phantomas/test/nginx-static.conf at 2535dd00d0e71e036ae9550585e602bf06eeeaa1 · macbre/phantomas · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
server {
    listen       80;
    server_name  localhost;

    server_tokens off;
    more_clear_headers 'X-Frame-Options';
    more_clear_headers 'X-XSS-Protection';
    more_clear_headers 'Content-Security-Policy';
    more_set_headers 'Server: nginx';

    root   /static;

    location / {
        autoindex on;

        gzip_static on;
        brotli_static on;

        expires 1d;
    }

    # no content for the favicon (the default 404 response is treated as HTML)
    location /favicon.ico {
        return 204;
    }

    # disable compresssion for a specific asset
    location /static/jquery-1.4.4.min.js {
        gzip off;
    }

    # modify the cache expiration for these URLs
    location /static/mdn-no-cache.png {
        alias /static/static/mdn.png;
        expires 0;
    }

    location /static/mdn-short-cache.png {
        alias /static/static/mdn.png;
        expires 1h;
    }

    # 4xx and 5xx error codes
    # https://httpstatuses.com/401
    location /_401 {
        return 401;
    }

    # https://httpstatuses.com/403
    location /_403 {
        return 403;
    }

    # https://httpstatuses.com/500
    location /_500 {
        return 500;
    }

}

server {
    # http/1.1 and old TLS (do not change!)
    listen       443 ssl;
    server_name  localhost;

    ssl_certificate      /etc/nginx/localhost.crt;
    ssl_certificate_key  /etc/nginx/localhost.key;
    ssl_protocols        TLSv1.2;

    root   /static;

    location / {
        autoindex on;
    }
}


server {
    # http/2
    listen 444 ssl;
    http2 on;

    server_name  localhost;

    ssl_certificate      /etc/nginx/localhost.crt;
    ssl_certificate_key  /etc/nginx/localhost.key;

    root   /static;

    location / {
        autoindex on;
    }
}


server {
    # quic and http/3
    listen 445 quic reuseport;
    # http/2 fallback
    listen 445 ssl;
    http2 on;

    server_name localhost;

    ssl_certificate      /etc/nginx/localhost.crt;
    ssl_certificate_key  /etc/nginx/localhost.key;

    # Enable all TLS versions (TLSv1.3 is required for QUIC).
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;

    # 0-RTT QUIC connection resumption
    ssl_early_data on;

    # Add Alt-Svc header to negotiate HTTP/3.
    # port 9001 is what's presented to the client (see docker compose YAML file)
    add_header alt-svc 'h3=":9001"; ma=2592000,h3-29=":9001"; ma=2592000,h3-T051=":9001"; ma=2592000,h3-Q050=":9001"; ma=2592000,h3-Q046=":9001"; ma=2592000,h3-Q043=":9001"; ma=2592000,quic=":9001"; ma=2592000; v="46,43"';
    add_header x-Http3 $http3;     # Sent when http3 was used

    root   /static;

    location / {
        autoindex on;
    }
}