Merge pull request #1 from SamWanekeya/develop

Develop

Author: SamWanekeya

.env.example

@@ -0,0 +1,2 @@
+#Node environment
+REACT_APP_NODE_ENV="production"

README.md

@@ -2,6 +2,7 @@
 
 ### Running the project
 1. Run `git clone https://github.com/SamWanekeya/dockerizing-react-js-with-nginx-and-self-signed-ssl-certificate.git .`
+2. Be sure to replace `samwanekeya.com` domain with your own domain
 4. Run `sh frontend_deploy.sh` from the project root folder to build the images and run the containers
 5. Run `sh frontend_destroy.sh` from the project root folder to destroy the running containers
 6. Test it out at [https://localhost](https://localhost). No mounted folders. To apply changes, the image must be re-built.

docker/Dockerfile

@@ -14,12 +14,12 @@ RUN yarn install --silent --non-interactive --frozen-lockfile --ignore-optional
 COPY . .
 RUN PUBLIC_URL=/ yarn run build
 
-FROM nginx:1.17.9-alpine as app
+FROM nginx:1.18.0-alpine as app
 
 # Add bash
 RUN apk add --no-cache bash
 
-FROM debian:10.3-slim
+FROM debian:10.4-slim
 
 RUN apt-get update \
     && apt-get install -y nginx openssl \

docker/nginx.conf

@@ -2,25 +2,45 @@
 
 # This value auto allows binding worker processes automatically to available CPU
 worker_processes auto;
-#worker_cpu_affinity auto;
+# Allows binding worker processes automatically to available CPUs
+worker_cpu_affinity auto;
+# The number of simultaneous connections is limited by the number of file descriptors available on the system as each socket will open a file descriptor. If NGINX tries to open more sockets than the available file descriptors, it will lead to the Too many opened files message in the error.log.
+worker_rlimit_nofile 65535;
 
 # logging
+error_log  /var/log/nginx/error.log;
 error_log /var/log/nginx/error.log warn;
+error_log  /var/log/nginx/error.log  notice;
+error_log  /var/log/nginx/error.log  info;
 
 pid        /var/run/nginx.pid;
 
 
 events {
-    multi_accept on;
+    # The maximum number of connections that each worker process can handle simultaneously. The default is 512, but most systems have enough resources to support a larger number. The appropriate setting depends on the size of the server and the nature of the traffic, and can be discovered through testing.
     worker_connections 65535;
+    # This directive allows a worker to accept many connections in the queue at a time. A queue in this context simply means a sequence of data objects waiting to be processed.
+    multi_accept        on;
+    # With this directive worker processes will accept new connections by turn. Otherwise, all worker processes will be notified about new connections, and if volume of new connections is low, some of the worker processes may just waste system resources.
+    accept_mutex        on;
+    # This directive determines how long a worker should wait before accepting a new connection. Once the accept_mutex is turned on, a mutex lock is assigned to a worker for a timeframe specified by the accept_mutex_delay . When the timeframe is up, the next worker in line is ready to accept new connections.
+    accept_mutex_delay  200ms;
+    # This directive specifies the method to process a connection from the client. We decided to set the value to epoll because we are working on a Ubuntu platform. The epoll method is the most effective processing method for Linux platforms.
+    use                 epoll;
+    # This specifies the number of events that NGINX will pass to the kernel.
+    epoll_events        1024;
 }
 
 http {
+    # To support larger number of server names that are defined
+    server_names_hash_bucket_size  64;
+    # Sets the bucket size for the server names hash tables. The default value depends on the size of the processor’s cache line.
+    server_names_hash_max_size 512;
     # redirect all http traffic to https
     server {
         listen 80 default_server;
         listen [::]:80 default_server ipv6only=on;
-        server_name _;
+        server_name samwanekeya.com;
         root /usr/share/nginx/html;
         index index.html index.htm index.nginx-debian.html;
         return 301 https://$host$request_uri;
@@ -29,35 +49,42 @@ http {
     server {
         listen 443 ssl;
         listen [::]:443 ssl ipv6only=on;
-        server_name _;
+        server_name samwanekeya.com;
         # MIME
         include /etc/nginx/mime.types;
         default_type application/octet-stream;
-        # Display nginx Version number in error or http header may result in hacker to search for known vulnerability.
-        # Therefore, the version number should be removed for every http response.
+        # Display nginx Version number in error or http header may result in hacker to search for known vulnerability. Therefore, the version number should be removed for every http response.
         server_tokens "off";
-        charset utf-8;
-        sendfile on;
-        tcp_nopush on;
+        #charset utf-8;
+        # This directive, by default, is disabled to allow small packets to wait for a specified period before they are sent at once. To allow all data to be sent at once, this directive is enabled.
         tcp_nodelay on;
-        #Defines a timeout for reading client request body. The timeout is set only for a period between two successive read operations, not for the transmission of the whole request body. If a client does not transmit anything within this time, the 408 (Request Time-out) error is returned to the client.
+        #  Because we have enabled tcp_nodelay directive, small packets are sent at once. However, if you still want to make use of John Nagle’s buffering algorithm, we can also enable the tcp_nopush to add packets to each other and send them all at once.
+        tcp_nopush on;
+        # Defines a timeout for reading client request body. The timeout is set only for a period between two successive read operations, not for the transmission of the whole request body. If a client does not transmit anything within this time, the 408 (Request Time-out) error is returned to the client.
         client_body_timeout 12;
-        #Defines a timeout for reading client request header. If a client does not transmit the entire header within this time, the 408 (Request Time-out) error is returned to the client.
+        # Defines a timeout for reading client request header. If a client does not transmit the entire header within this time, the 408 (Request Time-out) error is returned to the client.
         client_header_timeout 12;
-        #The first parameter sets a timeout during which a keep-alive client connection will stay open on the server side. The zero value disables keep-alive client connections. The optional second parameter sets a value in the “Keep-Alive: timeout=time” response header field. Two parameters may differ. The “Keep-Alive: timeout=time” header field is recognized by Mozilla and Konqueror. MSIE closes keep-alive connections by itself in about 60 seconds.
-        keepalive_timeout 15;
-        #Sets a timeout for transmitting a response to the client. The timeout is set only between two successive write operations, not for the transmission of the whole response. If the client does not receive anything within this time, the connection is closed.
-        send_timeout 10;
-        #Size Limits & Buffer Overflows
-        client_body_buffer_size 10K;
+        # This directive sets the buffer size for the request body. If you plan to run the webserver on 64-bit systems, you need to set the value to 16k. If you want to run the webserver on the 32-bit system, set the value to 8k.
+        client_body_buffer_size 16K;
+        # Similar to the previous directive, only instead it handles the client header size. For all intents and purposes, 1K is usually a decent size for this directive not unless you're sending mayopic stuff via header i.e permissions.
         client_header_buffer_size 1k;
+        # The maximum number and size of buffers for large client headers.
         large_client_header_buffers 2 1k;
-        types_hash_max_size 2048;
-        client_max_body_size 16M;
-
+        # The maximum allowed size for a client request. If the maximum size is exceeded, then Nginx will spit out a 413 error or Request Entity Too Large.
+        client_max_body_size 64M;
+        # Defines the maximum size of an entry in the MIME types hash tables.
+        types_hash_max_size 4096;
+        # The first parameter sets a timeout during which a keep-alive client connection will stay open on the server side. The zero value disables keep-alive client connections. The optional second parameter sets a value in the “Keep-Alive: timeout=time” response header field. Two parameters may differ. The “Keep-Alive: timeout=time” header field is recognized by Mozilla and Konqueror. The default is 75 seconds.
+        keepalive_timeout 120s;
+        # Configure a number of requests to keep alive for a specific period of time.  You can set the number of requests to 20 or 30.
+        keepalive_requests 120;
+        # if you want to disable keepalive connection for a specific group of browsers, use this directive.
+        #keepalive_disable;
+        #Sets a timeout for transmitting a response to the client. The timeout is set only between two successive write operations, not for the transmission of the whole response. If the client does not receive anything within this time, the connection is closed.
+        send_timeout 75s;
+        # TLS certificate and key
         ssl_certificate           /etc/ssl/certs/nginx-selfsigned.crt;
         ssl_certificate_key       /etc/ssl/private/nginx-selfsigned.key;
-
         # enable session resumption to improve https performance
         # http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
         ssl_session_cache shared:SSL:10m;
@@ -66,7 +93,6 @@ http {
         # generated using:# openssl dhparam -dsaparam -out /etc/ssl/dh4096.pem 4096
         ssl_ecdh_curve secp384r1;
         ssl_session_tickets off;
-
         # enables server-side protection from BEAST attacks
         # http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
         ssl_prefer_server_ciphers on;
@@ -76,7 +102,6 @@ http {
         # http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
         # Disabled insecure ciphers suite. For example, MD5, DES, RC4, PSK
         ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:@STRENGTH";
-
         # -!MEDIUM：exclude encryption cipher suites using 128 bit encryption.
         # -!LOW：   exclude encryption cipher suites using 64 or 56 bit encryption algorithms
         # -!EXPORT： exclude export encryption algorithms including 40 and 56 bits algorithms.
@@ -85,7 +110,6 @@ http {
         # -!eNULL：exclude the "NULL" ciphers that is those offering no encryption.
         # Because these offer no encryption at all and are a security risk they are disabled unless explicitly included.
         # @STRENGTH：sort the current cipher list in order of encryption algorithm key length.
-
         # enable ocsp stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner)
         # http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
         #Cloudflare resolver 1dot1dot1dot1.cloudflare-dns.com

docker/nginxconfig/general.conf

@@ -2,24 +2,47 @@
 location = /public/favicon.ico {
 	log_not_found off;
 	access_log off;
+	error_log off;
 }
 
-# assets, media, allow safe files
+# Disable directory listing
+location / {
+	autoindex  off;
+}
+
+# assets, media, and Static File Caching while allowing safe files
 location ~* \.(?:css(\.map)?|js(\.map)?|ttf|ttc|otf|eot|woff2?|svgz?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv|pdf|docx?|dotx?|docm|dotm|xlsx?|xltx?|xlsm|xltm|pptx?|potx?|pptm|potm|ppsx?)$ {
 	add_header Access-Control-Allow-Origin "*";
 	add_header Cache-Control "public";
-	expires 30d;
-	access_log off;
+	expires 365d;
+	# Nginx logs every request that hits the server to a log file. If you use analytics to monitor this, you may want to turn this functionality off. Simply edit the access_log directive:
+	access_log on;
 }
 
 # deny access to .htaccess files
 location ~ /\.ht {
 	deny  all;
+	error_log off;
+	log_not_found off;
 }
 
 # Deny access to hidden files (beginning with a period)
 location ~ /\. {
 	deny all;
+	error_log off;
+	log_not_found off;
+}
+
+
+location /video/ {
+	# To utilize operating system resources, set the value of this directive to on. sendfile transfers data between file descriptors within the OS kernel space without sending it to the application buffers. This directive will be used to serve small files.
+	sendfile       on;
+	# This directive enables multi-threading when set to on for write and read operation. Multi-threading is an execution model that allows multiple threads to execute separately from each other whilst sharing their hosting process resources.
+	aio            threads;
+	# This directive improves cache effectiveness by allowing read and write to be sent directly to the application.  directio is a filesystem feature of every modern operating system. This directive will be used to serve larger files like videos.
+	directio       8m;
+	# This directive assigns a block size value to the data transfer. It related to the directio  directive.
+	directio_alignment 1024;
 }
 
 # define error pages
@@ -46,4 +69,31 @@ if ($request_method !~ ^(GET|PUT|POST)$ ) {
 if ($host !~ ^(samwanekeya.com|localhost)$ ) {
 	return 444;
 }
-##
+
+#Gzip can help reduce the amount of network transfer Nginx deals with. However, be careful increasing the gzip_comp_level too high as the server will begin wasting cpu cycles.
+#For those using Cloudflare as their CDN this is already taken care of - https://support.cloudflare.com/hc/en-us/articles/200168086-Does-Cloudflare-compress-resources-
+
+#If you want to enable compression, set the value of this directive to on. By default, it is disabled.
+#gzip             on;
+# You can make use of this directive to set the compression level. In order not to waste CPU resources, you need not set the compression level too high. Between 1 and 9, you can set the compression level to 2 or 3.
+#gzip_comp_level  2;
+# Set the minimum response length for compression via the content-length response header field. You can set it to more than 20 bytes.
+#gzip_min_length  1000;
+#gzip_proxied     expired no-cache no-store private auth;
+# This directive allows you to choose the response type you want to compress. By default, the response type text/html is always compressed. You can add other response type such as text/plain application/x-javascript text/xml as shown in the code above.
+#gzip_types       text/plain application/x-javascript text/xml text/css application/xml;
+# This directive allows you to choose the minimum HTTP version of a request for a compressed response. You can make use of the default value which is 1.1.
+#gzip_http_version 1.1;
+# When gzip directive is enabled, this directive add the header field Vary:Accept Encoding  to the response.
+#gzip_vary  on;
+# Some browsers such as Internet Explorer 6 do not have support for gzip compression. This directive make use of User-Agent request header field to disable compression for certain browsers.
+#gzip_disable "MSIE [4-6] \.";
+
+# This directive is disabled by default. Enable it if you want implement caching in Nginx. This directive stores metadata of files and directories commonly requested by users.
+open_file_cache max=1000 inactive=30s;
+# This directive contains backup information inside the open_file_cache directive. You can use this directive to set a valid period usually in seconds after which the information related to files and directories is re-validated again.
+open_file_cache_valid 30s;
+# Nginx usually clear information inside the open_file_cache directive after a period of inactivity based on the open_file_cache_min_uses. You can use this directive to set a minimum number of access to identify which files and directories are actively accessed.
+open_file_cache_min_uses 4;
+# You can make use of this directive to allow Nginx to cache errors  such as “permission denied” or “can’t access this file” when files are accessed. So anytime a resource is accessed by a user who does not have the right to do so, Nginx displays the same error report “permission denied”.
+open_file_cache_errors on;

docker/nginxconfig/security.conf

@@ -28,4 +28,6 @@ add_header Referrer-Policy "no-referrer-when-downgrade";
 # more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
 # add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'";
 #For Clouflare users comment this out as it's handle from the admin UI
-add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+# Prevent search engine indexing
+#add_header  X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";