# Nginx configuration for Smart AI Trading Strategy Optimizer
# This file should be copied to C:\nginx-1.28.0\conf\nginx.conf
# Process model: a single worker process; each worker accepts up to
# worker_connections simultaneous client connections (see the events block).
worker_processes 1;
events {
# Upper bound on concurrent connections handled by one worker.
worker_connections 1024;
}
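http {
    include mime.types;
    default_type application/octet-stream;

    # Hide nginx version from headers and error pages
    server_tokens off;
    # To completely remove "nginx" from Server header, uncomment the following line
    # (requires headers-more-nginx-module to be installed)
    # more_clear_headers 'Server';

    sendfile on;
    keepalive_timeout 65;

    # Logging format for better debugging (includes upstream timings)
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" '
                    'rt=$request_time uct="$upstream_connect_time" '
                    'uht="$upstream_header_time" urt="$upstream_response_time"';
    access_log logs/access.log main;
    error_log logs/error.log warn;

    # Gzip compression for better performance and SEO
    # (disabled again inside /api/ - see the comment there)
    gzip on;
    gzip_vary on;
    gzip_min_length 1024;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_types text/plain text/css text/xml text/javascript application/json application/javascript application/xml+rss application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml;

    # CORS origin allow-list used by the /api/ locations.
    # Only this site's own origins are reflected into Access-Control-Allow-Origin;
    # for any other Origin the variable is empty and nginx omits the header.
    # Reflecting $http_origin unconditionally while also sending
    # Access-Control-Allow-Credentials: true would let any website make
    # credentialed cross-site requests to the API from a visitor's browser.
    map $http_origin $cors_origin {
        default "";
        "~^https://(www\.)?myaibaz\.ir$" $http_origin;
    }

    # HTTP server.
    # Serves only robots.txt, sitemap.xml and the health check, and redirects
    # everything else to HTTPS. No API, admin, static or media traffic is
    # proxied over plaintext, so cookies and Authorization headers are never
    # accepted on port 80.
    server {
        listen 80;
        server_name myaibaz.ir www.myaibaz.ir;

        # Custom error pages (without nginx branding)
        error_page 403 /403.html;
        error_page 404 /404.html;
        location = /403.html {
            root html;
            internal;
        }
        location = /404.html {
            root html;
            internal;
        }

        # Robots.txt and Sitemap.xml - served before the redirect (important for SEO)
        # Search engines need access to these files even on HTTP
        location = /robots.txt {
            root html;
            try_files $uri /robots.txt;
            access_log off;
            log_not_found off;
            expires 1d;
            add_header Cache-Control "public, max-age=86400";
        }
        location = /sitemap.xml {
            root html;
            try_files $uri /sitemap.xml;
            access_log off;
            log_not_found off;
            expires 1d;
            add_header Cache-Control "public, max-age=86400";
            add_header Content-Type "application/xml; charset=utf-8";
        }

        # Health check endpoint (static body, no secrets, so plaintext is acceptable)
        location /health {
            access_log off;
            # default_type sets the Content-Type of the "return" body; an
            # add_header Content-Type would produce a second Content-Type header.
            default_type text/plain;
            return 200 "healthy\n";
        }

        # Redirect everything else to HTTPS.
        # $server_name (the first configured name) is used rather than $host so
        # the redirect target cannot be steered by a client-supplied Host header.
        location / {
            return 301 https://$server_name$request_uri;
        }
    }

    # HTTPS server - enabled with the Cloudflare Origin Certificate
    server {
        listen 443 ssl;
        http2 on;
        server_name myaibaz.ir www.myaibaz.ir;

        # SSL certificate paths - Cloudflare Origin Certificate
        ssl_certificate C:/nginx-1.28.0/conf/ssl/myaibaz.ir.crt;
        ssl_certificate_key C:/nginx-1.28.0/conf/ssl/myaibaz.ir.key;

        # TLS configuration
        ssl_protocols TLSv1.2 TLSv1.3;
        # TLS 1.2: ECDHE + AEAD suites only, so every session has forward secrecy
        # (HIGH:!aNULL:!MD5 still admitted static-RSA key exchange and CBC suites).
        # TLS 1.3 suites are chosen by the TLS library and are not affected by this list.
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        # Session tickets are protected by a randomly generated key that lives as
        # long as the process; disabling them keeps forward secrecy for resumed
        # sessions (the shared cache above still provides resumption).
        ssl_session_tickets off;

        # Custom error pages (without nginx branding)
        # These locations add no headers of their own, so they inherit the
        # server-level security headers below.
        error_page 403 /403.html;
        error_page 404 /404.html;
        location = /403.html {
            root html;
            internal;
        }
        location = /404.html {
            root html;
            internal;
        }

        # Increase the request body limit for large requests
        client_max_body_size 100M;

        # Security headers.
        # nginx inherits add_header into a location only when that location
        # defines no add_header of its own. Every location below that adds a
        # header (Cache-Control, CORS, X-Robots-Tag, ...) therefore repeats this
        # set; otherwise the application's HTML and the API would be served
        # without HSTS, X-Frame-Options and the other headers.
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

        # Robots.txt and Sitemap.xml
        location = /robots.txt {
            root html;
            try_files $uri /robots.txt;
            access_log off;
            log_not_found off;
            expires 1d;
            add_header Cache-Control "public, max-age=86400";
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-XSS-Protection "1; mode=block" always;
            add_header Referrer-Policy "strict-origin-when-cross-origin" always;
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        }
        location = /sitemap.xml {
            root html;
            try_files $uri /sitemap.xml;
            access_log off;
            log_not_found off;
            expires 1d;
            add_header Cache-Control "public, max-age=86400";
            add_header Content-Type "application/xml; charset=utf-8";
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-XSS-Protection "1; mode=block" always;
            add_header Referrer-Policy "strict-origin-when-cross-origin" always;
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        }

        # Frontend - React App
        location / {
            root html;
            index index.html;
            try_files $uri $uri/ /index.html;
            add_header Cache-Control "no-cache, no-store, must-revalidate";
            add_header X-Robots-Tag "index, follow" always;
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-XSS-Protection "1; mode=block" always;
            add_header Referrer-Policy "strict-origin-when-cross-origin" always;
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        }

        # Backend API proxy
        location /api/ {
            proxy_pass http://127.0.0.1:8000/api/;
            # Set Host to localhost so Django accepts the request; the original
            # host is preserved in X-Forwarded-Host for reference
            proxy_set_header Host localhost;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-Host $host;

            # Error handling - retry on connection errors
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
            proxy_next_upstream_tries 2;
            proxy_next_upstream_timeout 10s;

            # API responses can echo request data alongside secrets such as CSRF
            # tokens; serving them uncompressed over TLS avoids the BREACH
            # compression side channel.
            gzip off;

            # CORS headers. The origin is reflected only when the http-level map
            # matched one of this site's own origins; Vary: Origin keeps caches
            # from serving one origin's response to another.
            add_header 'Access-Control-Allow-Origin' $cors_origin always;
            add_header 'Access-Control-Allow-Credentials' 'true' always;
            add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, PATCH, OPTIONS' always;
            add_header 'Access-Control-Allow-Headers' 'Content-Type, Authorization, X-CSRFToken, X-Requested-With' always;
            add_header 'Access-Control-Max-Age' '86400' always;
            add_header Vary Origin always;
            # Block API endpoints from search engines
            add_header X-Robots-Tag "noindex, nofollow" always;
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-XSS-Protection "1; mode=block" always;
            add_header Referrer-Policy "strict-origin-when-cross-origin" always;
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

            # Preflight OPTIONS requests are answered here and never forwarded to
            # the backend. add_header inside "if" replaces the location's set,
            # so the headers are repeated in full.
            if ($request_method = 'OPTIONS') {
                add_header 'Access-Control-Allow-Origin' $cors_origin always;
                add_header 'Access-Control-Allow-Credentials' 'true' always;
                add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, PATCH, OPTIONS' always;
                add_header 'Access-Control-Allow-Headers' 'Content-Type, Authorization, X-CSRFToken, X-Requested-With' always;
                add_header 'Access-Control-Max-Age' '86400' always;
                add_header Vary Origin always;
                add_header X-Frame-Options "SAMEORIGIN" always;
                add_header X-Content-Type-Options "nosniff" always;
                add_header X-XSS-Protection "1; mode=block" always;
                add_header Referrer-Policy "strict-origin-when-cross-origin" always;
                add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
                # 204 carries no body, so no Content-Type/Content-Length is added
                return 204;
            }

            # Timeout settings (increased for internet access with higher latency)
            proxy_connect_timeout 60s;
            proxy_send_timeout 90s;
            proxy_read_timeout 90s;

            # Buffer settings
            proxy_buffering off;
            proxy_request_buffering off;

            # Error pages: backend error bodies are passed through unchanged
            proxy_intercept_errors off;

            # Logging for debugging (same format as the main log)
            access_log logs/api_access.log main;
            error_log logs/api_error.log warn;
        }

        # Frontend admin routes - must come before Django admin block
        # These routes are handled by React Router, not Django admin
        # (a regex location takes precedence over the /admin/ prefix location)
        location ~ ^/admin/(users|security|settings) {
            root html;
            index index.html;
            try_files $uri $uri/ /index.html;
            add_header Cache-Control "no-cache, no-store, must-revalidate";
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-XSS-Protection "1; mode=block" always;
            add_header Referrer-Policy "strict-origin-when-cross-origin" always;
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        }

        # Django admin panel - only accessible from localhost
        # This matches /admin/ but not /admin/users, /admin/security, /admin/settings
        location /admin/ {
            # Restrict to localhost only. $remote_addr is the TCP peer, so with a
            # CDN or reverse proxy in front, only requests originating on this
            # host itself pass this check.
            allow 127.0.0.1;
            allow ::1;
            deny all;
            proxy_pass http://127.0.0.1:8000/admin/;
            proxy_set_header Host localhost;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-Host $host;
            # Block admin panel from search engines
            add_header X-Robots-Tag "noindex, nofollow" always;
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-XSS-Protection "1; mode=block" always;
            add_header Referrer-Policy "strict-origin-when-cross-origin" always;
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        }

        # Static files (Django static files)
        location /static/ {
            proxy_pass http://127.0.0.1:8000/static/;
            expires 1y;
            add_header Cache-Control "public, immutable";
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-XSS-Protection "1; mode=block" always;
            add_header Referrer-Policy "strict-origin-when-cross-origin" always;
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        }

        # Media files (user uploads)
        location /media/ {
            proxy_pass http://127.0.0.1:8000/media/;
            expires 30d;
            add_header Cache-Control "public";
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-XSS-Protection "1; mode=block" always;
            add_header Referrer-Policy "strict-origin-when-cross-origin" always;
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        }

        # Health check endpoint
        location /health {
            access_log off;
            # default_type sets the Content-Type of the "return" body; an
            # add_header Content-Type would produce a second Content-Type header.
            default_type text/plain;
            return 200 "healthy\n";
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-XSS-Protection "1; mode=block" always;
            add_header Referrer-Policy "strict-origin-when-cross-origin" always;
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        }
    }
}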