Merge pull request #5 from spreedly/update-nginx-config-and-procfile-…

…command updated config, rm unneeded items, updated command for start-nginx
spreedly · Jan 19, 2024 · d7806f2 · d7806f2
2 parents 7701d97 + e185da8
commit d7806f2
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 16 deletions.
diff --git a/Procfile b/Procfile
@@ -1 +1 @@
-web: bin/start_nginx
+web: bin/start-nginx-static
diff --git a/config/nginx.conf.erb b/config/nginx.conf.erb
@@ -1,43 +1,70 @@
-worker_processes  4;
+# much of this config from heroku-community/nginx repo
+
 daemon off;
+# Heroku dynos have at least 4 cores.
+
+worker_processes <%= ENV['NGINX_WORKERS'] || 4 %>;
+# Heroku dynos have at least 4 cores.
+
+pid /app/nginx.pid;
+# /app is $HOME & working directory of Heroku dyno
+
+error_log stderr info;
+# As documented for Nginx, but we still see error during start-up in log:
+# >  nginx: [alert] could not open error log file: open() "./logs/error.log"
 
 events {
-  worker_connections  1024;
+	use epoll;
+	accept_mutex on;
+	worker_connections <%= ENV['NGINX_WORKER_CONNECTIONS'] || 1024 %>;
 }
 
 http {
+	gzip on;
+	gzip_comp_level 2;
+	gzip_min_length 512;
+	gzip_proxied any; # Heroku router sends Via header
+
+  server_tokens      off;
+
+  log_format l2met 'measure#nginx.service=$request_time request_id=$http_x_request_id';
+	access_log /dev/stdout l2met;
+	# Remote IP, request path, HTTP status, & timestamp are all logged by Heroku Router, so not useful to include here.
 
   include            mime.types;
   default_type       application/octet-stream;
-
   sendfile           on;
-  keepalive_timeout  65;
 
-  port_in_redirect   off;
+	client_body_timeout <%= ENV['NGINX_CLIENT_BODY_TIMEOUT'] || 65 %>;
+	# Must read the body in 65 seconds.
 
-  # These are piped to STDOUT by the start_nginx script (created by the buildpack)
-  error_log          logs/error.log;
-  access_log         logs/access.log;
-  server_tokens      off;
+  port_in_redirect   off;
 
   server {
 
     listen           <%= ENV['PORT'] %>;
     server_name      <%= ENV['HOST'] || 'localhost' %>;
+    keepalive_timeout 25;
 
-    index            index.html;
-
-    gzip_static      on;
-    gzip_proxied     any;
-    gzip_disable     "msie6";
+    ## HTTPS Only
+		if ($http_x_forwarded_proto != "https") {
+			return 301 https://$host$request_uri;
+		}
 
     add_header       Vary Accept-Encoding;
     add_header       Cache-Control public;
 
+    # Block certain file access
+    # Ideas from this post https://serverfault.com/a/1069003
+    location ~\.(md|git|txt|json|log)|(Procfile|README|LICENSE)+.*?$ {
+      deny all;
+      return 404;
+    }
+
     # Generated site at "public" root dir
     location / {
       root           /app/;
-      autoindex      off;
+      limit_except GET HEAD POST { deny all; }
       # expires        <%= ENV['DEFAULT_TTL'] || 3600 %>s;
       expires max;
       try_files      $uri $uri/ $uri.html index.html;