nginx.sample.conf
# Nginx configuration for Node.js API with Kubernetes deployment
# Optimized for Docker containers and cloud-native architecture
# Upstream configuration for API backend
# In Kubernetes, this will typically be a Service name
upstream api_backend {
    # For Docker Compose: use service name 'api'
    # For Kubernetes: use service DNS name (e.g., node-api-service:3015)
    # For local testing without Docker: use 127.0.0.1:3015
    # NOTE(review): with a single server in the group nginx ignores
    # max_fails/fail_timeout and never marks the server unavailable; the
    # parameters only take effect once a second server is listed.
    server api:3015 max_fails=3 fail_timeout=30s;
    # Keepalive connections to backend
    # NOTE(review): the idle pool is only used by locations that set
    # 'proxy_http_version 1.1;' and 'proxy_set_header Connection "";' —
    # confirm /etc/nginx/conf.d/proxy_params.conf does so, otherwise every
    # request still opens a fresh upstream connection.
    keepalive 32;
    keepalive_timeout 60s;
    keepalive_requests 100;
}
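# Rate limiting zone - protects against DDoS and brute force
# 10MB zone can hold ~160k IP addresses
# Both zones are keyed on the client address. Behind a Kubernetes
# Service/Ingress or any other load balancer $binary_remote_addr is the
# balancer's address, so every client shares one bucket; restore the real
# client address first with set_real_ip_from / real_ip_header
# (ngx_http_realip_module) and only trust the balancer's own ranges.
# The zones are only enforced in locations that apply limit_req / limit_conn.
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=100r/s;
limit_req_status 429;
# Connection limiting per IP
limit_conn_zone $binary_remote_addr zone=conn_limit:10m;
# Report connection-limit rejections the same way as rate-limit rejections
# (nginx's default for limit_conn is 503, which clients would read as an outage).
limit_conn_status 429;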
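# HTTP server - redirect to HTTPS in production
server {
    listen 80;
    listen [::]:80;
    server_name api.yourdomain.com;

    # Health check endpoint (for Kubernetes liveness/readiness probes)
    # Answered by nginx itself without contacting the backend, so it reports
    # nginx liveness only; use a proxied /health (as in the HTTPS block below)
    # when the probe is meant to reflect the API's readiness.
    location /health {
        access_log off;
        # 'return' takes its Content-Type from default_type; using add_header
        # for it emits a second Content-Type header next to the default one.
        default_type text/plain;
        return 200 "healthy\n";
    }

    # Redirect all HTTP traffic to HTTPS in production
    # Uncomment in production with valid SSL certificate
    # A 'return' at server level runs before location matching, so it would
    # redirect /health probes as well; place it inside 'location /' (or
    # exclude /health) if the plain-HTTP probe must keep working.
    # return 301 https://$server_name$request_uri;

    # For local development, proxy directly
    location / {
        # Enforce the zones declared at http level — without these lines they
        # are declared but never applied. Same settings as the production
        # /api/ location in the HTTPS block.
        limit_req zone=api_limit burst=20 nodelay;
        limit_conn conn_limit 10;
        include /etc/nginx/conf.d/proxy_params.conf;
        proxy_pass http://api_backend;
    }
}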
# HTTPS server - uncomment for production
# NOTE(review): in Kubernetes TLS is usually terminated at the Ingress; when it
# is, the ssl_* directives and the add_header lines below have to live in the
# Ingress/controller configuration instead, or they never see client traffic.
# server {
#     # 'http2' as a listen parameter is deprecated since nginx 1.25.1 in favour
#     # of a separate 'http2 on;' directive; keep this form only on older builds.
#     listen 443 ssl http2;
#     listen [::]:443 ssl http2;
#     server_name api.yourdomain.com;
#
#     # SSL Configuration
#     # In Kubernetes, typically handled by Ingress Controller or cert-manager
#     ssl_certificate /etc/nginx/ssl/cert.pem;
#     ssl_certificate_key /etc/nginx/ssl/key.pem;
#     ssl_protocols TLSv1.2 TLSv1.3;
#     # NOTE(review): 'HIGH:!aNULL:!MD5' still admits non-forward-secret (RSA
#     # key exchange) and CBC suites for TLS 1.2; prefer an explicit
#     # ECDHE + AEAD (AES-GCM / CHACHA20-POLY1305) list.
#     ssl_ciphers HIGH:!aNULL:!MD5;
#     ssl_prefer_server_ciphers on;
#     ssl_session_cache shared:SSL:10m;
#     ssl_session_timeout 10m;
#
#     # HSTS (HTTP Strict Transport Security)
#     # Only meaningful on the TLS listener; never send it from the :80 server.
#     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
#
#     # Security headers
#     # NOTE(review): add_header is not inherited into a location that declares
#     # its own add_header — any location that adds a header must repeat these.
#     add_header X-Frame-Options "SAMEORIGIN" always;
#     add_header X-Content-Type-Options "nosniff" always;
#     # X-XSS-Protection is retired by current browsers; harmless, but can go.
#     add_header X-XSS-Protection "1; mode=block" always;
#     # 'no-referrer-when-downgrade' is weaker than the current browser default
#     # 'strict-origin-when-cross-origin'.
#     add_header Referrer-Policy "no-referrer-when-downgrade" always;
#
#     # Request body size limit
#     # Raises nginx's 1M default to 10M for uploads; requests above it get 413.
#     client_max_body_size 10M;
#     client_body_buffer_size 128k;
#
#     # Timeouts
#     # Short per-phase timeouts so slow-read/slow-header clients release
#     # workers quickly.
#     client_body_timeout 12s;
#     client_header_timeout 12s;
#     send_timeout 10s;
#
#     # Logging
#     access_log /var/log/nginx/api_access.log combined buffer=32k flush=5s;
#     error_log /var/log/nginx/api_error.log warn;
#
#     # Health check endpoint (no rate limiting)
#     # Unlike the plain-HTTP /health, this one reaches the backend and so
#     # reflects API readiness. It is unauthenticated and exempt from the
#     # limits, so keep the backend handler cheap.
#     location /health {
#         access_log off;
#         proxy_pass http://api_backend/health;
#         proxy_http_version 1.1;
#         proxy_set_header Connection "";
#     }
#
#     # API endpoints with rate limiting
#     location /api/ {
#         # Rate limiting: 100 requests per second, burst of 20
#         # Per-client only if $binary_remote_addr is the real client address
#         # (see the realip note at the limit_req_zone declaration).
#         limit_req zone=api_limit burst=20 nodelay;
#         limit_conn conn_limit 10;
#
#         # NOTE(review): upstream keepalive needs proxy_http_version 1.1 and an
#         # empty Connection header — confirm proxy_params.conf sets them.
#         include /etc/nginx/conf.d/proxy_params.conf;
#         proxy_pass http://api_backend;
#     }
#
#     # Swagger/OpenAPI documentation (optional rate limiting)
#     # NOTE(review): this publishes the full API description to anyone;
#     # consider restricting it in production (allow/deny, auth_basic, or not
#     # deploying it at all).
#     location /api-docs {
#         limit_req zone=api_limit burst=10 nodelay;
#
#         include /etc/nginx/conf.d/proxy_params.conf;
#         proxy_pass http://api_backend;
#     }
#
#     # WebSocket support (if needed)
#     # NOTE(review): connections here may idle for 24h and no limit_conn is
#     # applied, so one client can hold many upstream connections open;
#     # consider 'limit_conn conn_limit N;' here as well.
#     location /ws {
#         proxy_pass http://api_backend;
#         proxy_http_version 1.1;
#         proxy_set_header Upgrade $http_upgrade;
#         proxy_set_header Connection "upgrade";
#         proxy_set_header Host $host;
#         proxy_set_header X-Real-IP $remote_addr;
#         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#         proxy_set_header X-Forwarded-Proto $scheme;
#         proxy_read_timeout 86400;
#     }
#
#     # Deny access to hidden files
#     # A regex location is matched after the prefix locations above and wins,
#     # so this also covers paths such as /api/.env.
#     location ~ /\. {
#         deny all;
#         access_log off;
#         log_not_found off;
#     }
# }