Refactor Nginx configuration for improved performance and security

nginx.conf

@@ -1,31 +1,95 @@
-worker_processes 1;
+#------------------------------------------------------------------
+# Global Settings
+#------------------------------------------------------------------
+worker_processes auto;
+worker_rlimit_nofile 100000;
 
-events { worker_connections 1024; }
+events {
+    worker_connections 4096;
+    multi_accept on;
+}
 
 http {
-  include       mime.types;
-  default_type  application/octet-stream;
-  sendfile       on;
-  keepalive_timeout 65;
+    # Basic includes
+    include       /opt/bitnami/nginx/conf/mime.types;
+    default_type  application/octet-stream;
 
-  server {
-    listen       7860;
-    server_name  localhost;
+    # I/O optimizations
+    sendfile        on;
+    tcp_nopush      on;
+    tcp_nodelay     on;
+    keepalive_timeout 65;
 
-    root   /usr/share/nginx/html;
-    index  index.html;
+    # Caching open file descriptors
+    open_file_cache          max=1000 inactive=20s;
+    open_file_cache_valid    30s;
+    open_file_cache_min_uses 2;
+    open_file_cache_errors   off;
 
-    # Serve files, fallback to index.html for client‑side routing
-    location / {
-      try_files $uri $uri/ /index.html;
-    }
+    # Hide Nginx version
+    server_tokens off;
+
+    #------------------------------------------------------------------
+    # Gzip Compression
+    #------------------------------------------------------------------
+    gzip               on;
+    gzip_disable       "msie6";
+    gzip_vary          on;
+    gzip_proxied       any;
+    gzip_comp_level    5;
+    gzip_buffers       16 8k;
+    gzip_http_version  1.1;
+    gzip_types
+        text/plain
+        text/css
+        application/json
+        application/javascript
+        text/xml
+        application/xml
+        application/xml+rss
+        text/javascript;
+
+    # (If your image supports Brotli, you could also enable it here)
+
+    #------------------------------------------------------------------
+    # Server Block
+    #------------------------------------------------------------------
+    server {
+        listen       7860;
+        listen       [::]:7860;
+        server_name  localhost;
+
+        root   /usr/share/nginx/html;
+        index  index.html;
+
+        # Security headers
+        add_header X-Frame-Options       "SAMEORIGIN";
+        add_header X-Content-Type-Options "nosniff";
+        add_header X-XSS-Protection      "1; mode=block";
+        add_header Referrer-Policy       "no-referrer-when-downgrade";
+        # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+
+        # SPA routing: try file, dir, then fallback to index.html
+        location / {
+            try_files $uri $uri/ /index.html;
+        }
+
+        # Static assets: long cache + no logs
+        location ~* \.(?:css|js|json|txt|xml|woff2?|ttf|eot)$ {
+            access_log off;
+            log_not_found off;
+            expires 30d;
+            add_header Cache-Control "public, no-transform";
+        }
+
+        location ~* \.(?:png|jpe?g|gif|ico|svg)$ {
+            access_log off;
+            log_not_found off;
+            expires 30d;
+            add_header Cache-Control "public, no-transform";
+        }
 
-    # Optional: caching static assets
-    location ~* \.(js|css|png|jpg|jpeg|gif|svg|ico)$ {
-      expires 30d;
-      add_header Cache-Control "public";
+        # Fallback 404s to index for client‑side routing
+        error_page 404 /index.html;
     }
-  }
 }
-    
-