From 0c109439b382455e3aaa9f25367c49c34c192cb6 Mon Sep 17 00:00:00 2001
From: Alexander Tarasov <alex.tarasov@sentry.io>
Date: Mon, 29 Apr 2024 20:05:38 +0200
Subject: [PATCH] feat: add NGINX as a reverse proxy example (#1257)

---
 src/docs/self-hosted/reverse-proxy.mdx | 57 ++++++++++++++++++++++++--
 1 file changed, 53 insertions(+), 4 deletions(-)

diff --git a/src/docs/self-hosted/reverse-proxy.mdx b/src/docs/self-hosted/reverse-proxy.mdx
index b48551f2bc..a77ed7fb0a 100644
--- a/src/docs/self-hosted/reverse-proxy.mdx
+++ b/src/docs/self-hosted/reverse-proxy.mdx
@@ -2,7 +2,7 @@
 title: 'Self-Hosted Reverse Proxy'
 ---
 
-Adding a reverse proxy in front of your Sentry deployment is strongly recommended for one big reason: you can fine tune every configuration to fit your current setup. A dedicated reverse proxy that does SSL/TLS termination that also forwards the client IP address as Docker Compose internal network (as this is [close to impossible to get otherwise)](https://github.com/getsentry/self-hosted/issues/554) would give you the best Sentry experience.
+Adding a reverse proxy in front of your Sentry deployment is strongly recommended for one big reason: you can fine tune every configuration to fit your current setup. A dedicated reverse proxy that does SSL/TLS termination that also forwards the client IP address as Docker Compose internal network (as this is [close to impossible to get otherwise](https://github.com/getsentry/self-hosted/issues/554)) would give you the best Sentry experience.
 
 Once you have setup a reverse proxy to your Sentry instance, you should modify the `system.url-prefix` in the `config.yml` file to match your new URL and protocol. You should also update the SSL/TLS section in the `sentry/sentry.conf.py` script, otherwise you may get CSRF-related errors when performing certain actions such as configuring integrations.
 
@@ -36,15 +36,64 @@ Endpoint for health checks is available on `/_health/` endpoint using HTTP proto
 
 ## Reverse Proxy Examples
 
-<!-- ### NGINX
+### NGINX
 
-Put some NGINX config here... Give link to tune NGINX.
+We recommend installing NGINX since that's what we are using on [sentry.io](https://sentry.io/).
+
+```nginx
+error_log /var/log/nginx/error.log warn;
+
+# generated 2024-04-29, Mozilla Guideline v5.7, nginx 1.24.0, OpenSSL 3.0.13, modern configuration, no HSTS, no OCSP
+# https://ssl-config.mozilla.org/#server=nginx&version=1.24.0&config=modern&openssl=3.0.13&hsts=false&ocsp=false&guideline=5.7
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    ssl_certificate /etc/letsencrypt/live/sentry.yourcompany.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/sentry.yourcompany.com/privkey.pem;
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
+    ssl_session_tickets off;
+
+    ssl_dhparam /etc/letsencrypt/ffdhe2048.txt;
+
+    # modern configuration
+    ssl_protocols TLSv1.3;
+    ssl_prefer_server_ciphers off;
+
+    proxy_buffering on;
+    proxy_buffer_size    128k;
+    proxy_buffers        4 256k;
+
+    location / {
+        include proxy_params;
+        proxy_pass http://your-sentry-ip:9000;
+    }
+}
+
+server {
+    server_name sentry.yourcompany.com;
+    listen 80;
+    listen [::]:80;
+
+    root /var/www/html;
+    # Allow certbot to do http-01 challenges
+    location /.well-known/ {
+        try_files $uri =404;
+    }
+    # otherwise redirect to HTTPS
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+```
+
+To use NGINX with ACME server such as Let's Encrypt, refer to this [blog post by Nginx](https://www.nginx.com/blog/using-free-ssltls-certificates-from-lets-encrypt-with-nginx/).
 
 It is also recommended to fine tune your NGINX for some performance benefits. You can refer to these blog posts from NGINX:
 
 - [Tuning NGINX for Performance - NGINX](https://www.nginx.com/blog/tuning-nginx/)
 - [Performance Tuning - Tips & Tricks - NGINX](https://www.nginx.com/blog/performance-tuning-tips-tricks/)
--->
 
 ### Caddy