nginx.conf.sample

# EXAMPLE NGINX.CONF - CHANGE TO FIT YOUR SITUATION

user nginx;
worker_processes auto;
daemon off;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;
    client_max_body_size 10m;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    server {
        listen 80;
        server_name <YOUR.EDUBADGES-FRONTEND.SERVER>;
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl;
        server_name <YOUR.EDUBADGES-FRONTEND.SERVER>;
        ssl_certificate <PATH-TO-CERTIFICATE-FILE>;
        ssl_certificate_key <PATH-TO-KEY-FILE>;
        ssl_protocols TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES
 !MD5 !EXP !PSK !SRP !DSS !RC4";

        gzip on;
        gzip_types      text/css application/xml image/svg+xml image/png image/jpg application/octet-stream application/javascript;
        gzip_proxied    no-cache no-store private expired auth;

        add_header X-XSS-Protection "1; mode=block";
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
        add_header Access-Control-Allow-Origin "<YOUR-DOMAIN>";
        add_header Referrer-Policy "no-referrer-when-downgrade";

        location ~  "^/(version\.txt|version\.json)$" {
          allow all;
          root opt/site;
          index index.html;
          add_header Cache-Control 'private, no-cache, no-store' always;
        }

        location ~ "^/styleguide/?" {
            allow <YOUR SUBNET>;
            index index.html;
            root opt/site;
        }

        location ~ "^/(index.html)?$" {
          add_header Cache-Control 'private, no-cache, no-store' always;
          allow all;
          index index.html;
          root /opt/site;
        }

        location ~ / {
          allow all;
          try_files $uri @no_cache;
          index index.html;
          root /opt/site;
        }

        location @no_cache {
          add_header Cache-Control 'private, no-cache, no-store' always;
          try_files $request_uri /index.html;
          root /opt/site;
          index index.html;
        }

        if ($request_method !~ ^(GET|HEAD|POST)$ ) {
           return 405;
        }
    }
}