jcloude/deployment/nginx.conf

upstream jingrow-bench-jingrow {
	server 127.0.0.1:8000 fail_timeout=0;
}

upstream jingrow-bench-socketio-server {
	server 127.0.0.1:9000 fail_timeout=0;
}



server {
	listen      80 default_server;
	server_name "";
	return      444;
}

server {
	listen 443 ssl http2 default_server;
	server_name "";

	ssl on;
	ssl_certificate /etc/letsencrypt/live/jingrow.cloud/fullchain.pem; # managed by Certbot
	ssl_certificate_key /etc/letsencrypt/live/jingrow.cloud/privkey.pem; # managed by Certbot
	include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
	ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
	ssl_stapling on;
	ssl_stapling_verify on;
	ssl_ecdh_curve secp384r1;
	return      444;
}


# setup maps

map $host $site_name_sxjfjnv {
	jcloud.jingrow.com jingrow.cloud;
	default $host;
}

# server blocks

server {

	listen 443 ssl http2;


	server_name
		jingrow.cloud
		;

	root /home/jingrow/jingrow-bench/sites;

	ssl on;
    ssl_certificate /etc/letsencrypt/live/code.jcloud.jingrow.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/code.jcloud.jingrow.com/privkey.pem; # managed by Certbot
	include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
	ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
	ssl_stapling on;
	ssl_stapling_verify on;
	ssl_ecdh_curve secp384r1;


	add_header X-Frame-Options "SAMEORIGIN";
	add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
	add_header X-Content-Type-Options nosniff;
	add_header X-XSS-Protection "1; mode=block";

	return 301 https://jcloud.jingrow.com$request_uri;
}


# http to https redirect
	server {
    if ($host = jingrow.cloud) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
		listen 80;
		server_name
			jingrow.cloud
			;

		return 301 https://$host$request_uri;
}

proxy_cache_path /var/cache/nginx/jscache levels=1:2 keys_zone=jscache:100m inactive=30d  use_temp_path=off max_size=100m;
proxy_cache_path /var/cache/nginx/assets keys_zone=assets_cache:10m loader_threshold=300 loader_files=200 max_size=200m;

server {

	listen 443 ssl http2;


	server_name
		jcloud.jingrow.com
		;

	root /home/jingrow/jingrow-bench/sites;

	ssl on;
    ssl_certificate /etc/letsencrypt/live/code.jcloud.jingrow.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/code.jcloud.jingrow.com/privkey.pem; # managed by Certbot

        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


	ssl_stapling on;
	ssl_stapling_verify on;
	ssl_ecdh_curve secp384r1;

	proxy_buffer_size 128k;
	proxy_buffers 4 256k;
	proxy_busy_buffers_size 256k;



	add_header X-Frame-Options "SAMEORIGIN";
	add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
	add_header X-Content-Type-Options nosniff;
	add_header X-XSS-Protection "1; mode=block";
	add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin";


	location /status {
		auth_basic "NGINX VTS";
		auth_basic_user_file /home/jingrow/jingrow-bench/monitoring.htpasswd;

		vhost_traffic_status_display;
		vhost_traffic_status_display_format html;
	}

	location /metrics {
		auth_basic "Prometheus";
		auth_basic_user_file /home/jingrow/jingrow-bench/monitoring.htpasswd;

		location /metrics/node {
			proxy_pass http://127.0.0.1:9100/metrics;
		}

		location /metrics/docker {
			proxy_pass http://127.0.0.1:9323/metrics;
		}

		location /metrics/cadvisor {
			proxy_pass http://127.0.0.1:9338/metrics;
		}

		location /metrics/nginx {
			vhost_traffic_status_display;
			vhost_traffic_status_display_format prometheus;
		}

		location /metrics/mariadb {
			proxy_pass http://127.0.0.1:9104/metrics;
		}

		location /metrics/gunicorn {
			proxy_pass http://127.0.0.1:9102/metrics;
		}

		location /metrics/process {
			proxy_pass http://127.0.0.1:9256/metrics;
		}

		location /metrics/rq {
			proxy_pass http://127.0.0.1:9726/metrics;
		}

		location /metrics/redis {
			proxy_pass http://127.0.0.1:9121/metrics;
		}

		location /metrics/jcloude {
			proxy_http_version 1.1;
			proxy_set_header X-Forwarded-For $remote_addr;
			proxy_set_header X-Forwarded-Proto $scheme;
			proxy_set_header X-Jingrow-Site-Name $site_name_sxjfjnv;
			proxy_set_header Host $host;
			proxy_set_header X-Use-X-Accel-Redirect True;
			proxy_read_timeout 120;
			proxy_redirect off;

			proxy_set_header Authorization ""; 
			rewrite /metrics/jcloude /metrics  break;

			proxy_pass  http://jingrow-bench-jingrow;
		}	
	}

	location /assets {
		proxy_cache assets_cache;
		proxy_cache_key $scheme$host$request_uri;
		proxy_cache_valid 200 302 10m;
		proxy_cache_valid 404 1m;
		proxy_cache_bypass $http_secret_cache_purge;
		add_header X-Cache-Status $upstream_cache_status;

		add_header Cache-Control "max-age=31536000";
		try_files $uri =404;
	}

	location ~ ^/protected/(.*) {
		internal;
		try_files /$site_name_sxjfjnv/$1 =404;
	}

	location = /js/script.js {
		proxy_pass https://analytics.jingrow.cloud/js/plausible.js;
		proxy_buffering on;

		proxy_cache jscache;
		proxy_cache_valid 200 6h;
		proxy_cache_use_stale updating error timeout invalid_header http_500;

		proxy_set_header Host analytics.jingrow.cloud;
		proxy_ssl_name analytics.jingrow.cloud;
		proxy_ssl_server_name on;
		proxy_ssl_session_reuse off;

		proxy_ssl_protocols TLSv1.3;
		proxy_hide_header Cache-Control;
		proxy_ignore_headers Cache-Control;
		add_header Cache-Control "max-age=31536000";
		add_header X-Cache-Status $upstream_cache_status;
	}

	location = /api/event {
		proxy_pass https://analytics.jingrow.cloud/api/event;
		proxy_buffering on;
		proxy_http_version 1.1;

		proxy_set_header X-Forwarded-For   $REMOTE_ADDR;
		proxy_set_header X-Forwarded-Proto $scheme;
		proxy_set_header X-Forwarded-Host  $host;

		proxy_set_header Host analytics.jingrow.cloud;
		proxy_ssl_name analytics.jingrow.cloud;
		proxy_ssl_server_name on;
		proxy_ssl_session_reuse off;

		proxy_ssl_protocols TLSv1.3;
		add_header Cache-Control "max-age=31536000";
	}

	location /socket.io {
		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection "upgrade";
		proxy_set_header X-Jingrow-Site-Name $site_name_sxjfjnv;
		proxy_set_header Origin $scheme://$http_host;
		proxy_set_header Host $host;

		proxy_pass http://jingrow-bench-socketio-server;
	}

	location = /website_script.js {
		proxy_cache assets_cache;
		proxy_cache_key $scheme$host$request_uri;
		proxy_cache_valid 200 302 10m;
		proxy_cache_valid 404 1m;
		proxy_cache_bypass $http_secret_cache_purge;

		proxy_set_header X-Forwarded-For $REMOTE_ADDR;
		proxy_set_header X-Forwarded-Proto $scheme;
		proxy_set_header X-Jingrow-Site-Name $site_name_sxjfjnv;
		proxy_set_header Host $host;
		proxy_read_timeout 120;
		proxy_redirect off;

		proxy_hide_header Set-Cookie;
		proxy_ignore_headers Set-Cookie;
		proxy_set_header Cookie "";

		add_header Cache-Control "max-age=31536000";
		proxy_pass  http://jingrow-bench-jingrow;
	}

	location ~ ^/saas/billing.* {
		proxy_cache assets_cache;
		proxy_cache_key $scheme$host$request_uri;
		proxy_cache_valid 200 302 10m;
		proxy_cache_valid 404 1m;

		proxy_ignore_headers "Set-Cookie";
		proxy_hide_header "Set-Cookie";
		proxy_set_header Cookie "";

		add_header Content-Security-Policy "frame-ancestors 'self' https://*.erpnext.com https://*.frappehr.com https://*.jingrow.cloud https://*.frappedesk.com;";
		add_header X-Cache-Status $upstream_cache_status;

		proxy_set_header X-Forwarded-For $REMOTE_ADDR;
		proxy_set_header X-Forwarded-Proto $scheme;
		proxy_set_header X-Jingrow-Site-Name $site_name_sxjfjnv;
		proxy_set_header Host $host;
		proxy_set_header X-Use-X-Accel-Redirect True;
		proxy_read_timeout 120;
		proxy_redirect off;

		proxy_pass http://jingrow-bench-jingrow;
		http2_push_preload on;
	}

	location ~ ^/dashboard/checkout* {
		proxy_cache assets_cache;
		proxy_cache_key $scheme$host$request_uri;
		proxy_cache_valid 200 302 10m;
		proxy_cache_valid 404 1m;

		proxy_ignore_headers "Set-Cookie";
		proxy_hide_header "Set-Cookie";
		proxy_set_header Cookie "";

		add_header Content-Security-Policy "frame-ancestors 'self' https://*.erpnext.com https://*.frappehr.com https://*.jingrow.cloud https://*.frappedesk.com;";
		add_header X-Cache-Status $upstream_cache_status;

		proxy_set_header X-Forwarded-For $REMOTE_ADDR;
		proxy_set_header X-Forwarded-Proto $scheme;
		proxy_set_header X-Jingrow-Site-Name $site_name_sxjfjnv;
		proxy_set_header Host $host;
		proxy_set_header X-Use-X-Accel-Redirect True;
		proxy_read_timeout 120;
		proxy_redirect off;

		proxy_pass http://jingrow-bench-jingrow;
		http2_push_preload on;
	}

	location ~ ^/dashboard/in-desk-billing* {
		proxy_cache assets_cache;
		proxy_cache_key $scheme$host$request_uri;
		proxy_cache_valid 200 302 10m;
		proxy_cache_valid 404 1m;

		proxy_ignore_headers "Set-Cookie";
		proxy_hide_header "Set-Cookie";
		proxy_set_header Cookie "";

		add_header Content-Security-Policy "frame-ancestors 'self' https://*.erpnext.com https://*.frappehr.com https://*.jingrow.cloud https://*.frappedesk.com;";
		add_header X-Cache-Status $upstream_cache_status;

		proxy_set_header X-Forwarded-For $REMOTE_ADDR;
		proxy_set_header X-Forwarded-Proto $scheme;
		proxy_set_header X-Jingrow-Site-Name $site_name_sxjfjnv;
		proxy_set_header Host $host;
		proxy_set_header X-Use-X-Accel-Redirect True;
		proxy_read_timeout 120;
		proxy_redirect off;

		proxy_pass http://jingrow-bench-jingrow;
		http2_push_preload on;
	}

	location ~ ^/api/method/jcloude.api.developer.saas.* {
		if ($request_method = 'OPTIONS') {
			add_header Access-Control-Allow-Origin "*" always;
			add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
			add_header Access-Control-Allow-Headers "x-jingrow-cmd,x-jingrow-csrf-token";
			add_header Access-Control-Max-Age 1728000;
			add_header Content-Type "text/plain; charset=utf-8";
			add_header Content-Length 0;
			return 204;
		}

		proxy_cache assets_cache;
		proxy_cache_key $scheme$host$request_uri;
		proxy_cache_valid 200 302 10m;
		proxy_cache_valid 404 1m;

		add_header Access-Control-Allow-Origin "*" always;
		add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
		add_header Access-Control-Allow-Headers "x-jingrow-cmd,x-jingrow-csrf-token";

		add_header X-Cache-Status $upstream_cache_status;

		proxy_set_header X-Forwarded-For $REMOTE_ADDR;
		proxy_set_header X-Forwarded-Proto $scheme;
		proxy_set_header X-Jingrow-Site-Name $site_name_sxjfjnv;
		proxy_set_header Host $host;
		proxy_set_header X-Use-X-Accel-Redirect True;
		proxy_read_timeout 120;
		proxy_redirect off;

		proxy_pass http://jingrow-bench-jingrow;
		http2_push_preload on;
	}

	location / {

		rewrite ^(.+)/$ $1 permanent;
		rewrite ^(.+)/index\.html$ $1 permanent;
		rewrite ^(.+)\.html$ $1 permanent;

		location ~ ^/files/.*.(png|jpe?g|gif|css|js|mp3|wav|ogg|flac|avi|mov|mp4|m4v|mkv|webm) {
			add_header Cache-Control "max-age=31536000";
			try_files /$site_name_sxjfjnv/public/$uri @webserver;
		}

		location ~* ^/files/.*.(htm|html|svg|xml) {
			add_header Cache-Control "max-age=31536000";
			add_header Content-disposition "attachment";
			try_files /$site_name_sxjfjnv/public/$uri @webserver;
		}

		try_files /$site_name_sxjfjnv/public/$uri @webserver;
	}

	location @webserver {
		proxy_http_version 1.1;
		proxy_set_header X-Forwarded-For $REMOTE_ADDR;
		proxy_set_header X-Forwarded-Proto $scheme;
		proxy_set_header X-Jingrow-Site-Name $site_name_sxjfjnv;
		proxy_set_header Host $host;
		proxy_set_header X-Use-X-Accel-Redirect True;
		proxy_read_timeout 120;
		proxy_redirect off;

		proxy_pass  http://jingrow-bench-jingrow;
		http2_push_preload on;
	}

	# error pages
	error_page 502 /502.html;
	location /502.html {
		root /home/jingrow/.pyenv/versions/3.10.0/lib/python3.10/site-packages/bench/config/templates;
		internal;
	}

	# optimizations
	sendfile on;
	keepalive_timeout 15;
	client_max_body_size 50m;
	client_body_buffer_size 16K;
	client_header_buffer_size 1k;

	# enable gzip compresion
	# based on https://mattstauffer.co/blog/enabling-gzip-on-nginx-servers-including-laravel-forge
	gzip on;
	gzip_http_version 1.1;
	gzip_comp_level 5;
	gzip_min_length 256;
	gzip_proxied any;
	gzip_vary on;
	gzip_types
		application/atom+xml
		application/javascript
		application/json
		application/rss+xml
		application/vnd.ms-fontobject
		application/x-font-ttf
		application/font-woff
		application/x-web-app-manifest+json
		application/xhtml+xml
		application/xml
		font/opentype
		image/svg+xml
		image/x-icon
		text/css
		text/plain
		text/x-component
		;
		# text/html is always compressed by HttpGzipModule
}

# http to https redirect
	server {
	if ($host = jcloud.jingrow.com) {
		return 301 https://$host$request_uri;
	} # managed by Certbot


		listen 80;
		server_name
			jcloud.jingrow.com
			;

		return 301 https://$host$request_uri;


}