2023-05-22 22:50:17 +00:00
|
|
|
{ pkgs }:
|
|
|
|
let
|
2023-05-23 00:05:33 +00:00
|
|
|
backend = "127.0.0.1:9090";
|
|
|
|
socketio = "127.0.0.1:3000";
|
2023-05-22 22:50:17 +00:00
|
|
|
frappe_site_name_header = "localhost";
|
|
|
|
upstream_real_ip_address = "127.0.0.1";
|
|
|
|
upstream_real_ip_header = "X-Forwarded-For";
|
|
|
|
upstream_real_ip_recursive = "off";
|
|
|
|
client_max_body_size = "50m";
|
|
|
|
proxy_read_timeout = "120";
|
|
|
|
in
|
|
|
|
pkgs.writeText "erpnext.conf" ''
|
|
|
|
user nginx;
|
|
|
|
worker_processes auto;
|
|
|
|
|
|
|
|
error_log /tmp/erpnext/logs/nginx/error.log notice;
|
|
|
|
pid /tmp/erpnext/nginx.pid;
|
|
|
|
|
|
|
|
|
|
|
|
events {
|
|
|
|
worker_connections 1024;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
http {
|
|
|
|
include ${pkgs.nginx}/conf/mime.types;
|
|
|
|
default_type application/octet-stream;
|
|
|
|
|
|
|
|
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
|
|
|
'$status $body_bytes_sent "$http_referer" '
|
|
|
|
'"$http_user_agent" "$http_x_forwarded_for"';
|
|
|
|
|
|
|
|
access_log /tmp/erpnext/logs/nginx/access.log main;
|
|
|
|
|
|
|
|
sendfile on;
|
|
|
|
#tcp_nopush on;
|
|
|
|
|
|
|
|
keepalive_timeout 65;
|
|
|
|
|
|
|
|
#gzip on;
|
|
|
|
|
|
|
|
upstream backend-server {
|
|
|
|
server ${backend} fail_timeout=0;
|
|
|
|
}
|
|
|
|
|
|
|
|
upstream socketio-server {
|
|
|
|
server ${socketio} fail_timeout=0;
|
|
|
|
}
|
|
|
|
|
|
|
|
# Parse the X-Forwarded-Proto header - if set - defaulting to $scheme.
|
|
|
|
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
|
|
|
|
default $scheme;
|
|
|
|
https https;
|
|
|
|
}
|
|
|
|
|
|
|
|
server {
|
2023-05-30 18:06:34 +00:00
|
|
|
listen 8081;
|
2023-05-22 22:50:17 +00:00
|
|
|
server_name ${frappe_site_name_header};
|
|
|
|
root /tmp/erpnext/sites;
|
|
|
|
|
|
|
|
proxy_buffer_size 128k;
|
|
|
|
proxy_buffers 4 256k;
|
|
|
|
proxy_busy_buffers_size 256k;
|
|
|
|
|
|
|
|
add_header X-Frame-Options "SAMEORIGIN";
|
|
|
|
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
|
|
|
|
add_header X-Content-Type-Options nosniff;
|
|
|
|
add_header X-XSS-Protection "1; mode=block";
|
|
|
|
add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin";
|
|
|
|
|
|
|
|
set_real_ip_from ${upstream_real_ip_address};
|
|
|
|
real_ip_header ${upstream_real_ip_header};
|
|
|
|
real_ip_recursive ${upstream_real_ip_recursive};
|
|
|
|
|
|
|
|
location /assets {
|
|
|
|
try_files $uri =404;
|
|
|
|
}
|
|
|
|
|
|
|
|
location ~ ^/protected/(.*) {
|
|
|
|
internal;
|
|
|
|
try_files /${frappe_site_name_header}/$1 =404;
|
|
|
|
}
|
|
|
|
|
|
|
|
location /socket.io {
|
|
|
|
proxy_http_version 1.1;
|
|
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
|
|
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
|
|
proxy_set_header Connection "upgrade";
|
|
|
|
proxy_set_header X-Frappe-Site-Name ${frappe_site_name_header};
|
|
|
|
proxy_set_header Origin $scheme://${frappe_site_name_header};
|
|
|
|
proxy_set_header Host $host;
|
|
|
|
|
|
|
|
proxy_pass http://socketio-server;
|
|
|
|
}
|
|
|
|
|
|
|
|
location / {
|
|
|
|
rewrite ^(.+)/$ $proxy_x_forwarded_proto://${frappe_site_name_header}$1 permanent;
|
|
|
|
rewrite ^(.+)/index\.html$ $proxy_x_forwarded_proto://${frappe_site_name_header}$1 permanent;
|
|
|
|
rewrite ^(.+)\.html$ $proxy_x_forwarded_proto://${frappe_site_name_header}$1 permanent;
|
|
|
|
|
|
|
|
location ~ ^/files/.*.(htm|html|svg|xml) {
|
|
|
|
add_header Content-disposition "attachment";
|
|
|
|
try_files /${frappe_site_name_header}/public/$uri @webserver;
|
|
|
|
}
|
|
|
|
|
|
|
|
try_files /${frappe_site_name_header}/public/$uri @webserver;
|
|
|
|
}
|
|
|
|
|
|
|
|
location @webserver {
|
|
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
|
|
|
|
proxy_set_header X-Frappe-Site-Name ${frappe_site_name_header};
|
|
|
|
proxy_set_header Host $host;
|
|
|
|
proxy_set_header X-Use-X-Accel-Redirect True;
|
|
|
|
proxy_read_timeout ${proxy_read_timeout};
|
|
|
|
proxy_redirect off;
|
|
|
|
|
|
|
|
proxy_pass http://backend-server;
|
|
|
|
}
|
|
|
|
|
|
|
|
# optimizations
|
|
|
|
sendfile on;
|
|
|
|
keepalive_timeout 15;
|
|
|
|
client_max_body_size ${client_max_body_size};
|
|
|
|
client_body_buffer_size 16K;
|
|
|
|
client_header_buffer_size 1k;
|
|
|
|
|
|
|
|
# enable gzip compression
|
|
|
|
# based on https://mattstauffer.co/blog/enabling-gzip-on-nginx-servers-including-laravel-forge
|
|
|
|
gzip on;
|
|
|
|
gzip_http_version 1.1;
|
|
|
|
gzip_comp_level 5;
|
|
|
|
gzip_min_length 256;
|
|
|
|
gzip_proxied any;
|
|
|
|
gzip_vary on;
|
|
|
|
gzip_types
|
|
|
|
application/atom+xml
|
|
|
|
application/javascript
|
|
|
|
application/json
|
|
|
|
application/rss+xml
|
|
|
|
application/vnd.ms-fontobject
|
|
|
|
application/x-font-ttf
|
|
|
|
application/font-woff
|
|
|
|
application/x-web-app-manifest+json
|
|
|
|
application/xhtml+xml
|
|
|
|
application/xml
|
|
|
|
font/opentype
|
|
|
|
image/svg+xml
|
|
|
|
image/x-icon
|
|
|
|
text/css
|
|
|
|
text/plain
|
|
|
|
text/x-component;
|
|
|
|
# text/html is always compressed by HttpGzipModule
|
|
|
|
}
|
|
|
|
}
|
|
|
|
''
|