aheh/PrivyDrop
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
06e8185a06a3d07ea7a02a732454c737d6ba78f9
PrivyDrop/backend/docker/Nginx/default
T
david_bai 18fad98cbd translate chinese comment into english
2025-06-21 16:56:26 +08:00

126 lines
5.8 KiB
Plaintext
Raw Blame History

server {
# Redirect HTTP to HTTPS
listen 80;
server_name YourDomain www.YourDomain;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2; # Listen on TCP port 443, supporting HTTP/2 and SSL
listen 443 quic reuseport; # Listen on UDP port 443 for QUIC and HTTP/3
# 'reuseport' allows multiple worker processes to share the same port, recommended for QUIC
# Ensure that the SSL protocol includes at least TLSv1.3, as HTTP/3 requires TLSv1.3
ssl_protocols TLSv1.3 TLSv1.2; # Make sure TLSv1.3 is at the front
# Add HTTP/3 specific headers to inform the browser that HTTP/3 is available
# Alt-Svc (Alternative Service) header
# h3=":443" indicates that HTTP/3 is available on the current domain and port 443
# ma=86400 means this information is cached for 24 hours (86400 seconds)
add_header Alt-Svc 'h3=":443"; ma=86400';
# (Optional, but recommended) Enable 0-RTT data to further reduce latency
# Requires support from both client and server
ssl_early_data on;
server_name YourDomain www.YourDomain;
# SSL Configuration
ssl_certificate path/to/your/certFile;
ssl_certificate_key path/to/your/privkeyFile;
# SSL Optimization
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# Modern Configuration
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# HSTS (Enable with caution)
# add_header Strict-Transport-Security "max-age=63072000" always;
# Define the root path of the frontend build artifacts inside the container
# !!! Important: Please modify this path to the actual path of your frontend project build inside the Nginx container !!!
set $frontend_build_root path/to/your/frontend_build_root;
# 1. Prioritize handling of Next.js core static resources (_next/static)
location /_next/static/ {
alias $frontend_build_root/.next/static/;
expires 365d; # Long-term cache
access_log off; # Disable access log for this path
add_header Cache-Control "public"; # Explicitly inform the browser that it can be cached publicly
}
# WebSocket signaling server configuration
location /socket.io/ {
proxy_pass http://localhost:3001/socket.io/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# CORS Configuration
add_header 'Access-Control-Allow-Origin' '*' always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range' always;
add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always;
# WebSocket related optimizations
proxy_read_timeout 86400; # 24h
proxy_send_timeout 86400; # 24h
proxy_connect_timeout 7d;
proxy_buffering off;
}
# Backend API address -- forward
location /api/ {
proxy_pass http://localhost:3001/api/; # Backend API address -- forward
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Modify CORS configuration, only set one Origin
add_header Access-Control-Allow-Origin "https://www.securityshare.xyz" always;
add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range" always;
add_header Access-Control-Allow-Credentials "true" always;
}
# Next.js Image Optimization Service (usually handled by the Next.js application)
location /_next/image {
proxy_pass http://localhost:3000; # Point to the Next.js application
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
# 2. Handle static files under the public directory and Next.js dynamic requests
# This location should be after specific proxies (like /api/, /socket.io/),
# but it can be before or after /_next/static/ because they match different paths.
# For clarity, we put it here.
location / {
# root points to the parent directory of the public directory, which is the root directory of the frontend build artifacts
root $frontend_build_root/public;
# Try to find files in order:
# 1. $uri: as a file in the public directory (e.g., /image.png -> $frontend_build_root/public/image.png)
# 2. $uri/: as a directory in the public directory (not typically used for Next.js public files)
# 3. @nextjs: If none of the above are found, pass the request to the Next.js application for processing
try_files $uri $uri/ @nextjs_app;
}
# Named location, used to proxy requests to the Next.js application
location @nextjs_app {
proxy_pass http://localhost:3000; # Point to the Next.js application
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_cache_bypass $http_upgrade;
}
}
Reference in New Issue View Git Blame Copy Permalink