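# Shared state used by the server blocks below. Both directives are only valid in the http{}
# context, so this file must be included from there (e.g. conf.d/*.conf), not from inside
# another server{} block.

# Rate-limiting zone referenced by `limit_req zone=api_limit` in the /api/ location. Without
# this definition `nginx -t` fails ("zero size shared memory zone"). If the zone is already
# declared in the main nginx.conf, delete this line rather than declaring it twice. The key is
# the client address as nginx sees it; behind a CDN or load balancer that is the proxy's
# address, so the key would then have to come from the forwarded client address (realip module).
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;

# Derive the upstream Connection header from the client's Upgrade header: "upgrade" only for
# WebSocket handshakes, "close" otherwise, so ordinary requests are not marked as upgrades.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    server_name docfast.dev www.docfast.dev;

    # Upload limit; larger request bodies are rejected with 413 before reaching the app.
    client_max_body_size 10m;

    # Security headers. `always` also attaches them to error responses (4xx/5xx), which
    # add_header otherwise skips. add_header is not inherited by a location that declares its
    # own add_header, so keep them at server level (or repeat them there).
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
    # The legacy XSS auditor is disabled with "0": current browsers no longer implement it and
    # "1; mode=block" has known side effects in older ones; X-Frame-Options/CSP are the controls.
    add_header X-XSS-Protection "0" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    # HSTS: all plain-HTTP traffic already redirects to HTTPS (second server block). Raise
    # max-age / add includeSubDomains only once certificate renewal has been exercised, since a
    # client that has cached the policy cannot reach the site if TLS breaks.
    add_header Strict-Transport-Security "max-age=31536000" always;
    # A Content-Security-Policy depends on the application's assets and is not set here.

    # Application proxy.
    location / {
        proxy_pass http://127.0.0.1:3100;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Appends $remote_addr to any client-supplied X-Forwarded-For; the app must trust only
        # the last (rightmost) address, the earlier ones are client-controlled.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 60s;
        proxy_connect_timeout 10s;

        # WebSocket support: HTTP/1.1 is required for Upgrade, and Connection comes from the map
        # above instead of being forced to "upgrade" on every request.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_cache_bypass $http_upgrade;
    }

    # Health check: still proxied to the app (so the probe verifies the app answers), only
    # without access logging so probes do not flood the log.
    location /health {
        access_log off;
        proxy_pass http://127.0.0.1:3100/health;
    }

    # Rate-limited API. Requests beyond the burst are rejected immediately (nodelay); 429 is
    # returned instead of nginx's default 503 so clients and monitoring can tell throttling
    # from an outage.
    location /api/ {
        limit_req zone=api_limit burst=10 nodelay;
        limit_req_status 429;
        proxy_pass http://127.0.0.1:3100;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Same timeouts as the application proxy so both locations fail the same way.
        proxy_read_timeout 60s;
        proxy_connect_timeout 10s;
    }

    # TLS (certificate paths and ssl options managed by Certbot).
    listen 443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/docfast.dev/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/docfast.dev/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}

# Plain-HTTP listener: redirect the two expected hostnames to HTTPS (www to the apex) and
# answer any other Host value with 404 so it is neither redirected nor served.
server {
    if ($host = docfast.dev) {
        return 301 https://$host$request_uri;
    }

    if ($host = www.docfast.dev) {
        return 301 https://docfast.dev$request_uri;
    }

    listen 80;
    server_name docfast.dev www.docfast.dev;
    return 404;
}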