From 54192a9b6f8ee68114e3bc9ebf241099456e85f6 Mon Sep 17 00:00:00 2001
From: Dan Hunsaker <danhunsaker@gmail.com>
Date: Fri, 14 Jun 2019 06:52:32 -0600
Subject: Resync Nanobox files with the 2.9.0 release (#11083)

---
 nanobox/nginx-local.conf      | 20 +++++++++++++++++---
 nanobox/nginx-stream.conf.erb | 17 +++++++++++++----
 nanobox/nginx-web.conf.erb    | 22 +++++++++++++++++-----
 3 files changed, 47 insertions(+), 12 deletions(-)

(limited to 'nanobox')

diff --git a/nanobox/nginx-local.conf b/nanobox/nginx-local.conf
index c0e883603..37c8a451a 100644
--- a/nanobox/nginx-local.conf
+++ b/nanobox/nginx-local.conf
@@ -10,10 +10,13 @@ http {
     sendfile on;
 
     gzip on;
-    gzip_http_version 1.0;
+    gzip_disable "MSIE [1-6]\.";
+    gzip_vary on;
     gzip_proxied any;
+    gzip_comp_level 6;
+    gzip_buffers 16 8k;
     gzip_min_length 500;
-    gzip_disable "MSIE [1-6]\.";
+    gzip_http_version 1.1;
     gzip_types text/plain text/xml text/javascript text/css text/comma-separated-values application/xml+rss application/xml application/x-javascript application/json application/javascript application/atom+xml;
 
     # Proxy upstream to the puma process
@@ -36,9 +39,12 @@ http {
         # Listen on port 8080
         listen 8080;
 
+        keepalive_timeout    70;
+        client_max_body_size 80M;
+
         root /app/public;
 
-        client_max_body_size 80M;
+        add_header Strict-Transport-Security "max-age=31536000";
 
         location / {
             try_files $uri @rails;
@@ -47,6 +53,10 @@ http {
         # Proxy connections to rails
         location @rails {
             proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto https;
+            proxy_set_header Proxy "";
             proxy_pass_header Server;
 
             proxy_pass http://rails;
@@ -62,6 +72,10 @@ http {
         # Proxy connections to node
         location /api/v1/streaming {
             proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto https;
+            proxy_set_header Proxy "";
 
             proxy_pass http://node;
             proxy_buffering off;
diff --git a/nanobox/nginx-stream.conf.erb b/nanobox/nginx-stream.conf.erb
index 12bcc8ca5..4ea6e30fc 100644
--- a/nanobox/nginx-stream.conf.erb
+++ b/nanobox/nginx-stream.conf.erb
@@ -10,10 +10,13 @@ http {
     sendfile on;
 
     gzip on;
-    gzip_http_version 1.1;
+    gzip_disable "MSIE [1-6]\.";
+    gzip_vary on;
     gzip_proxied any;
+    gzip_comp_level 6;
+    gzip_buffers 16 8k;
     gzip_min_length 500;
-    gzip_disable "MSIE [1-6]\.";
+    gzip_http_version 1.1;
     gzip_types text/plain text/xml text/javascript text/css text/comma-separated-values application/xml+rss application/xml application/x-javascript application/json application/javascript application/atom+xml;
 
     # Proxy upstream to the node process
@@ -31,11 +34,13 @@ http {
         # Listen on port 8080
         listen 8080;
 
-        add_header Strict-Transport-Security "max-age=31536000";
-        # add_header Content-Security-Policy "style-src 'self' 'unsafe-inline'; script-src 'self'; object-src 'self'; img-src data: https:; media-src data: https:; connect-src 'self' wss://<%= ENV["LOCAL_DOMAIN"] %>; upgrade-insecure-requests";
+        keepalive_timeout    70;
+        client_max_body_size 80M;
 
         root /app/public;
 
+        add_header Strict-Transport-Security "max-age=31536000";
+
         location / {
             try_files $uri @node;
         }
@@ -43,6 +48,10 @@ http {
         # Proxy connections to node
         location @node {
             proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto https;
+            proxy_set_header Proxy "";
 
             proxy_pass http://node;
             proxy_buffering off;
diff --git a/nanobox/nginx-web.conf.erb b/nanobox/nginx-web.conf.erb
index d96f1bfc7..182d99209 100644
--- a/nanobox/nginx-web.conf.erb
+++ b/nanobox/nginx-web.conf.erb
@@ -10,10 +10,13 @@ http {
     sendfile on;
 
     gzip on;
-    gzip_http_version 1.0;
+    gzip_disable "MSIE [1-6]\.";
+    gzip_vary on;
     gzip_proxied any;
+    gzip_comp_level 6;
+    gzip_buffers 16 8k;
     gzip_min_length 500;
-    gzip_disable "MSIE [1-6]\.";
+    gzip_http_version 1.1;
     gzip_types text/plain text/xml text/javascript text/css text/comma-separated-values application/xml+rss application/xml application/x-javascript application/json application/javascript application/atom+xml;
 
     # Proxy upstream to the puma process
@@ -31,12 +34,12 @@ http {
         # Listen on port 8080
         listen 8080;
 
-        add_header Strict-Transport-Security "max-age=31536000";
-        # add_header Content-Security-Policy "style-src 'self' 'unsafe-inline'; script-src 'self'; object-src 'self'; img-src data: https:; media-src data: https:; connect-src 'self' wss://<%= ENV["LOCAL_DOMAIN"] %>; upgrade-insecure-requests";
+        keepalive_timeout    70;
+        client_max_body_size 80M;
 
         root /app/public;
 
-        client_max_body_size 80M;
+        add_header Strict-Transport-Security "max-age=31536000";
 
         location / {
             try_files $uri @rails;
@@ -44,17 +47,23 @@ http {
 
         location /sw.js {
             add_header Cache-Control "public, max-age=0";
+            add_header Strict-Transport-Security "max-age=31536000";
             try_files $uri @rails;
         }
 
         location ~ ^/(emoji|packs|system/media_attachments/files|system/accounts/avatars) {
             add_header Cache-Control "public, max-age=31536000, immutable";
+            add_header Strict-Transport-Security "max-age=31536000";
             try_files $uri @rails;
         }
 
         # Proxy connections to rails
         location @rails {
             proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto https;
+            proxy_set_header Proxy "";
             proxy_pass_header Server;
 
             proxy_pass http://rails;
@@ -66,7 +75,10 @@ http {
 
             proxy_cache CACHE;
             proxy_cache_valid 200 7d;
+            proxy_cache_valid 410 24h;
             proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+            add_header Strict-Transport-Security "max-age=31536000";
+            add_header X-Cached $upstream_cache_status;
 
             tcp_nodelay on;
         }
-- 
cgit