forked from alphagov/govuk-design-system
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathnginx.conf
192 lines (151 loc) · 5.82 KB
/
nginx.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
# Unfortunately the staticfile buildpack has some limitations (e.g. it's hard to
# implement cache control because you can only add configuration to the location
# block) so we have to roll our own nginx configuration.
#
# A lot of this is based on the nginx configuration from the 'example' nginx
# buildpack [1] and the staticfile buildpack [2]
#
# [1]: https://github.com/cloudfoundry/nginx-buildpack/blob/d777ce54d4641a821d493a2d8d4661b07d53e735/fixtures/mainline/nginx.conf
# [2]: https://github.com/cloudfoundry/staticfile-buildpack/blob/05867b82df7e5f6f1155ce193a424a79693967bb/src/staticfile/finalize/data.go
worker_processes 1;
daemon off;
error_log stderr;
events { worker_connections 1024; }
http {
charset utf-8;
# Configure logging
log_format cloudfoundry 'NginxLog "$request" $status $body_bytes_sent';
access_log /dev/stdout cloudfoundry;
# MIME types and default MIME types
default_type application/octet-stream;
include nginx/mime.types;
charset_types text/xml text/plain application/javascript application/rss+xml text/css;
# Enabling sendfile eliminates copying file data into buffer and sends it
# directly
sendfile on;
# Enable gzip for text-based resources
gzip on;
gzip_disable "msie6";
gzip_comp_level 6;
gzip_min_length 1100;
gzip_buffers 16 8k;
gzip_proxied any;
gunzip on;
gzip_static always;
gzip_types
application/javascript
application/json
application/x-javascript
application/xml
application/xml+rss
image/svg+xml
image/x-icon
text/css
text/javascript
text/js
text/plain
text/xml;
gzip_vary on;
# Yeah, like, networking stuff ¯\_(ツ)_/¯
tcp_nopush on;
keepalive_timeout 30;
# Disable absolute redirects
#
# The index directive (1) used in the nginx config within the buildpack means
# that we send a 301 redirect when visiting a directory without a trailing
# slash (e.g. /design-system will redirect to /design-system/).
#
# However by default nginx will use absolute URLs – including the hostname –
# when redirecting, which means that users going to
# design-system.service.gov.uk/components will end up being redirected to our
# 'origin domain' (govuk-design-system-origin.cloudapps.digital/components/)
# which is less than ideal.
#
# Disabling absolute redirects (2) means that nginx will instead 301 to the
# relative url /design-system, which means users won't be redirected away from
# the service domain and everything is A-OK ✌️
#
# [1]: http://nginx.org/en/docs/http/ngx_http_index_module.html#index
# [2]: http://nginx.org/en/docs/http/ngx_http_core_module.html#absolute_redirect
absolute_redirect off;
# Ensure that redirects don't include the port which nginx is using inside the
# CloudFoundry container
port_in_redirect off;
# Send different expires headers depending on the content-type of the resource
# we're returning. It should be safe to cache CSS, JavaScript and fonts
# 'indefinitely' as they should include fingerprints in their filenames.
#
# Because images and videos are not fingerprinted we only cache them for 30
# minutes.
#
# The epoch parameter corresponds to the absolute time
# 'Thu, 01 Jan 1970 00:00:01 GMT'.
map $sent_http_content_type $expires {
default off;
text/html epoch;
text/css max;
text/javascript max;
application/json max;
~application/x-font max;
~application/font max;
application/vnd.ms-fontobject max;
~image/ 30m;
~video/ 30m;
}
expires $expires;
# Determine whether to use authentication based on what host the request is
# made against - 'off' is a special value that disables basic authentication
# when passed to the auth_basic directive.
map $host $auth_enabled {
hostnames;
default "Restricted";
design-system.service.gov.uk "off";
}
# Set up a server!
server {
listen {{port}} default_server;
root public;
location / {
index index.html index.htm;
# Configure error pages
error_page 404 /errors/404/index.html;
error_page 400 401 402 403 405 406 407 408 409 410 411 412 413 414 415 416 417 418 420 422 423 424 426 428 429 431 444 449 450 451 500 501 502 503 504 505 506 507 508 509 510 511 /errors/generic/index.html;
# Configure basic authentication - this is disabled on the service domain.
# See above definition of $auth_enabled using the map directive.
auth_basic $auth_enabled;
auth_basic_user_file nginx/.htpasswd;
# Redirect to the Cabinet Office's responsible disclosure policy
# https://github.com/alphagov/security.txt
location = /security.txt {
return 302 https://vdp.cabinetoffice.gov.uk/.well-known/security.txt;
}
location = /.well-known/security.txt {
return 302 https://vdp.cabinetoffice.gov.uk/.well-known/security.txt;
}
# Handle form submissions from examples that contain forms by redirecting
# them back to the referring example. This relies on form examples within
# the design system being set up to POST to `/form-handler`.
#
# If for whatever reason there is no referrer, then redirect to the
# homepage instead.
#
# Note that this will only work when deployed to CloudFoundry – Netlify
# does not use this config at all.
location /form-handler {
if ($http_referer) {
return 302 $http_referer;
}
return 302 /;
}
# Avoid serving hidden ('dot') files
location ~ /\. {
deny all;
return 404;
}
# Allow smoke tests without authentication
location /__canary__ {
auth_basic off;
}
}
}
}