UNPKG

@idealyst/cli

Version:

CLI tool for generating Idealyst Framework projects

IdealystIO/idealyst-framework

239 lines (206 loc) 8.42 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
events { worker_connections 2048; use epoll; multi_accept on; } http { include /etc/nginx/mime.types; default_type application/octet-stream; # Logging log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for" ' '$request_time $upstream_response_time'; access_log /var/log/nginx/access.log main; error_log /var/log/nginx/error.log warn; # Performance settings sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 65; keepalive_requests 100; types_hash_max_size 2048; server_tokens off; client_max_body_size 50M; client_body_buffer_size 128k; client_header_buffer_size 3m; large_client_header_buffers 4 256k; # SSL Configuration ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384; ssl_prefer_server_ciphers off; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; # Gzip compression gzip on; gzip_vary on; gzip_min_length 1024; gzip_comp_level 6; gzip_proxied any; gzip_types application/atom+xml application/geo+json application/javascript application/x-javascript application/json application/ld+json application/manifest+json application/rdf+xml application/rss+xml application/xhtml+xml application/xml font/eot font/otf font/ttf image/svg+xml text/css text/javascript text/plain text/xml; # Rate limiting zones limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s; limit_req_zone $binary_remote_addr zone=web:10m rate=50r/s; limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m; # Connection limiting limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m; limit_conn conn_limit_per_ip 20; # Upstream servers with load balancing upstream api_backend { least_conn; server {{PROJECT_NAME}}-api-1:3000 max_fails=3 fail_timeout=30s weight=1; server {{PROJECT_NAME}}-api-2:3000 max_fails=3 fail_timeout=30s weight=1; keepalive 32; } upstream web_backend { least_conn; server {{PROJECT_NAME}}-web-1:80 max_fails=3 fail_timeout=30s weight=1; server {{PROJECT_NAME}}-web-2:80 max_fails=3 fail_timeout=30s weight=1; keepalive 32; } # Cache zones proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=api_cache:10m max_size=1g inactive=60m use_temp_path=off; proxy_cache_path /var/cache/nginx/static levels=1:2 keys_zone=static_cache:10m max_size=1g inactive=24h use_temp_path=off; # Redirect HTTP to HTTPS server { listen 80; server_name {{DOMAIN_NAME}}; return 301 https://$server_name$request_uri; } # Main HTTPS server server { listen 443 ssl http2; server_name {{DOMAIN_NAME}}; # SSL certificates ssl_certificate /etc/nginx/ssl/cert.pem; ssl_certificate_key /etc/nginx/ssl/key.pem; # Security headers add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self' wss:; frame-ancestors 'self';" always; # API routes location /api/ { limit_req zone=api burst=20 nodelay; # Caching for GET requests proxy_cache api_cache; proxy_cache_valid 200 302 10m; proxy_cache_valid 404 1m; proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; proxy_cache_lock on; proxy_cache_bypass $http_cache_control; proxy_pass http://api_backend/; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_cache_bypass $http_upgrade; proxy_connect_timeout 30s; proxy_send_timeout 30s; proxy_read_timeout 30s; proxy_buffering on; proxy_buffer_size 4k; proxy_buffers 8 4k; } # Health checks location /api/health { proxy_pass http://api_backend/health; access_log off; proxy_cache off; } # Authentication endpoints (stricter rate limiting) location ~ ^/api/(auth|login|register|password) { limit_req zone=login burst=5 nodelay; proxy_pass http://api_backend; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_cache off; } # Static assets with aggressive caching location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|webp|woff|woff2|ttf|eot|pdf)$ { limit_req zone=web burst=100 nodelay; proxy_cache static_cache; proxy_cache_valid 200 1y; proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; proxy_pass http://web_backend; expires 1y; add_header Cache-Control "public, immutable"; add_header X-Content-Type-Options "nosniff"; # CORS headers for fonts and assets add_header Access-Control-Allow-Origin "*"; add_header Access-Control-Allow-Methods "GET, OPTIONS"; add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range"; } # Web application with caching location / { limit_req zone=web burst=50 nodelay; # Short cache for HTML files proxy_cache static_cache; proxy_cache_valid 200 10m; proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; proxy_cache_bypass $http_cache_control; proxy_pass http://web_backend; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_cache_bypass $http_upgrade; # Handle client-side routing try_files $uri $uri/ @fallback; } # Fallback for client-side routing location @fallback { proxy_pass http://web_backend; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_cache off; } # Monitoring endpoint location /nginx_status { stub_status on; access_log off; allow 127.0.0.1; allow 10.0.0.0/8; allow 172.16.0.0/12; allow 192.168.0.0/16; deny all; } # Health check endpoint location /health { access_log off; return 200 "healthy\n"; add_header Content-Type text/plain; } } }