nginx is the most popular reverse proxy. Here are 10 configuration hacks for both performance and security.
1. Gzip
gzip on;
gzip_vary on;
gzip_min_length 1024;
gzip_types text/plain text/css application/json application/javascript;
2. Security headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Strict-Transport-Security "max-age=31536000" always;
3. Rate limiting
limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
location /api/ { limit_req zone=api burst=20 nodelay; }
4. Caching static files
location ~* \.(jpg|png|css|js|woff2)$ { expires 1y; add_header Cache-Control "public, immutable"; }
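nginx inherits add_header directives from the enclosing level only when the current level defines none of its own, so a location that sets Cache-Control, like the one above, stops sending the security headers from hack 2 if those are set at server level. The following Python check is an added example, not part of the original article: it flags such blocks in a constructed sample config, and its simplified tokenizer and the names dropped_headers and effective are illustrative assumptions.

```python
import re

# Constructed sample: hack 2's headers at server level plus hack 4's static-file location.
SAMPLE_CONF = r'''
server {
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Strict-Transport-Security "max-age=31536000" always;
    location /api/ { limit_req zone=api burst=20 nodelay; }
    location ~* \.(jpg|png|css|js|woff2)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
    }
}
'''
# Quoted strings, structural characters, or bare words (a simplification of nginx's lexer).
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|[{};]|[^\s{};"\']+')

def effective(block):
    """Headers nginx emits for a block: its own add_header set, else the nearest ancestor's."""
    while block is not None and not block["own"]:
        block = block["parent"]
    return block["own"] if block else set()

def dropped_headers(conf):
    """Return (block name, sorted lost headers) for blocks whose add_header hides inherited ones."""
    conf = re.sub(r'#[^\n]*', '', conf)  # naive comment strip; assumes no '#' inside values
    root = {"name": "main", "own": set(), "parent": None}
    blocks, current, stmt = [root], root, []
    for tok in TOKEN.findall(conf):
        if tok == ';':
            if len(stmt) >= 3 and stmt[0] == 'add_header':
                current["own"].add(stmt[1].strip('"\'').lower())
            stmt = []
        elif tok == '{':
            current = {"name": " ".join(stmt), "own": set(), "parent": current}
            blocks.append(current)
            stmt = []
        elif tok == '}':
            current = current["parent"] or root
        else:
            stmt.append(tok)
    findings = []
    for b in blocks:
        if b["own"] and b["parent"] is not None:
            lost = effective(b["parent"]) - b["own"]
            if lost:
                findings.append((b["name"], sorted(lost)))
    return findings
```

Repeating the three security headers inside the flagged location, or moving them into a file that every such block includes, clears the finding.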
5. WebSocket proxy
location /ws/ {
proxy_pass http://backend:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
6. Load balancing
upstream backend { least_conn; server 10.0.0.1:3000; server 10.0.0.2:3000; }
7. Custom error pages
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
8. Blocking bots
if ($http_user_agent ~* (SemrushBot|AhrefsBot)) { return 403; }
9. SSL optimization
ssl_protocols TLSv1.2 TLSv1.3;
ssl_session_cache shared:SSL:10m;
ssl_stapling on;
10. Testing the configuration
nginx -t
nginx -s reload
Tip
Always run nginx -t before reloading. A single syntax error can take down the server.