Merged
19 changes: 14 additions & 5 deletions dockerfiles/nginx-prod.conf
@@ -1,10 +1,12 @@
# user nginx;
# user nginx;
worker_processes 2;
worker_rlimit_nofile 2048;
pid /var/run/nginx.pid;
daemon off;
load_module /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so;

# Main context error log
error_log /dev/stdout info;

events {
worker_connections 1024;
Expand Down Expand Up @@ -60,10 +62,16 @@ http {
# Add CloudFront source address ranges to trusted CIDR range for real ip computation
include /etc/nginx/cloudfront-ips.conf;

# logging
# HTTP context logging
access_log /dev/stdout;
error_log /dev/stdout info;

client_body_temp_path /var/lib/nginx/tmp/client_body;
proxy_temp_path /var/lib/nginx/tmp/proxy_temp;
fastcgi_temp_path /var/lib/nginx/tmp/fastcgi_temp;
uwsgi_temp_path /var/lib/nginx/tmp/uwsgi_temp;
scgi_temp_path /var/lib/nginx/tmp/scgi_temp;

# Specify a key=value format useful for machine parsing
log_format kv escape=json
'{'
Expand Down Expand Up @@ -128,8 +136,9 @@ http {
ssl_protocols TLSv1.2;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
ssl_stapling on;
ssl_stapling_verify on;
# Disable SSL stapling for self-signed certificates to avoid warnings
# ssl_stapling on;
# ssl_stapling_verify on;
resolver_timeout 5s;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
Expand Down Expand Up @@ -232,4 +241,4 @@ http {
proxy_pass https://0.0.0.0:3000;
}
}
}
}
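Review bot: The comment added above the two disabled `ssl_stapling` directives in the `@@ -128,8 +136,9 @@` hunk gives the reason but not the condition for turning stapling back on, and this is the production config. Suggest spelling that out: `# OCSP stapling is off because this listener serves a self-signed certificate (no OCSP responder); re-enable both directives if a CA-issued certificate is installed here.` Separately, the first hunk adds `error_log /dev/stdout info;` in the main context while the `http` block appears to keep the identical directive, so one of the two looks redundant and could be dropped. The `http` block starts and ends outside the visible hunks.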
9 changes: 9 additions & 0 deletions dockerfiles/nginx.Dockerfile
Expand Up @@ -8,6 +8,15 @@ COPY ./dockerfiles/nginx-prod.conf /etc/nginx/nginx.conf
COPY ./dockerfiles/status-map.conf /etc/nginx/
RUN /update-ips.sh

RUN mkdir -p /var/lib/nginx/tmp/client_body \
/var/lib/nginx/tmp/proxy_temp \
/var/lib/nginx/tmp/fastcgi_temp \
/var/lib/nginx/tmp/uwsgi_temp \
/var/lib/nginx/tmp/scgi_temp \
/var/lib/nginx/logs && \
chown -R 100:1000 /var/lib/nginx && \
chmod -R 755 /var/lib/nginx

# Generate and place SSL certificates for nginx (used only by ALB)
RUN mkdir /keys
RUN openssl req -x509 -sha256 -nodes -newkey rsa:2048 -days 1825 \
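Review bot: `chmod -R 755 /var/lib/nginx` leaves the new temp directories listable and traversable by every account in the image, and `client_body` and `proxy_temp` are where nginx spools request and upstream response bodies to disk. Unless another account needs to read them, tighten the mode to owner-only, e.g. `chmod -R 700 /var/lib/nginx`. The numeric `chown -R 100:1000` also deserves a comment naming the account it is meant to match, such as `# 100:1000 = UID:GID the nginx workers run as in this base image (confirm)`, since neither a `USER` line nor the base image is visible in this hunk. The `RUN openssl req` command that follows continues outside the hunk.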