├── Dockerfile ├── LICENSE ├── README.md ├── docker-entrypoint.sh ├── h5bp ├── README.md ├── basic.conf ├── directive-only │ ├── cache-file-descriptors.conf │ ├── cross-domain-insecure.conf │ ├── extra-security.conf │ ├── no-transform.conf │ ├── spdy.conf │ ├── ssl-stapling.conf │ ├── ssl.conf │ └── x-ua-compatible.conf └── location │ ├── cache-busting.conf │ ├── cross-domain-fonts.conf │ ├── expires.conf │ └── protect-system-files.conf ├── mime.types └── templates ├── nginx.conf.j2 ├── sites-available └── example.com.j2 └── sites-enabled └── example.com /Dockerfile: --------------------------------------------------------------------------------
#
# Nginx, with Python and j2cli to evaluate Jinja2 templates.
#
# Config based off h5bp
# See https://github.com/h5bp/server-configs-nginx
#
# Runtime layout (consumed by docker-entrypoint.sh):
#   /templates                - Jinja2 templates, rendered into /etc/nginx at start
#   /docker-entrypoint-init.d - optional *.sh scripts sourced at start
#

# NOTE(review): neither the base image nor j2cli is pinned to a version or digest,
# so builds are not reproducible and silently pick up whatever is current
# (supply-chain drift). easy_install also performs no hash or signature check of
# what it downloads. Consider a fixed tag/digest and a pinned j2cli release.
FROM nginx

# `apt-get purge -y --auto-remove` names no package, so it appears to be a no-op;
# python-setuptools stays in the image (the j2 console script presumably needs it).
RUN apt-get update && \
    apt-get install -y python-setuptools && \
    easy_install j2cli && \
    apt-get purge -y --auto-remove && rm -rf /var/lib/apt/lists/*

# static.log is the access_log target used by h5bp/location/expires.conf;
# link it to stdout so Docker's log driver collects it.
RUN ln -sf /dev/stdout /var/log/nginx/static.log

COPY ./mime.types /etc/nginx/mime.types
COPY ./h5bp /etc/nginx/h5bp

# Templates for nginx config files (defaults; a volume mounted on /templates replaces them)
COPY /templates /templates
COPY ./docker-entrypoint.sh /

# Directory for extra initialization scripts. The entrypoint *sources* every
# *.sh found here, so such scripts run with the entrypoint's privileges
# (root, since no USER instruction is set).
RUN mkdir /docker-entrypoint-init.d

EXPOSE 80 443
# The entrypoint renders the templates, runs the init scripts, then exec's "$@" (nginx).
CMD ["nginx"]
ENTRYPOINT ["/docker-entrypoint.sh"]
-------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2015 Alan Descoins 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute,
sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | 23 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | nginx-docker 2 | ============ 3 | Based on the official nginx Docker image and h5bp, with templating and custom initialization script support. 4 | 5 | Rationale 6 | --------- 7 | I wanted an [nginx](http://nginx.org/) image that met the following criteria: 8 | 9 | * Extends the [official nginx image](https://github.com/docker-library/docs/tree/master/nginx). 10 | * Supports a configuration file template that is evaluated from environment variables, as described in [this blog post](http://blog.tryolabs.com/2015/03/26/configurable-docker-containers-for-multiple-environments/). 11 | * Its base configuration stems from best practices outlined in [h5bp](https://github.com/h5bp/server-configs-nginx). 12 | * Can run arbitrary scripts at startup easily. 13 | 14 | Thus, **nginx-docker** was born. 15 | 16 | How it works 17 | ------------ 18 | Nginx config files are generated from [Jinja2](http://jinja.pocoo.org/docs/dev/) templates. The values of the variables are resolved from the environment variables (i.e.
those used by Docker and those passed by `docker run`). 19 | 20 | This is what happens when the container runs: 21 | 22 | 1. Whatever is in the `/templates` directory is copied to `/etc/nginx`. 23 | 2. All files of the form `<name>.j2` (the extension of Jinja2 templates) inside `/etc/nginx` are found (recursively) and evaluated, leaving them as `<name>`. For example, `/etc/nginx/sites-enabled/mysite.com.j2` would be stored as `/etc/nginx/sites-enabled/mysite.com`. 24 | 3. All `.sh` scripts present in `/docker-entrypoint-init.d` (if any) are executed (they are sourced into the entrypoint shell, before nginx starts). 25 | 4. Finally, nginx starts. 26 | 27 | How to use this image 28 | --------------------- 29 | Before you get started, make sure you understand how the [official nginx image](https://github.com/docker-library/docs/tree/master/nginx) works, since this one is an extension. 30 | 31 | ### Using docker run 32 | You may run a container from this image with: 33 | 34 | ``` 35 | docker run --name some-nginx dekked/nginx-docker 36 | ``` 37 | 38 | If you are not providing custom template files, the default ones for the *example.com* site (based on [h5bp](https://github.com/h5bp/server-configs-nginx)) are going to be used. See the [templates](https://github.com/dekked/nginx-docker/tree/master/templates) directory. 39 | 40 | If you wish to run with your own templates or scripts, you can do so as follows: 41 | 42 | ``` 43 | docker run --name some-nginx -v "<path-to-your-templates>:/templates" -v "<path-to-your-scripts>:/docker-entrypoint-init.d" dekked/nginx-docker 44 | ``` 45 | 46 | The default templates don't include any variables, but they can be easily added. For example, if your nginx site conf is like: 47 | 48 | ``` 49 | server { 50 | listen 80; 51 | server_name {{ NGINX_CONF_SERVER_NAME }}; # different on dev and prod 52 | 53 | # ... 54 | } 55 | ``` 56 | 57 | Then you could run like `docker run --name some-nginx -v "<path-to>/your-site.j2:/templates/sites-enabled/yoursite.com.j2" -e "NGINX_CONF_SERVER_NAME=yoursite.com" -it dekked/nginx-docker`.
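58 | 59 | ### Using Docker-Compose 60 | With [Docker-Compose](https://docs.docker.com/compose/), a service may be defined like this: 61 | 62 | ```yml 63 | nginx: 64 | image: dekked/nginx-docker 65 | ports: 66 | - "80:80" 67 | volumes: 68 | - /:/templates 69 | - :/docker-entrypoint-init.d 70 | env: 71 | MY_ENV_VAR: value 72 | env_file: 73 | - /nginx.env 74 | # ... 75 | ``` 76 | 77 | Contributing 78 | ------------ 79 | You are invited to contribute new features, fixes, or updates, large or small; I am always thrilled to receive pull requests, and do my best to process them as fast as I can. 80 | 81 | Authors 82 | ------- 83 | * Alan Descoins - alan@tryolabs.com 84 | -------------------------------------------------------------------------------- /docker-entrypoint.sh: --------------------------------------------------------------------------------
#!/bin/bash -e
#
# Container entrypoint: render the Jinja2 templates from /templates into
# /etc/nginx, source any init scripts, then exec the container command
# (normally "nginx", the Dockerfile's CMD). Exits on the first failure (-e).

# Copy all templates to /etc/nginx/, evaluate them and delete the files.
# Paths are NUL-delimited and always quoted so a file name containing
# whitespace or glob characters cannot be split or expanded by the shell.
cp -R /templates/* /etc/nginx/
while IFS= read -r -d '' f; do
    dest="${f%.j2}"
    echo -e "Evaluating template\n\tSource: $f\n\tDest: $dest"
    j2 "$f" > "$dest"
    rm -f "$f"
done < <(find /etc/nginx/ -type f -name "*.j2" -print0)

# Extra initialization scripts. They are *sourced* into this shell, so they
# run with the entrypoint's privileges, can export variables that nginx will
# inherit, and can abort the whole start-up (set -e applies to them too).
for f in /docker-entrypoint-init.d/*; do
    # An empty directory leaves the unexpanded pattern in $f; skip it.
    [ -e "$f" ] || continue
    case "$f" in
        *.sh) echo "Running $f"; . "$f" ;;
        *) echo "Ignoring $f" ;;
    esac
    echo
done

cd /etc/nginx
exec "$@"
-------------------------------------------------------------------------------- /h5bp/README.md: -------------------------------------------------------------------------------- 1 | Component-config files 2 | ---------------------- 3 | 4 | Each of these files is intended to be included in a server block. Not all of 5 | the files here are used - they are available to be included as required. The 6 | `basic.conf` file includes the rules which are recommended to always be 7 | defined.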
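8 | -------------------------------------------------------------------------------- /h5bp/basic.conf: --------------------------------------------------------------------------------
# Basic h5bp rules
#
# Meant to be included at server{} level (see templates/sites-available/example.com.j2).
#
# Order matters: among regex locations nginx uses the FIRST one, in configuration
# order, that matches the request URI. The deny rules in protect-system-files.conf
# are therefore included first; if they came after expires.conf, a hidden file with
# a cacheable extension (e.g. /.private/index.html) would be matched by the
# expires.conf html location and served instead of denied.
include h5bp/location/protect-system-files.conf;

# NOTE: add_header is inherited from this level into a location{} only when that
# location sets no add_header of its own. The locations in expires.conf and
# cross-domain-fonts.conf set Cache-Control, so X-UA-Compatible (and any header
# from extra-security.conf, should you include it) is not sent on those responses
# unless repeated inside them.
include h5bp/directive-only/x-ua-compatible.conf;
include h5bp/location/expires.conf;
include h5bp/location/cross-domain-fonts.conf;
-------------------------------------------------------------------------------- /h5bp/directive-only/cache-file-descriptors.conf: -------------------------------------------------------------------------------- 1 | # This tells Nginx to cache open file handles, "not found" errors, metadata about files and their permissions, etc. 2 | # 3 | # The upside of this is that Nginx can immediately begin sending data when a popular file is requested, 4 | # and will also know to immediately send a 404 if a file is missing on disk, and so on. 5 | # 6 | # However, it also means that the server won't react immediately to changes on disk, which may be undesirable. 7 | # 8 | # In the below configuration, inactive files are released from the cache after 20 seconds, whereas 9 | # active (recently requested) files are re-validated every 30 seconds. 10 | # 11 | # Descriptors will not be cached unless they are used at least 2 times within 20 seconds (the inactive time). 12 | # 13 | # A maximum of the 1000 most recently used file descriptors can be cached at any time. 14 | # 15 | # Production servers with stable file collections will definitely want to enable the cache.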
16 | open_file_cache max=1000 inactive=20s; 17 | open_file_cache_valid 30s; 18 | open_file_cache_min_uses 2; 19 | open_file_cache_errors on; 20 | -------------------------------------------------------------------------------- /h5bp/directive-only/cross-domain-insecure.conf: -------------------------------------------------------------------------------- 1 | # Cross domain AJAX requests 2 | 3 | # http://www.w3.org/TR/cors/#access-control-allow-origin-response-header 4 | 5 | # **Security Warning** 6 | # Do not use this without understanding the consequences. 7 | # This will permit access from any other website. 8 | # 9 | add_header "Access-Control-Allow-Origin" "*"; 10 | 11 | # Instead of using this file, consider using a specific rule such as: 12 | # 13 | # Allow access based on [sub]domain: 14 | # add_header "Access-Control-Allow-Origin" "subdomain.example.com"; 15 | -------------------------------------------------------------------------------- /h5bp/directive-only/extra-security.conf: -------------------------------------------------------------------------------- 1 | # The X-Frame-Options header indicates whether a browser should be allowed 2 | # to render a page within a frame or iframe. 3 | add_header X-Frame-Options SAMEORIGIN; 4 | 5 | # MIME type sniffing security protection 6 | # There are very few edge cases where you wouldn't want this enabled. 7 | add_header X-Content-Type-Options nosniff; 8 | 9 | # The X-XSS-Protection header is used by Internet Explorer version 8+ 10 | # The header instructs IE to enable its inbuilt anti-cross-site scripting filter. 
11 | add_header X-XSS-Protection "1; mode=block"; 12 | 13 | # with Content Security Policy (CSP) enabled (and a browser that supports it (http://caniuse.com/#feat=contentsecuritypolicy), 14 | # you can tell the browser that it can only download content from the domains you explicitly allow 15 | # CSP can be quite difficult to configure, and cause real issues if you get it wrong 16 | # There is website that helps you generate a policy here http://cspisawesome.com/ 17 | # add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' https://www.google-analytics.com;"; 18 | -------------------------------------------------------------------------------- /h5bp/directive-only/no-transform.conf: -------------------------------------------------------------------------------- 1 | # Prevent mobile network providers from modifying your site 2 | # 3 | # (!) If you are using `ngx_pagespeed`, please note that setting 4 | # the `Cache-Control: no-transform` response header will prevent 5 | # `PageSpeed` from rewriting `HTML` files, and, if 6 | # `pagespeed DisableRewriteOnNoTransform off` is not used, also 7 | # from rewriting other resources. 
8 | # 9 | # https://developers.google.com/speed/pagespeed/module/configuration#notransform 10 | 11 | add_header "Cache-Control" "no-transform"; 12 | -------------------------------------------------------------------------------- /h5bp/directive-only/spdy.conf: -------------------------------------------------------------------------------- 1 | # Nginx's spdy module is compiled by default from 1.6 2 | # SPDY only works on HTTPS connections 3 | 4 | # Inform browser of SPDY availability 5 | add_header Alternate-Protocol 443:npn-spdy/3; 6 | 7 | # Adjust connection keepalive for SPDY clients: 8 | spdy_keepalive_timeout 300; # up from 180 secs default 9 | 10 | # enable SPDY header compression 11 | spdy_headers_comp 6; 12 | -------------------------------------------------------------------------------- /h5bp/directive-only/ssl-stapling.conf: -------------------------------------------------------------------------------- 1 | # OCSP stapling... 2 | ssl_stapling on; 3 | ssl_stapling_verify on; 4 | 5 | #trusted cert must be made up of your intermediate certificate followed by root certificate 6 | #ssl_trusted_certificate /path/to/ca.crt; 7 | 8 | resolver 8.8.8.8 8.8.4.4 216.146.35.35 216.146.36.36 valid=60s; 9 | resolver_timeout 2s; 10 | -------------------------------------------------------------------------------- /h5bp/directive-only/ssl.conf: -------------------------------------------------------------------------------- 1 | # Protect against the BEAST and POODLE attacks by not using SSLv3 at all. If you need to support older browsers (IE6) you may need to add 2 | # SSLv3 to the list of protocols below. 
# NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996) and fail current
# compliance baselines; unless you must support very old clients, prefer
# `ssl_protocols TLSv1.2;` (plus TLSv1.3 where your nginx/OpenSSL support it).
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

# Ciphers set to best allow protection from BEAST, while providing forward secrecy, as defined by Mozilla (Intermediate Set) - https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
# NOTE(review): this list dates from 2015. It still admits 3DES (DES-CBC3-SHA,
# Sweet32), the broad AES/CAMELLIA aliases and static-RSA suites (AES128-SHA etc.)
# that give no forward secrecy; the trailing `!` exclusions do not cover them.
# Re-generate from the current Mozilla recommendations before production use.
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
# With this on, the server's preference order above (ECDHE + AES-GCM first) wins over the client's.
ssl_prefer_server_ciphers on;

# Optimize SSL by caching session parameters. This cuts down on the number of expensive SSL handshakes.
# (Note: the "10m" in ssl_session_cache below is the cache SIZE, 10 MB, not a duration;
# how long entries live is governed by ssl_session_timeout.)
# The handshake is the most CPU-intensive operation, and by default it is re-negotiated on every new/parallel connection.
# By enabling a cache (of type "shared between all Nginx workers"), we tell the client to re-use the already negotiated state.
# Further optimization can be achieved by raising keepalive_timeout, but that shouldn't be done unless you serve primarily HTTPS.
13 | ssl_session_cache shared:SSL:10m; # a 1mb cache can hold about 4000 sessions, so we can hold 40000 sessions 14 | ssl_session_timeout 24h; 15 | 16 | # SSL buffer size was added in 1.5.9 17 | #ssl_buffer_size 1400; # 1400 bytes to fit in one MTU 18 | 19 | # Session tickets appeared in version 1.5.9 20 | # 21 | # nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and 22 | # when a restart is performed the previous key is lost, which resets all previous 23 | # sessions. The fix for this is to setup a manual rotation mechanism: 24 | # http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx 25 | # 26 | # Note that you'll have to define and rotate the keys securely by yourself. In absence 27 | # of such infrastructure, consider turning off session tickets: 28 | #ssl_session_tickets off; 29 | 30 | # Use a higher keepalive timeout to reduce the need for repeated handshakes 31 | keepalive_timeout 300; # up from 75 secs default 32 | 33 | # HSTS (HTTP Strict Transport Security) 34 | # This header tells browsers to cache the certificate for a year and to connect exclusively via HTTPS. 35 | #add_header Strict-Transport-Security "max-age=31536000;"; 36 | # This version tells browsers to treat all subdomains the same as this site and to load exclusively over HTTPS 37 | #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;"; 38 | 39 | # This default SSL certificate will be served whenever the client lacks support for SNI (Server Name Indication). 40 | # Make it a symlink to the most important certificate you have, so that users of IE 8 and below on WinXP can see your main site without SSL errors. 
41 | #ssl_certificate /etc/nginx/default_ssl.crt; 42 | #ssl_certificate_key /etc/nginx/default_ssl.key; 43 | 44 | # Consider using OCSP Stapling as shown in ssl-stapling.conf 45 | -------------------------------------------------------------------------------- /h5bp/directive-only/x-ua-compatible.conf: -------------------------------------------------------------------------------- 1 | # Force the latest IE version 2 | add_header "X-UA-Compatible" "IE=Edge"; 3 | -------------------------------------------------------------------------------- /h5bp/location/cache-busting.conf: -------------------------------------------------------------------------------- 1 | # Built-in filename-based cache busting 2 | 3 | # https://github.com/h5bp/html5-boilerplate/blob/5370479476dceae7cc3ea105946536d6bc0ee468/.htaccess#L403 4 | # This will route all requests for /css/style.20120716.css to /css/style.css 5 | # Read also this: github.com/h5bp/html5-boilerplate/wiki/cachebusting 6 | # This is not included by default, because it'd be better if you use the build 7 | # script to manage the file names. 8 | location ~* (.+)\.(?:\d+)\.(js|css|png|jpg|jpeg|gif)$ { 9 | try_files $uri $1.$2; 10 | } 11 | -------------------------------------------------------------------------------- /h5bp/location/cross-domain-fonts.conf: -------------------------------------------------------------------------------- 1 | # Cross domain webfont access 2 | location ~* \.(?:ttf|ttc|otf|eot|woff|woff2)$ { 3 | include h5bp/directive-only/cross-domain-insecure.conf; 4 | 5 | # Also, set cache rules for webfonts. 
6 | # 7 | # See http://wiki.nginx.org/HttpCoreModule#location 8 | # And https://github.com/h5bp/server-configs/issues/85 9 | # And https://github.com/h5bp/server-configs/issues/86 10 | expires 1M; 11 | access_log off; 12 | add_header Cache-Control "public"; 13 | } 14 | -------------------------------------------------------------------------------- /h5bp/location/expires.conf: -------------------------------------------------------------------------------- 1 | # Expire rules for static content 2 | 3 | # No default expire rule. This config mirrors that of apache as outlined in the 4 | # html5-boilerplate .htaccess file. However, nginx applies rules by location, 5 | # the apache rules are defined by type. A consequence of this difference is that 6 | # if you use no file extension in the url and serve html, with apache you get an 7 | # expire time of 0s, with nginx you'd get an expire header of one month in the 8 | # future (if the default expire rule is 1 month). Therefore, do not use a 9 | # default expire rule with nginx unless your site is completely static 10 | 11 | # cache.appcache, your document html and data 12 | location ~* \.(?:manifest|appcache|html?|xml|json)$ { 13 | expires -1; 14 | access_log /var/log/nginx/static.log; 15 | } 16 | 17 | # Feed 18 | location ~* \.(?:rss|atom)$ { 19 | expires 1h; 20 | add_header Cache-Control "public"; 21 | } 22 | 23 | # Media: images, icons, video, audio, HTC 24 | location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ { 25 | expires 1M; 26 | access_log off; 27 | add_header Cache-Control "public"; 28 | } 29 | 30 | # CSS and Javascript 31 | location ~* \.(?:css|js)$ { 32 | expires 1y; 33 | access_log off; 34 | add_header Cache-Control "public"; 35 | } 36 | 37 | # WebFonts 38 | # If you are NOT using cross-domain-fonts.conf, uncomment the following directive 39 | # location ~* \.(?:ttf|ttc|otf|eot|woff|woff2)$ { 40 | # expires 1M; 41 | # access_log off; 42 | # add_header Cache-Control "public"; 43 | # } 
44 | -------------------------------------------------------------------------------- /h5bp/location/protect-system-files.conf: --------------------------------------------------------------------------------
# Prevent clients from accessing hidden files (starting with a dot)
# This is particularly important if you store .htpasswd files in the site hierarchy
#
# NOTE(review): nginx uses the first matching regex location in configuration
# order, so these deny rules only protect what they claim if this file is
# included before any other regex location (e.g. those in expires.conf); check
# the include order in basic.conf. The rule also covers /.well-known/ (ACME
# HTTP-01 challenges, security.txt); if that path must be served, add a more
# specific `location ^~ /.well-known/ { ... }` ahead of this one.
location ~* (?:^|/)\. {
    deny all;
}

# Prevent clients from accessing backup/config/source files
# Matches by suffix only, e.g. foo.bak, foo.sql, foo.sh, or an editor backup foo~.
location ~* (?:\.(?:bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist)|~)$ {
    deny all;
}
-------------------------------------------------------------------------------- /mime.types: -------------------------------------------------------------------------------- 1 | types { 2 | 3 | # Data interchange 4 | 5 | application/atom+xml atom; 6 | application/json json map topojson; 7 | application/ld+json jsonld; 8 | application/rss+xml rss; 9 | application/vnd.geo+json geojson; 10 | application/xml rdf xml; 11 | 12 | 13 | # JavaScript 14 | 15 | # Normalize to standard type.
16 | # https://tools.ietf.org/html/rfc4329#section-7.2 17 | application/javascript js; 18 | 19 | 20 | # Manifest files 21 | 22 | application/manifest+json webmanifest; 23 | application/x-web-app-manifest+json webapp; 24 | text/cache-manifest appcache; 25 | 26 | 27 | # Media files 28 | 29 | audio/midi mid midi kar; 30 | audio/mp4 aac f4a f4b m4a; 31 | audio/mpeg mp3; 32 | audio/ogg oga ogg opus; 33 | audio/x-realaudio ra; 34 | audio/x-wav wav; 35 | image/bmp bmp; 36 | image/gif gif; 37 | image/jpeg jpeg jpg; 38 | image/png png; 39 | image/svg+xml svg svgz; 40 | image/tiff tif tiff; 41 | image/vnd.wap.wbmp wbmp; 42 | image/webp webp; 43 | image/x-jng jng; 44 | video/3gpp 3gpp 3gp; 45 | video/mp4 f4v f4p m4v mp4; 46 | video/mpeg mpeg mpg; 47 | video/ogg ogv; 48 | video/quicktime mov; 49 | video/webm webm; 50 | video/x-flv flv; 51 | video/x-mng mng; 52 | video/x-ms-asf asx asf; 53 | video/x-ms-wmv wmv; 54 | video/x-msvideo avi; 55 | 56 | # Serving `.ico` image files with a different media type 57 | # prevents Internet Explorer from displaying then as images: 58 | # https://github.com/h5bp/html5-boilerplate/commit/37b5fec090d00f38de64b591bcddcb205aadf8ee 59 | 60 | image/x-icon cur ico; 61 | 62 | 63 | # Microsoft Office 64 | 65 | application/msword doc; 66 | application/vnd.ms-excel xls; 67 | application/vnd.ms-powerpoint ppt; 68 | application/vnd.openxmlformats-officedocument.wordprocessingml.document docx; 69 | application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx; 70 | application/vnd.openxmlformats-officedocument.presentationml.presentation pptx; 71 | 72 | 73 | # Web fonts 74 | 75 | application/font-woff woff; 76 | application/font-woff2 woff2; 77 | application/vnd.ms-fontobject eot; 78 | 79 | # Browsers usually ignore the font media types and simply sniff 80 | # the bytes to figure out the font type. 
81 | # https://mimesniff.spec.whatwg.org/#matching-a-font-type-pattern 82 | # 83 | # However, Blink and WebKit based browsers will show a warning 84 | # in the console if the following font types are served with any 85 | # other media types. 86 | 87 | application/x-font-ttf ttc ttf; 88 | font/opentype otf; 89 | 90 | 91 | # Other 92 | 93 | application/java-archive jar war ear; 94 | application/mac-binhex40 hqx; 95 | application/octet-stream bin deb dll dmg exe img iso msi msm msp safariextz; 96 | application/pdf pdf; 97 | application/postscript ps eps ai; 98 | application/rtf rtf; 99 | application/vnd.google-earth.kml+xml kml; 100 | application/vnd.google-earth.kmz kmz; 101 | application/vnd.wap.wmlc wmlc; 102 | application/x-7z-compressed 7z; 103 | application/x-bb-appworld bbaw; 104 | application/x-bittorrent torrent; 105 | application/x-chrome-extension crx; 106 | application/x-cocoa cco; 107 | application/x-java-archive-diff jardiff; 108 | application/x-java-jnlp-file jnlp; 109 | application/x-makeself run; 110 | application/x-opera-extension oex; 111 | application/x-perl pl pm; 112 | application/x-pilot prc pdb; 113 | application/x-rar-compressed rar; 114 | application/x-redhat-package-manager rpm; 115 | application/x-sea sea; 116 | application/x-shockwave-flash swf; 117 | application/x-stuffit sit; 118 | application/x-tcl tcl tk; 119 | application/x-x509-ca-cert der pem crt; 120 | application/x-xpinstall xpi; 121 | application/xhtml+xml xhtml; 122 | application/xslt+xml xsl; 123 | application/zip zip; 124 | text/css css; 125 | text/html html htm shtml; 126 | text/mathml mml; 127 | text/plain txt; 128 | text/vcard vcard vcf; 129 | text/vnd.rim.location.xloc xloc; 130 | text/vnd.sun.j2me.app-descriptor jad; 131 | text/vnd.wap.wml wml; 132 | text/vtt vtt; 133 | text/x-component htc; 134 | 135 | } 136 | -------------------------------------------------------------------------------- /templates/nginx.conf.j2: 
--------------------------------------------------------------------------------
# nginx Configuration File
#
# Based off https://github.com/h5bp/server-configs-nginx
#
# Reference: http://wiki.nginx.org/Configuration
#
# This is a Jinja2 template: docker-entrypoint.sh renders it to
# /etc/nginx/nginx.conf at container start, filling {{ VAR }} placeholders
# from the environment.
#

# NOTE(review): with `user root;` the worker processes (the ones parsing client
# traffic) run as root, so a compromised worker is root inside the container.
# The official nginx image's default config uses `user nginx;`; switch to it if
# the document root (see sites-available/*) and the log paths are readable by
# that account.
user root;
# Stay in the foreground: the entrypoint exec's nginx as the container's main process.
daemon off;

# How many worker processes to run;
# "auto" sets it to the number of CPU cores available in the system, and
# offers the best performance. Don't set it higher than the number of CPU
# cores if changing this parameter.
# (This file pins 2 rather than "auto"; adjust to the CPUs the container gets.)

# The maximum number of connections for Nginx is calculated by:
# max_clients = worker_processes * worker_connections
worker_processes 2;

# Maximum open file descriptors per process;
# should be > worker_connections.
worker_rlimit_nofile 8192;

events {
    # When you need > 8000 * cpu_cores connections, you start optimizing your OS,
    # and this is probably the point at which you hire people who are smarter than
    # you, as this is *a lot* of requests.
    worker_connections 8000;
}

# Default error log file
# (this is only used when you don't override error_log on a server{} level)
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

http {

    # Hide nginx version information.
    server_tokens off;

    # Define the MIME types for files.
42 | include mime.types; 43 | default_type application/octet-stream; 44 | 45 | # Update charset_types due to updated mime.types 46 | charset_types text/xml text/plain text/vnd.wap.wml application/x-javascript application/rss+xml text/css application/javascript application/json; 47 | 48 | # Format to use in log files 49 | log_format main '$remote_addr - $remote_user [$time_local] "$request" ' 50 | '$status $body_bytes_sent "$http_referer" ' 51 | '"$http_user_agent" "$http_x_forwarded_for"'; 52 | 53 | # Default log file 54 | # (this is only used when you don't override access_log on a server{} level) 55 | access_log /var/log/nginx/access.log main; 56 | 57 | # How long to allow each connection to stay idle; longer values are better 58 | # for each individual client, particularly for SSL, but means that worker 59 | # connections are tied up longer. (Default: 65) 60 | keepalive_timeout 20; 61 | 62 | # Speed up file transfers by using sendfile() to copy directly 63 | # between descriptors rather than using read()/write(). 64 | sendfile on; 65 | 66 | # Tell Nginx not to send out partial frames; this increases throughput 67 | # since TCP frames are filled up before being sent out. (adds TCP_CORK) 68 | tcp_nopush on; 69 | 70 | 71 | # Compression 72 | 73 | # Enable Gzip compressed. 74 | gzip on; 75 | 76 | # Compression level (1-9). 77 | # 5 is a perfect compromise between size and cpu usage, offering about 78 | # 75% reduction for most ascii files (almost identical to level 9). 79 | gzip_comp_level 5; 80 | 81 | # Don't compress anything that's already small and unlikely to shrink much 82 | # if at all (the default is 20 bytes, which is bad as that usually leads to 83 | # larger files after gzipping). 84 | gzip_min_length 256; 85 | 86 | # Compress data even for clients that are connecting to us via proxies, 87 | # identified by the "Via" header (required for CloudFront). 
88 | gzip_proxied any; 89 | 90 | # Tell proxies to cache both the gzipped and regular version of a resource 91 | # whenever the client's Accept-Encoding capabilities header varies; 92 | # Avoids the issue where a non-gzip capable client (which is extremely rare 93 | # today) would display gibberish if their proxy gave them the gzipped version. 94 | gzip_vary on; 95 | 96 | # Compress all output labeled with one of the following MIME-types. 97 | gzip_types 98 | application/atom+xml 99 | application/javascript 100 | application/json 101 | application/ld+json 102 | application/manifest+json 103 | application/rdf+xml 104 | application/rss+xml 105 | application/schema+json 106 | application/vnd.geo+json 107 | application/vnd.ms-fontobject 108 | application/x-font-ttf 109 | application/x-javascript 110 | application/x-web-app-manifest+json 111 | application/xhtml+xml 112 | application/xml 113 | font/eot 114 | font/opentype 115 | image/bmp 116 | image/svg+xml 117 | image/vnd.microsoft.icon 118 | image/x-icon 119 | text/cache-manifest 120 | text/css 121 | text/javascript 122 | text/plain 123 | text/vcard 124 | text/vnd.rim.location.xloc 125 | text/vtt 126 | text/x-component 127 | text/x-cross-domain-policy 128 | text/xml; 129 | # text/html is always compressed by HttpGzipModule 130 | 131 | # This should be turned on if you are going to have pre-compressed copies (.gz) of 132 | # static files available. If not it should be left off as it will cause extra I/O 133 | # for the check. It is best if you enable this in a location{} block for 134 | # a specific directory, or on an individual server{} level. 135 | # gzip_static on; 136 | 137 | # Include files in the sites-enabled folder. server{} configuration files should be 138 | # placed in the sites-available folder, and then the configuration should be enabled 139 | # by creating a symlink to it in the sites-available folder. 140 | # See doc/sites-enabled.md for more info. 
141 | include sites-enabled/*; 142 | } -------------------------------------------------------------------------------- /templates/sites-available/example.com.j2: -------------------------------------------------------------------------------- 1 | # www to non-www redirect -- duplicate content is BAD: 2 | # https://github.com/h5bp/html5-boilerplate/blob/5370479476dceae7cc3ea105946536d6bc0ee468/.htaccess#L362 3 | # Choose between www and non-www, listen on the *wrong* one and redirect to 4 | # the right one -- http://wiki.nginx.org/Pitfalls#Server_Name 5 | server { 6 | # don't forget to tell on which port this server listens 7 | listen [::]:80; 8 | listen 80; 9 | 10 | # listen on the www host 11 | server_name www.example.com; 12 | 13 | # and redirect to the non-www host (declared below) 14 | return 301 $scheme://example.com$request_uri; 15 | } 16 | 17 | server { 18 | # listen [::]:80 accept_filter=httpready; # for FreeBSD 19 | # listen 80 accept_filter=httpready; # for FreeBSD 20 | # listen [::]:80 deferred; # for Linux 21 | # listen 80 deferred; # for Linux 22 | listen [::]:80; 23 | listen 80; 24 | 25 | # The host name to respond to 26 | server_name example.com; 27 | 28 | # Path for static files 29 | root /sites/example.com/public; 30 | 31 | #Specify a charset 32 | charset utf-8; 33 | 34 | # Custom 404 page 35 | error_page 404 /404.html; 36 | 37 | # Include the basic h5bp config set 38 | include h5bp/basic.conf; 39 | } -------------------------------------------------------------------------------- /templates/sites-enabled/example.com: -------------------------------------------------------------------------------- 1 | ../sites-available/example.com --------------------------------------------------------------------------------