impress/deploy/files/sites-available/impress.conf
Emi Matchu e9b0fa0779 Future-proof our nginx config for IPv6
Today I learned that nginx requires a special invocation to listen to
IPv6 addresses as well as IPv4. On some of my other projects, this was
causing Let's Encrypt certificate renewal to fail, because Let's
Encrypt prefers to connect over IPv6 when an AAAA record is present, so
its challenges were always returning 404, because nginx wasn't
listening on IPv6.

This shouldn't be affecting impress in production, because we don't
have an AAAA record right now. But I'm just making this change in all
my projects, to make sure this doesn't bite me in the future!
2024-02-13 08:52:45 -08:00

46 lines
No EOL
1.4 KiB
Text

server {
server_name {{ impress_hostname }};
listen 80;
listen [::]:80;
if ($host = {{ impress_hostname }}) {
return 301 https://$host$request_uri;
}
}
server {
server_name {{ impress_hostname }};
listen 443 ssl;
listen [::]:443 ssl;
ssl_certificate /etc/letsencrypt/live/{{ impress_hostname }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ impress_hostname }}/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_session_cache shared:SSL:10m; # https://superuser.com/q/1484466/14127
root /srv/impress/current/public;
# Serve assets using their precompressed *.gz versions.
# The filenames contain content hashes, so they should be safe to
# cache forever.
# https://stackoverflow.com/a/6952804/107415
location ~ ^/assets/ {
gzip_static on;
expires max;
add_header Cache-Control public;
add_header Last-Modified "";
add_header ETag "";
}
# Try serving static files first. If not found, fall back to the app.
try_files $uri/index.html $uri @app;
location @app {
proxy_pass http://127.0.0.1:3000;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header Host $http_host;
proxy_redirect off;
}
}