update
This commit is contained in:
parent
f04c14116d
commit
a16316979c
4 changed files with 75 additions and 8 deletions
52
README.md
52
README.md
|
|
@ -47,9 +47,44 @@ server {
|
|||
|
||||
See [examples/example.com.conf](examples/example.com.conf:1) for the full server-level example.
|
||||
|
||||
### Reverse proxy with websocket support
|
||||
### Optional `http {}` features
|
||||
|
||||
Websocket proxying needs one `http {}`-level `map` plus `location {}`-level proxy snippets:
|
||||
These snippets are independent `http {}`-level features:
|
||||
|
||||
```nginx
|
||||
http {
|
||||
include kit/http/gzip.conf;
|
||||
}
|
||||
```
|
||||
|
||||
Use `kit/http/gzip.conf` when you want nginx to compress common text-based responses. It is not specific to proxying or websocket traffic.
|
||||
|
||||
```nginx
|
||||
http {
|
||||
include kit/http/websocket-map.conf;
|
||||
}
|
||||
```
|
||||
|
||||
Use `kit/http/websocket-map.conf` only when a `location {}` will include `kit/proxy_pass/websocket.conf`.
|
||||
|
||||
### Reverse proxy
|
||||
|
||||
Plain HTTP reverse proxying only needs the `location {}`-level proxy snippets:
|
||||
|
||||
```nginx
|
||||
server {
|
||||
# ...
|
||||
location / {
|
||||
include kit/proxy_pass/forwarded.conf;
|
||||
include kit/proxy_pass/timeout-300.conf;
|
||||
proxy_pass http://app_backend;
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
### Websocket reverse proxy
|
||||
|
||||
Websocket proxying adds one `http {}`-level dependency plus the websocket location snippet:
|
||||
|
||||
```nginx
|
||||
http {
|
||||
|
|
@ -57,12 +92,6 @@ http {
|
|||
|
||||
server {
|
||||
# ...
|
||||
location / {
|
||||
include kit/proxy_pass/forwarded.conf;
|
||||
include kit/proxy_pass/timeout-300.conf;
|
||||
proxy_pass http://app_backend;
|
||||
}
|
||||
|
||||
location /ws/ {
|
||||
include kit/proxy_pass/forwarded.conf;
|
||||
include kit/proxy_pass/websocket.conf;
|
||||
|
|
@ -101,6 +130,7 @@ server {
|
|||
|
||||
## Snippet reference
|
||||
|
||||
- `kit/http/gzip.conf`: gzip compression for common text-based responses. Must be included inside `http {}`.
|
||||
- `kit/http/websocket-map.conf`: defines `$connection_upgrade` for websocket proxying. Must be included inside `http {}`.
|
||||
- `kit/security.conf`: common security headers and host normalization. Intended for `server {}`.
|
||||
- `kit/ssl/security.conf`: TLS protocol and session resumption settings. Intended for `server {}`.
|
||||
|
|
@ -124,3 +154,9 @@ The script validates:
|
|||
|
||||
- [examples/example.com.conf](examples/example.com.conf:1) as a server-level snippet.
|
||||
- [examples/reverse-proxy.nginx.conf](examples/reverse-proxy.nginx.conf:1) as a complete nginx config.
|
||||
|
||||
## Notes
|
||||
|
||||
- `gzip_proxied` does not remove `ETag` or `Last-Modified` headers. It only controls when nginx may gzip requests that arrived through another proxy.
|
||||
- `text/html` does not need to appear in `gzip_types`; nginx compresses it automatically.
|
||||
- Gzip over HTTPS can contribute to BREACH-style risk for responses that reflect attacker-controlled input alongside secrets. Keep that in mind for highly sensitive dynamic pages.
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue