From bcb26ab103babe31fdc9fe35e0bf7f7c361c5416 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio <ozz@stacklok.com>
Date: Wed, 15 Jan 2025 07:59:36 +0200
Subject: [PATCH] Add all-in-one minimal nginx config

The nginx configuration uses a lot of defaults that work well in
server-like environments. However, this is not optimized for a local
dev-environment or single-container as codegate is meant to run.

The nginx server spawns several processes which mostly remain idle. This
is wasteful and it is taking over resources that could be used for
something else. The intention of this new configuration is to minimize
footprint.

Signed-off-by: Juan Antonio Osorio <ozz@stacklok.com>
---
 Dockerfile |  2 +-
 nginx.conf | 78 +++++++++++++++++++++++++++++++++++++++++++-----------
 2 files changed, 63 insertions(+), 17 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 8983fc08..761cbdfa 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -78,7 +78,7 @@ RUN chown -R codegate /var/lib/nginx && \
     chown -R codegate /var/log/nginx && \
     chown -R codegate /run
 
-COPY nginx.conf /etc/nginx/conf.d/default.conf
+COPY nginx.conf /etc/nginx/nginx.conf
 
 # Remove include /etc/nginx/sites-enabled/*; from the default nginx.conf
 # This way we don't introduce unnecessary configurations nor serve
diff --git a/nginx.conf b/nginx.conf
index b46e56e9..87259672 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -1,22 +1,68 @@
-server {
-  listen 9090;
+worker_processes 1;
+pid /run/nginx.pid;
+error_log /var/log/nginx/error.log;
+include /etc/nginx/modules-enabled/*.conf;
 
-  server_name localhost;
+events {
+	worker_connections 128;
+}
+
+http {
+
+	##
+	# Basic Settings
+	##
+
+	sendfile on;
+	tcp_nopush on;
+	types_hash_max_size 2048;
+
+	##
+	# Disable unnecessary features
+	##
+
+	server_tokens off;
+	autoindex off;
+
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+
+	##
+	# Logging Settings
+	##
+
+	access_log off;
+	error_log /var/log/nginx/error.log;
+
+	##
+	# Gzip Settings
+	##
+
+	gzip on;
+
+	server {
+		listen 9090;
+
+		server_name localhost;
 
-  root /var/www/html;
-  index index.html;
+		add_header X-Frame-Options SAMEORIGIN;
+		add_header X-Content-Type-Options nosniff;
+		add_header X-XSS-Protection "1; mode=block";
 
-  location / {
-    try_files $uri /index.html =404;
-  }
+		root /var/www/html;
+		index index.html;
 
-  # Serve certificates from /app/codegate_volume/certs at /certificates
-  location /certificates/codegate_ca.crt {
-      alias /app/codegate_volume/certs/ca.crt;
-      types { application/x-x509-ca-cert crt; }
-      default_type application/x-x509-ca-cert;
-  }
+		location / {
+			try_files $uri /index.html =404;
+			expires 1h; # Cache files for 1 hour
+			add_header Cache-Control "public, max-age=3600";
+		}
 
-  error_log /var/log/nginx/error.log;
-  access_log /var/log/nginx/access.log;
+		# Serve certificates from /app/codegate_volume/certs at /certificates
+		location /certificates/codegate_ca.crt {
+			alias /app/codegate_volume/certs/ca.crt;
+			types { application/x-x509-ca-cert crt; }
+			default_type application/x-x509-ca-cert;
+		}
+	}
 }