nginx.conf
# --- Main context: process identity and layout ---
# Worker processes drop to this account; the account must exist in the image
# (created by the Dockerfile on Alpine). With the group omitted, nginx uses the
# group whose name equals the user name.
user nginx;
# Spawn one worker per available CPU core.
worker_processes auto;
# Where the master process records its PID.
pid /run/nginx.pid;
# Global error log; "warn" filters out notice/info chatter.
error_log /var/log/nginx/error.log warn;
events {
    # Ceiling on simultaneous connections per worker. This counts every
    # connection the worker holds, upstream (proxied) ones included, not only
    # client connections; total capacity is worker_processes * worker_connections.
    worker_connections 1024;
}
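http {
    # --- Content types ---
    # Standard MIME table; anything not listed is served as an opaque binary stream.
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Do not advertise the nginx version in the Server header or on error pages.
    server_tokens off;

    # --- Transport tuning ---
    # Kernel-side file sending plus TCP packet coalescing for static content.
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    # Idle keepalive client connections are closed after 65 seconds.
    keepalive_timeout 65;

    # --- Compression ---
    # gzip_proxied any also compresses the proxied /api responses, since
    # application/json is in gzip_types. Compressing a TLS response that places
    # request-reflected data next to a secret is the BREACH exposure; narrow
    # gzip_types or turn gzip off inside /api if the backend emits such responses.
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_min_length 1000;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml application/wasm;

    # --- Logging ---
    # $http_x_forwarded_for is copied verbatim from the client request; treat that
    # field as untrusted when reading the access log.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;

    # --- WebSocket upgrade helper ---
    # Derive the Connection header sent to the backend from the client's Upgrade
    # header: "upgrade" only when the client actually asks for a protocol upgrade,
    # "close" otherwise. A fixed proxy_set_header Connection 'upgrade' would hand
    # every ordinary API request an upgrade hint with no Upgrade header behind it.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    # =====================================================
    # Server Block for HTTPS (Port 443)
    # =====================================================
    server {
        # Listen on port 443 for IPv4 and IPv6 with TLS enabled
        listen 443 ssl;
        listen [::]:443 ssl; # For IPv6
        # 'localhost' matches the CN of the default self-signed certificate; adjust if needed
        server_name localhost;

        # --- TLS certificate ---
        # Self-signed pair generated by docker-entrypoint.sh
        ssl_certificate /etc/nginx/ssl/nginx-selfsigned.crt;
        ssl_certificate_key /etc/nginx/ssl/nginx-selfsigned.key;

        # --- TLS protocols and ciphers ---
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        # NOTE: the DHE-* suites below are only offered if ssl_dhparam is configured;
        # nginx 1.11.0+ ships no built-in DH parameters, so without it only the
        # ECDHE suites are negotiable. TLS 1.3 suites are not governed by this list.
        ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';

        # Shared session cache for TLS resumption
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;

        # --- Security headers ---
        # add_header is NOT inherited by a location that declares its own add_header,
        # so this set is repeated in the static-asset location below.
        # Strict-Transport-Security is deliberately absent: browsers only record HSTS
        # from a connection with no certificate errors, which a self-signed certificate
        # never satisfies. Add it once a trusted certificate is in place.
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        # Legacy header; current browsers ignore it. Kept for older engines.
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;

        # --- Frontend Static Files ---
        location / {
            # Root directory for the built frontend application
            root /apps/frontend/dist;
            index index.html;
            # Client-side routing: unknown paths fall back to the SPA entry point
            try_files $uri $uri/ /index.html;

            # Long-lived caching for static assets (index.html is not matched, so
            # the entry point itself stays revalidatable)
            location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
                expires 1y;
                add_header Cache-Control "public, immutable";
                # Re-declared here: an add_header at this level replaces, rather than
                # extends, the server-level security headers.
                add_header X-Frame-Options "SAMEORIGIN" always;
                add_header X-Content-Type-Options "nosniff" always;
                add_header X-XSS-Protection "1; mode=block" always;
                add_header Referrer-Policy "strict-origin-when-cross-origin" always;
            }
        }

        # --- Backend API Proxy ---
        # Prefix match: /api also matches paths such as /apiXYZ; use "location /api/"
        # if that widening is unwanted.
        location /api {
            # Backend service listening internally on port 8090
            proxy_pass http://127.0.0.1:8090;

            # --- Proxy Timeouts ---
            proxy_connect_timeout 60s;
            proxy_send_timeout 60s;
            proxy_read_timeout 60s;

            # --- WebSocket support ---
            # HTTP/1.1 with a Connection header derived from the client's Upgrade
            # header (see the map in the http context), so upgrades pass through
            # without tagging every ordinary request.
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;

            # --- Client identity headers ---
            proxy_set_header Host $host;
            # X-Real-IP is the peer address nginx actually saw.
            proxy_set_header X-Real-IP $remote_addr;
            # $proxy_add_x_forwarded_for appends to any X-Forwarded-For the client
            # already sent, so the backend must not trust the first entry of that list.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            # No proxy_cache is configured in this file, so this is a no-op unless
            # one is added; kept so upgrades are never served from a cache.
            proxy_cache_bypass $http_upgrade;

            # Buffer settings for large responses
            proxy_buffer_size 128k;
            proxy_buffers 4 256k;
            proxy_busy_buffers_size 256k;
        }

        # --- Custom Error Pages ---
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /usr/share/nginx/html;
            internal; # reachable only through error_page, never by direct request
        }
    }

    # =====================================================
    # Server Block for HTTP (Port 80) Redirect
    # Redirects all HTTP traffic to HTTPS
    # =====================================================
    server {
        listen 80;
        listen [::]:80; # For IPv6
        # Match the same server name as the HTTPS block
        server_name localhost;
        # Permanent (301) redirect to the HTTPS version of the requested URL.
        # This is the only server on port 80, so it answers for any Host header and
        # $host is client-controlled; pin the target (e.g. $server_name) in
        # deployments where 'localhost' is not the real public name.
        location / {
            return 301 https://$host$request_uri;
        }
    }
}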