{ pkgs }: let backend = "localhost:9090"; socketio = "0.0.0.0:9000"; frappe_site_name_header = "localhost"; upstream_real_ip_address = "127.0.0.1"; upstream_real_ip_header = "X-Forwarded-For"; upstream_real_ip_recursive = "off"; client_max_body_size = "50m"; proxy_read_timeout = "120"; in pkgs.writeText "erpnext.conf" '' user nginx; worker_processes auto; error_log /tmp/erpnext/logs/nginx/error.log notice; pid /tmp/erpnext/nginx.pid; events { worker_connections 1024; } http { include ${pkgs.nginx}/conf/mime.types; default_type application/octet-stream; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /tmp/erpnext/logs/nginx/access.log main; sendfile on; #tcp_nopush on; keepalive_timeout 65; #gzip on; upstream backend-server { server ${backend} fail_timeout=0; } upstream socketio-server { server ${socketio} fail_timeout=0; } # Parse the X-Forwarded-Proto header - if set - defaulting to $scheme. map $http_x_forwarded_proto $proxy_x_forwarded_proto { default $scheme; https https; } server { listen 8080; server_name ${frappe_site_name_header}; root /tmp/erpnext/sites; proxy_buffer_size 128k; proxy_buffers 4 256k; proxy_busy_buffers_size 256k; add_header X-Frame-Options "SAMEORIGIN"; add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; add_header Referrer-Policy "same-origin, strict-origin-when-cross-origin"; set_real_ip_from ${upstream_real_ip_address}; real_ip_header ${upstream_real_ip_header}; real_ip_recursive ${upstream_real_ip_recursive}; location /assets { try_files $uri =404; } location ~ ^/protected/(.*) { internal; try_files /${frappe_site_name_header}/$1 =404; } location /socket.io { proxy_http_version 1.1; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header X-Frappe-Site-Name ${frappe_site_name_header}; proxy_set_header Origin $scheme://${frappe_site_name_header}; proxy_set_header Host $host; proxy_pass http://socketio-server; } location / { rewrite ^(.+)/$ $proxy_x_forwarded_proto://${frappe_site_name_header}$1 permanent; rewrite ^(.+)/index\.html$ $proxy_x_forwarded_proto://${frappe_site_name_header}$1 permanent; rewrite ^(.+)\.html$ $proxy_x_forwarded_proto://${frappe_site_name_header}$1 permanent; location ~ ^/files/.*.(htm|html|svg|xml) { add_header Content-disposition "attachment"; try_files /${frappe_site_name_header}/public/$uri @webserver; } try_files /${frappe_site_name_header}/public/$uri @webserver; } location @webserver { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto; proxy_set_header X-Frappe-Site-Name ${frappe_site_name_header}; proxy_set_header Host $host; proxy_set_header X-Use-X-Accel-Redirect True; proxy_read_timeout ${proxy_read_timeout}; proxy_redirect off; proxy_pass http://backend-server; } # optimizations sendfile on; keepalive_timeout 15; client_max_body_size ${client_max_body_size}; client_body_buffer_size 16K; client_header_buffer_size 1k; # enable gzip compression # based on https://mattstauffer.co/blog/enabling-gzip-on-nginx-servers-including-laravel-forge gzip on; gzip_http_version 1.1; gzip_comp_level 5; gzip_min_length 256; gzip_proxied any; gzip_vary on; gzip_types application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/font-woff application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component; # text/html is always compressed by HttpGzipModule } } ''