A collection of NGINX snippets designed to be used for hosting multiple Node.js servers.
I use these settings behind Cloudflare to provide Full (strict) end-to-end encryption. Using a Cloudflare Origin CA certificate is the easiest way to accomplish this, although this certificate is not trusted by clients, meaning you must use a different certificate issued by a CA (such as Let's Encrypt) in order to serve traffic that does not pass through Cloudflare.
For other NGINX setups, Digital Ocean's NGINXConfig tool is a great place to start.
Base server settings that:
- Set up logging.
- Import other config files.
- Specify TLS settings.
- Provide variables for other configuration files.
Adds general security headers to all requests:
- Restrictive CORS and permissions policy
- iframe blocking
- Tracking blocking

Note: these headers include HSTS, so if you don't plan to support HTTPS on all hosted sites, now and in the future, you must remove that header.
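As an added example (not the repository's own snippet), a security-headers file of the kind described above; the exact header values are assumptions and should be tuned per site:

```nginx
# Added example, not the repository's file. Values are illustrative assumptions.
# "always" makes NGINX emit the header on error responses (4xx/5xx) too.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

# iframe blocking: the legacy header plus its modern CSP equivalent.
add_header X-Frame-Options "DENY" always;
add_header Content-Security-Policy "frame-ancestors 'none'" always;

# Restrictive cross-origin policy: only same-origin documents may embed or open this site's resources.
add_header Cross-Origin-Resource-Policy "same-origin" always;
add_header Cross-Origin-Opener-Policy "same-origin" always;

# Permissions policy: deny powerful browser features; interest-cohort=() opts out of cohort-based tracking.
add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), interest-cohort=()" always;

# Hardening headers that belong in any baseline.
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
```

One NGINX behaviour to watch: `add_header` directives are inherited from the enclosing level only if the current level sets none of its own. A `location` block that adds even a single header silently drops every header from the server or http level, so include the snippet again in any location that sets its own headers, and confirm with `curl -sI https://example.com/some/path` that the full set is present on every route, including error pages.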
Forces all HTTP connections to retry over HTTPS. Consequently, all other NGINX server blocks should listen on port 443.
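The redirect server block such a snippet contains, as an added example rather than the repository's own file (the `default_server` and catch-all `server_name` are assumptions about how it is deployed):

```nginx
# Added example, not the repository's file.
# Catches every plain-HTTP request, whatever Host it names, and sends the client to HTTPS.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;

    # 301 lets browsers cache the upgrade. $host preserves the name the client asked for,
    # $request_uri preserves the path and query string, so deep links survive the redirect.
    return 301 https://$host$request_uri;
}
```

Because this block is the `default_server`, it also answers requests for names no other block serves, so nothing on port 80 ever falls through to a site's content. Once a browser has seen the HSTS header from an HTTPS response, it upgrades later requests itself and no longer touches this block at all.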
By default, a certificate at `/etc/ssl/certs/certificate.pem` with a key at `/etc/ssl/private/certificate.key` is used. These names and locations can of course be changed.
If multiple certificates are needed for various domains, the default certificate can be overridden inside a server block using the following snippet:

```nginx
ssl_certificate /etc/ssl/certs/other-cert.pem;
ssl_certificate_key /etc/ssl/private/other-cert.key;
```
Configures various request and response timeouts to be 30 seconds.
Various proxy parameters that ensure request information is correctly passed to the upstream server; include this file in each proxied location block.
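A proxy-params file of this kind, as an added example that is not the repository's snippet (the header set and the `$connection_upgrade` map are assumptions):

```nginx
# Added example, not the repository's file.
# Included from each proxied location; assumes this map exists in the http {} block:
#   map $http_upgrade $connection_upgrade { default upgrade; '' close; }
proxy_http_version 1.1;

# Identity of the original request, so the Node.js app sees the public host and scheme
# rather than 127.0.0.1 and http.
proxy_set_header Host              $host;
proxy_set_header X-Forwarded-Host  $host;
proxy_set_header X-Forwarded-Proto $scheme;

# Client address chain. $remote_addr is whoever connected to NGINX; behind Cloudflare that is
# a Cloudflare edge, not the visitor, unless the realip module maps CF-Connecting-IP first.
proxy_set_header X-Real-IP         $remote_addr;
proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;

# WebSocket support: forward the Upgrade handshake instead of swallowing it.
proxy_set_header Upgrade           $http_upgrade;
proxy_set_header Connection        $connection_upgrade;
```

Two trust points matter here. First, because `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for` appends to whatever the client already sent, the upstream must treat only the rightmost entry (added by NGINX) as trustworthy; in Express that means configuring `trust proxy` for the proxy hop count rather than trusting the whole header. Second, when the only path to the origin is Cloudflare, bind the Node.js server to 127.0.0.1 (as the example server block below does) and restrict port 443 at the firewall to Cloudflare's published ranges, so an attacker cannot reach the origin directly with a forged `X-Forwarded-For` or `CF-Connecting-IP`.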
Routes requests for the domain `example.com` to the server running locally on port 9000.

```nginx
server {
    # "ssl" is required for TLS on this port; without it (or the deprecated "ssl on;")
    # NGINX would speak plain HTTP on 443.
    listen 443 ssl;
    server_name subdomain.example.com example.com;

    location / {
        proxy_pass http://127.0.0.1:9000;
        include /etc/nginx/snippets/proxy-params.conf;
    }
}
```