nginx.conf

worker_processes 1;

events {
    worker_connections 1024;
}

http {
    # per far funzionare i mimetypes, altrimenti al browser arriva tutto in text/plain
    include mime.types;
    sendfile on;

    upstream node-app {
        ip_hash; # per mantenere la sessione dell'utente, un ip in ingresso viene portato sempre allo stesso server di upstream
        server node1:3000;
        server node2:3000;
        server node3:3000;
    }

    server {
        listen 80;
        listen [::]:80;

        # redireziona tutto il traffico HTTP verso HTTPS
        location / {
            return 301 https://$host$request_uri;
        }
    }

    server {
        # usiamo http2 e ssl
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name localhost;

        # certificato e chiave privata
        ssl_certificate /etc/nginx/certs/cert.pem;
        ssl_certificate_key /etc/nginx/certs/key.pem;

        # scambio dei parametri con DH
        ssl_dhparam /etc/nginx/certs/dhparam.pem;

        # parametri aggiuntivi per la sessione SSL (consigliati da Mozilla)
        ssl_session_timeout 1d;
        ssl_session_cache shared:MozSSL:10m;
        ssl_session_tickets off;

        # definizione protocolli e algoritmi accettati
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers off;

        # HTTP Strict Transport Security (HSTS), obbliga i client a usare HTTPS
        add_header Strict-Transport-Security "max-age=63072000" always;

        location / {
            root /var/www/html/static;
            try_files $uri @backend; # instead of 404, proxy back to express using a named location block;
        }

        location @backend {
            # Per impostare la sessione sono necessari questi header, visto che l'app node parla HTTP
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Host $http_host;
            proxy_set_header X-NginX-Proxy true;

            # Supporto websocket
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";

            proxy_pass http://node-app;
            proxy_redirect off;
        }
    }
}