user nginx; error_log /var/log/nginx/error.log debug; pid /var/run/nginx.pid; worker_processes auto; worker_rlimit_nofile 33282; events { worker_connections 1024; } http { limit_req_zone $binary_remote_addr zone=ratelimit:10m rate=20r/s; include /etc/nginx/mime.types; default_type application/octet-stream; charset utf-8; sendfile on; tcp_nopush on; tcp_nodelay on; server_tokens off; types_hash_max_size 2048; {{#if compose}} resolver 127.0.0.11 ipv6=off; {{/if}} {{#if k8s}} resolver kube-dns.kube-system.svc.cluster.local valid=10s; {{/if}} # buffering client_body_buffer_size 1K; client_header_buffer_size 1k; client_max_body_size 10M; ignore_invalid_headers off; proxy_buffering off; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; map $http_upgrade $connection_upgrade { default "upgrade"; } server { listen 10000 default_server; listen [::]:10000 default_server; server_name _; client_max_body_size 1000m; ignore_invalid_headers off; proxy_buffering off; # port_in_redirect off; # Security Headers add_header X-Frame-Options SAMEORIGIN always; add_header X-Content-Type-Options nosniff always; add_header X-XSS-Protection "1; mode=block" always; add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.budi.live https://js.intercomcdn.com https://widget.intercom.io; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://fonts.googleapis.com https://rsms.me; object-src 'none'; base-uri 'self'; connect-src 'self' https://api-iam.intercom.io https://app.posthog.com wss://nexus-websocket-a.intercom.io; font-src 'self' data https://cdn.jsdelivr.net https://fonts.gstatic.com https://rsms.me; frame-src 'self'; img-src http: https: data; manifest-src 'self'; media-src 'self'; worker-src 'none';" always; # upstreams set $apps {{ apps }}; set $worker {{ worker }}; set $minio {{ minio }}; set $couchdb {{ couchdb }}; {{#if watchtower}} set $watchtower {{ watchtower }}; {{/if}} location /app { proxy_pass http://$apps:4002; rewrite ^/app/(.*)$ /$1 break; } location = / { proxy_pass http://$apps:4002; } {{#if watchtower}} location = /v1/update { proxy_pass http://$watchtower:8080; } {{/if}} location ~ ^/(builder|app_) { proxy_http_version 1.1; proxy_set_header Connection $connection_upgrade; proxy_set_header Upgrade $http_upgrade; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_pass http://$apps:4002; } location ~ ^/api/(system|admin|global)/ { proxy_pass http://$worker:4003; } location /worker/ { proxy_pass http://$worker:4003; rewrite ^/worker/(.*)$ /$1 break; } location /api/ { # calls to the API are rate limited with bursting limit_req zone=ratelimit burst=20 nodelay; # 120s timeout on API requests proxy_read_timeout 120s; proxy_connect_timeout 120s; proxy_send_timeout 120s; proxy_http_version 1.1; proxy_set_header Connection $connection_upgrade; proxy_set_header Upgrade $http_upgrade; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_pass http://$apps:4002; } location /db/ { proxy_pass http://$couchdb:5984; rewrite ^/db/(.*)$ /$1 break; } location / { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $http_host; proxy_connect_timeout 300; proxy_http_version 1.1; proxy_set_header Connection ""; chunked_transfer_encoding off; proxy_pass http://$minio:9000; } client_header_timeout 60; client_body_timeout 60; keepalive_timeout 60; # gzip gzip on; gzip_vary on; gzip_proxied any; gzip_comp_level 6; gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml; } }