copper-tone-tech/web-hosts
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
web-hosts/domains/coppertone.tech/frontend/nginx.conf
Derek Williams c7d6786039 Add full web-hosts state
2025-12-26 13:38:04 +01:00

173 lines
6.6 KiB
Nginx Configuration File
Raw Permalink Blame History

# Rate limiting zones
limit_req_zone $binary_remote_addr zone=auth_limit:10m rate=5r/s;
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=20r/s;
limit_req_status 429;
server {
listen 8080;
server_name localhost;
root /usr/share/nginx/html;
index index.html index.htm;
# Security Headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
# Note: Add Strict-Transport-Security when serving over HTTPS
# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# Content Security Policy - adjust as needed for your application
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https: blob:; font-src 'self' data:; connect-src 'self' https://api.qrserver.com; frame-ancestors 'self';" always;
# Prevent caching of index.html to ensure fresh JS/CSS references
location = /index.html {
add_header Cache-Control "no-cache, no-store, must-revalidate";
add_header Pragma "no-cache";
add_header Expires "0";
# Security headers (must be repeated in location blocks)
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https: blob:; font-src 'self' data:; connect-src 'self' https://api.qrserver.com; frame-ancestors 'self';" always;
}
# Cache static assets (they have content hashes in filenames)
location /assets/ {
add_header Cache-Control "public, max-age=31536000, immutable";
# Security headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
}
# Serve markdown files with correct MIME type
location ~* \.md$ {
types {
text/plain md;
}
add_header Content-Type text/plain;
add_header Access-Control-Allow-Origin *;
}
# Auth Service API proxy (stricter rate limit for auth endpoints)
location /api/auth/ {
limit_req zone=auth_limit burst=10 nodelay;
proxy_pass http://auth-service:8080/;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# Work Management Service API proxy
location /api/work/ {
limit_req zone=api_limit burst=30 nodelay;
proxy_pass http://work-management-service:8080/;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# Payment Service API proxy
location /api/payment/ {
limit_req zone=api_limit burst=20 nodelay;
proxy_pass http://payment-service:8080/;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# Blog Service API proxy
location /api/blog/ {
limit_req zone=api_limit burst=50 nodelay;
proxy_pass http://blog-service:8080/;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# IPFS Service API proxy
location /api/ipfs/ {
limit_req zone=api_limit burst=30 nodelay;
proxy_pass http://ipfs-service:8080/;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Increase timeouts for IPFS operations
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
}
# Forum Service API proxy
location /api/forum/ {
limit_req zone=api_limit burst=50 nodelay;
proxy_pass http://forum-service:8080/;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# Contact Service API proxy
location /api/contact/ {
limit_req zone=api_limit burst=10 nodelay;
proxy_pass http://contact-service:8080/;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# LLM Service API proxy
location /api/llm/ {
limit_req zone=api_limit burst=20 nodelay;
proxy_pass http://llm-service:8080/;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# Cache hashed assets (immutable - hashes change on content change)
location ~* \.(?:css|js)$ {
expires 1y;
add_header Cache-Control "public, immutable";
try_files $uri =404;
}
# Don't cache HTML and service worker
location ~* (?:index\.html|service-worker\.js)$ {
expires -1;
add_header Cache-Control "no-cache, no-store, must-revalidate";
add_header Pragma "no-cache";
try_files $uri =404;
}
location / {
try_files $uri $uri/ /index.html;
}
# Optional: Gzip compression
gzip on;
gzip_vary on;
gzip_min_length 1000;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml+rss text/javascript text/markdown;
}
Reference in New Issue View Git Blame Copy Permalink