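# Main (process-level) context.
# The listing had lost its ';' terminators and was wrapped in table-cell
# pipes; both are restored here so nginx can parse the file.

# Worker processes run with the credentials of the nginx account.
user nginx;
# One worker per available CPU core.
worker_processes auto;
# Log entries at severity "warn" and above.
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;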
|
|
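# Connection-processing settings (terminators restored).
events {
    # Upper bound on simultaneous connections per worker. Proxied requests
    # use two each: one to the client and one to the upstream.
    worker_connections 4096;
    # Linux epoll event method.
    use epoll;
    # Each worker accepts all pending connections at once instead of one per wake-up.
    multi_accept on;
}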
|
|
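# HTTP reverse proxy in front of the `api_backend` upstream.
# Changes from the listing: ';' terminators restored, correlation_id quoted
# in the log format, server_tokens disabled, and the upstream keepalive
# header added to /metrics. Everything else is as written.
http {
    include      /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Keep the nginx version out of the Server header and error pages.
    server_tokens off;

    # Access-log format. $http_x_forwarded_for and $http_x_correlation_id are
    # request headers and therefore client-controlled. nginx's default log
    # escaping rewrites '"', '\' and control characters as \xXX, so a quoted
    # field cannot be closed from the request; an unquoted field can still
    # carry spaces that read as extra key=value pairs to a log parser.
    # correlation_id is quoted for that reason, matching the upstream timing
    # fields before it.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" '
                    'rt=$request_time uct="$upstream_connect_time" '
                    'uht="$upstream_header_time" urt="$upstream_response_time" '
                    'correlation_id="$http_x_correlation_id"';

    access_log /var/log/nginx/access.log main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    keepalive_requests  1000;
    types_hash_max_size 2048;

    # Response compression. `gzip_proxied ... auth` also compresses responses
    # to requests that carry an Authorization header.
    # NOTE(review): if these responses are ever served over TLS and echo
    # request data next to secrets, compression exposes a length side channel
    # (BREACH); confirm that this is acceptable for the API's payloads.
    gzip            on;
    gzip_vary       on;
    gzip_min_length 1024;
    gzip_proxied    expired no-cache no-store private auth;
    gzip_types      text/plain text/css text/xml text/javascript application/javascript application/xml+rss application/json;

    # Per-client-address rate and connection limits (10 MB of shared state each).
    # NOTE(review): the key is the TCP peer address. If a load balancer or CDN
    # sits in front of this server, every client shares its address and
    # therefore one bucket; confirm the topology.
    limit_req_zone  $binary_remote_addr zone=api_limit:10m    rate=100r/s;
    limit_req_zone  $binary_remote_addr zone=health_limit:10m rate=10r/s;
    limit_conn_zone $binary_remote_addr zone=addr_limit:10m;

    upstream api_backend {
        least_conn;
        # Taken out of rotation for 30s after 3 failed attempts within 30s.
        server api:8000 max_fails=3 fail_timeout=30s;
        # Idle upstream connections kept open per worker. They are reused only
        # by locations that proxy with HTTP/1.1 and clear the Connection header.
        keepalive 32;
    }

    # TLS parameters: TLS 1.2 and 1.3 only, ECDHE key exchange with AES-GCM.
    # NOTE(review): the only server block in this file listens on plain port
    # 80, so these directives take effect only if a TLS listener is defined
    # elsewhere; confirm where TLS terminates.
    ssl_protocols             TLSv1.2 TLSv1.3;
    ssl_ciphers               ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    ssl_session_cache         shared:SSL:10m;
    ssl_session_timeout       10m;

    server {
        # Plain-HTTP catch-all virtual host.
        listen 80;
        server_name _;

        # Health check, proxied to the backend at 10 r/s per address with a burst of 20.
        location /health {
            limit_req zone=health_limit burst=20 nodelay;
            proxy_pass http://api_backend;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            # Appends the peer address to whatever X-Forwarded-For the client
            # sent, so only the last entry (or X-Real-IP) is set by this proxy.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_connect_timeout 5s;
            proxy_send_timeout 60s;
            proxy_read_timeout 60s;
        }

        # Metrics endpoint restricted to RFC 1918 source addresses.
        # NOTE(review): allow/deny test the TCP peer address. Behind an
        # internal load balancer or in a container network, external traffic
        # can arrive from a private address and pass this check; confirm the
        # topology. This is a prefix match, so it also covers longer paths
        # that begin with /metrics.
        location /metrics {
            allow 10.0.0.0/8;
            allow 172.16.0.0/12;
            allow 192.168.0.0/16;
            deny all;
            proxy_pass http://api_backend;
            proxy_http_version 1.1;
            # Added so this location reuses the upstream keepalive pool like
            # /health and /.
            proxy_set_header Connection "";
            proxy_set_header Host $host;
        }

        # Default API route: 100 r/s per address (burst 200) and at most 50
        # concurrent connections per address.
        location / {
            limit_req zone=api_limit burst=200 nodelay;
            limit_conn addr_limit 50;
            proxy_pass http://api_backend;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            # The client-supplied part of X-Forwarded-For is passed through;
            # see the note in /health.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            # Forwarded exactly as received from the client. The backend
            # should treat it as untrusted input (length, character set).
            proxy_set_header X-Correlation-ID $http_x_correlation_id;
            proxy_connect_timeout 10s;
            proxy_send_timeout 300s;
            proxy_read_timeout 300s;
            # Responses are passed to the client as they arrive, unbuffered.
            proxy_buffering off;
            proxy_cache off;
            proxy_redirect off;
            # Replace upstream 502/503/504 responses with the static
            # maintenance page.
            proxy_intercept_errors on;
            error_page 502 503 504 /maintenance.html;
        }

        # Reachable only through the error_page redirect above, not by direct request.
        location /maintenance.html {
            root /usr/share/nginx/html;
            internal;
        }

        # WebSocket endpoint.
        # NOTE(review): unlike /, this location has no limit_req or limit_conn,
        # and idle connections may stay open for 86400 s. Consider
        # `limit_conn addr_limit <n>;` here if per-client socket counts should
        # be bounded. X-Forwarded-Proto is also not set on this route.
        location /ws {
            proxy_pass http://api_backend;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_read_timeout 86400;
        }
    }
}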
|
|