nginx.conf

##
# Note that this file actually winds up at
#    /etc/nginx/conf.d/nginx.conf
# , and is loaded by /etc/nginx/nginx.conf in an http{} block
##

##
# Logging Settings
# The http_x_* headers are set by the gen3 reverse proxy:
#    kube/services/revproxy/
##
log_format json '{"gen3log": "nginx", '
        '"date_access": "$time_iso8601", '
        '"user_id": "$http_x_userid", '
        '"request_id": "$http_x_reqid", '
        '"session_id": "$http_x_sessionid", '
        '"visitor_id": "$http_x_visitorid", '
        '"network_client_ip": "$http_x_forwarded_for", '
        '"network_bytes_write": $body_bytes_sent, '
        '"http_response_time": "$request_time", '
        '"http_status_code": $status, '
        '"http_request": "$request_uri", '
        '"http_verb": "$request_method", '
        '"http_referer": "$http_referer", '
        '"http_useragent": "$http_user_agent", '
        '"message": "$request"}';

log_format aws   '$http_x_forwarded_for - $http_x_userid [$time_local] '
            '"$request" $status $body_bytes_sent '
            '"$http_referer" "$http_user_agent"';

access_log /dev/stdout json;

server {
    # TODO - drop port 80 and 443, so we can run as non-root
    listen 80 default_server;
    listen 8080 default_server;
    listen 443 default_server ssl;
    ssl_certificate /mnt/ssl/nginx.crt;
    ssl_certificate_key /mnt/ssl/nginx.key;
    server_tokens off;

    root /usr/share/nginx/html/;
    index index.html index.htm;

    # dev.html signals dev mode - for developer testing
    rewrite ^(\/\w+)?\/dev.html.+$ $1/dev.html;

    # Block all access to things like .git or .htaccess
    location ~ /\. {
      deny all;
    }

    # Block all access to package and config files
    # Note if WAF is deployed this should already be handled by WAF
    location ^~ /package.json {
        deny all;
    }
    location ^~ /package-lock.json {
        deny all;
    }
    location ^~ /npm-debug.log {
        deny all;
    }
    location ^~ /tsconfig.json {
        deny all;
    }
    location ^~ /webpack.config.js {
        deny all;
    }
    location ^~ /yarn.lock {
        deny all;
    }
    location ^~ /nginx.conf {
        deny all;
    }

    location ~* \.(?:manifest|appcache|html?|xml|json)$ {
      expires -1;
      # access_log logs/static.log; # I don't usually include a static log
    }

    location ~* \.(?:css|js)$ {
      try_files $uri =404;
      expires 1y;
      access_log off;
      add_header Cache-Control "public";
    }

    # Any route containing a file extension (e.g. /devicesfile.js)
    location ~ ^.+\.[^/]+$ {
      try_files $uri =404;
    }

    # Any route that doesn't have a file extension (e.g. /devices)
    location / {
        try_files $uri /index.html;
    }
}