56 lines
1.7 KiB
Plaintext
56 lines
1.7 KiB
Plaintext
# Newbury Nights — nginx reverse proxy example
|
|
#
|
|
# Camera (getUserMedia) and DeviceOrientation require a secure context,
|
|
# so the site MUST be served over HTTPS. nginx terminates TLS here and
|
|
# forwards plain HTTP to the Node app on 127.0.0.1:33033.
|
|
#
|
|
# Adjust server_name, certificate paths, and the upstream port to taste.
|
|
|
|
upstream newbury_nights {
|
|
server 127.0.0.1:33033;
|
|
keepalive 32;
|
|
}
|
|
|
|
# Redirect HTTP -> HTTPS
|
|
server {
|
|
listen 80;
|
|
listen [::]:80;
|
|
server_name newbury.example.com;
|
|
return 301 https://$host$request_uri;
|
|
}
|
|
|
|
server {
|
|
listen 443 ssl http2;
|
|
listen [::]:443 ssl http2;
|
|
server_name newbury.example.com;
|
|
|
|
# --- TLS (point these at your real certs, e.g. from certbot) ---
|
|
ssl_certificate /etc/letsencrypt/live/newbury.example.com/fullchain.pem;
|
|
ssl_certificate_key /etc/letsencrypt/live/newbury.example.com/privkey.pem;
|
|
ssl_protocols TLSv1.2 TLSv1.3;
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
# Allow uploaded ghost GIFs/images up to the app's 8MB limit (+ headroom).
|
|
client_max_body_size 10m;
|
|
|
|
# Let the Node app see it's behind TLS (so secure cookies / trust proxy work).
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Connection "";
|
|
|
|
# Cache static assets served by the app.
|
|
location ~* \.(?:css|js|gif|png|jpe?g|webp|svg|woff2?)$ {
|
|
proxy_pass http://newbury_nights;
|
|
proxy_cache_valid 200 1h;
|
|
expires 1h;
|
|
add_header Cache-Control "public";
|
|
}
|
|
|
|
location / {
|
|
proxy_pass http://newbury_nights;
|
|
}
|
|
}
|