diff --git a/README.md b/README.md
index 5c7d3fb..e81ed89 100644
--- a/README.md
+++ b/README.md
@@ -47,9 +47,44 @@ server { See [examples/example.com.conf](examples/example.com.conf:1) for the full server-level example. -### Reverse proxy with websocket support +### Optional `http {}` features -Websocket proxying needs one `http {}`-level `map` plus `location {}`-level proxy snippets: +These snippets are independent `http {}`-level features: + +```nginx +http { + include kit/http/gzip.conf; +} +``` + +Use `kit/http/gzip.conf` when you want nginx to compress common text-based responses. It is not specific to proxying or websocket traffic. + +```nginx +http { + include kit/http/websocket-map.conf; +} +``` + +Use `kit/http/websocket-map.conf` only when a `location {}` will include `kit/proxy_pass/websocket.conf`. + +### Reverse proxy + +Plain HTTP reverse proxying only needs the `location {}`-level proxy snippets: + +```nginx +server { + # ... + location / { + include kit/proxy_pass/forwarded.conf; + include kit/proxy_pass/timeout-300.conf; + proxy_pass http://app_backend; + } +} +``` + +### Websocket reverse proxy + +Websocket proxying adds one `http {}`-level dependency plus the websocket location snippet: ```nginx http {
@@ -57,12 +92,6 @@ http { server { # ... - location / { - include kit/proxy_pass/forwarded.conf; - include kit/proxy_pass/timeout-300.conf; - proxy_pass http://app_backend; - } - location /ws/ { include kit/proxy_pass/forwarded.conf; include kit/proxy_pass/websocket.conf;
@@ -101,6 +130,7 @@ server { ## Snippet reference +- `kit/http/gzip.conf`: gzip compression for common text-based responses. Must be included inside `http {}`. - `kit/http/websocket-map.conf`: defines `$connection_upgrade` for websocket proxying. Must be included inside `http {}`. - `kit/security.conf`: common security headers and host normalization. Intended for `server {}`. - `kit/ssl/security.conf`: TLS protocol and session resumption settings. Intended for `server {}`.
@@ -124,3 +154,9 @@ The script validates: - [examples/example.com.conf](examples/example.com.conf:1) as a server-level snippet. - [examples/reverse-proxy.nginx.conf](examples/reverse-proxy.nginx.conf:1) as a complete nginx config. + +## Notes + +- `gzip_proxied` does not remove `ETag` or `Last-Modified` headers. It only controls when nginx may gzip requests that arrived through another proxy. +- `text/html` does not need to appear in `gzip_types`; nginx compresses it automatically. +- Gzip over HTTPS can contribute to BREACH-style risk for responses that reflect attacker-controlled input alongside secrets. Keep that in mind for highly sensitive dynamic pages.
diff --git a/examples/reverse-proxy.nginx.conf b/examples/reverse-proxy.nginx.conf
index 0c3271e..a80d20c 100644
--- a/examples/reverse-proxy.nginx.conf
+++ b/examples/reverse-proxy.nginx.conf
@@ -4,6 +4,7 @@ http { include /etc/nginx/mime.types; default_type application/octet-stream; + include kit/http/gzip.conf; include kit/http/websocket-map.conf; upstream app_backend {
diff --git a/http/gzip.conf b/http/gzip.conf
new file mode 100644
index 0000000..fd5b378
--- /dev/null
+++ b/http/gzip.conf
@@ -0,0 +1,29 @@
+# Enable gzip for common text-based responses.
+gzip on;
+gzip_vary on;
+gzip_comp_level 4;
+gzip_min_length 256;
+
+# This does not remove ETag or Last-Modified headers; it only controls when
+nginx may gzip requests that already passed through an intermediary proxy.
+gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+
+gzip_types
+ application/atom+xml
+ application/javascript
+ application/json
+ application/ld+json
+ application/manifest+json
+ application/rss+xml
+ application/vnd.geo+json
+ application/vnd.ms-fontobject
+ application/wasm
+ application/x-web-app-manifest+json
+ application/xhtml+xml
+ application/xml
+ image/svg+xml
+ text/css
+ text/javascript
+ text/plain
+ text/xml
+ text/vtt;
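Review bot: The second line of the `gzip_proxied` comment in http/gzip.conf, `+nginx may gzip requests that already passed through an intermediary proxy.`, has no leading `#` as it appears here; unless that is an artifact of how the diff was captured, nginx will reject the file with an unknown directive error, so it should read `# nginx may gzip requests that already passed through an intermediary proxy.`. The wording is also slightly off: `gzip_proxied` decides whether responses to requests that arrived through a proxy (nginx detects this from the `Via` request header) may be compressed, not whether requests are gzipped, so `# nginx may compress responses to requests that arrived through an intermediary proxy.` would be more accurate. Because this snippet turns compression on for every response under `http {}`, including dynamic JSON proxied from the backend, a one-line pointer such as `# For sensitive dynamic responses, set 'gzip off;' in that location {} (see README Notes on BREACH).` would put the mitigation the README already describes next to the directive it qualifies.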
diff --git a/scripts/validate-docker.ps1 b/scripts/validate-docker.ps1
index 49772bc..2b11e8d 100644
--- a/scripts/validate-docker.ps1
+++ b/scripts/validate-docker.ps1
@@ -13,6 +13,7 @@ $serverSnippetConfig = @(
 " include /etc/nginx/mime.types;"
 " default_type application/octet-stream;"
 ""
+ " include /etc/nginx/kit/http/gzip.conf;"
 " include /etc/nginx/kit/http/websocket-map.conf;"
 ""
 " include /etc/nginx/kit/examples/example.com.conf;"