public;
index index.php index.html index.htm;
# Handle Laravel routes
location / {
try_files $uri $uri/ /index.php?$query_string;
}
# PHP-FPM configuration
location ~ \.php$ {
fastcgi_pass sibedas_backend;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
include fastcgi_params;
# FastCGI optimizations
fastcgi_buffers 16 16k;
fastcgi_buffer_size 32k;
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
}
# Static files caching
location ~* \.(jpg|jpeg|png|gif|ico|css|js|pdf|txt)$ {
expires 1y;
add_header Cache-Control "public, immutable";
access_log off;
}
# Deny access to sensitive files
location ~ /\. {
deny all;
}
location ~ /\.ht {
deny all;
}
# Health check endpoint
location /health-check {
access_log off;
return 200 "healthy\n";
add_header Content-Type text/plain;
}
# Logging
access_log /var/log/nginx/sibedas_access.log;
error_log /var/log/nginx/sibedas_error.log;
}
# Additional server blocks for other applications can be added here
# Example:
# server {
# listen 443 ssl http2;
# server_name other-app.yourdomain.com;
#
# ssl_certificate /etc/nginx/ssl/other-app.crt;
# ssl_certificate_key /etc/nginx/ssl/other-app.key;
#
# location / {
# proxy_pass http://other_app_container:port;
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto $scheme;
# }
# }
Reference in New Issue View Git Blame Copy Permalink