docfast/infrastructure/nginx/docfast.dev

server {
    server_name docfast.dev www.docfast.dev;

    # Increase client max body size for file uploads
    client_max_body_size 10m;

    # Security headers
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Referrer-Policy "strict-origin-when-cross-origin";

    # Proxy to the application
    location / {
        proxy_pass http://127.0.0.1:3100;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 60s;
        proxy_connect_timeout 10s;
        
        # WebSocket support (if needed)
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_cache_bypass $http_upgrade;
    }

    # Health check endpoint (bypass proxy for direct container health check)
    location /health {
        access_log off;
        proxy_pass http://127.0.0.1:3100/health;
    }

    # Rate limiting for API endpoints
    location /api/ {
        limit_req zone=api_limit burst=10 nodelay;
        proxy_pass http://127.0.0.1:3100;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # SSL configuration (managed by Certbot)
    listen 443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/docfast.dev/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/docfast.dev/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}

# Rate limiting zone (add to main nginx.conf or here)
# limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;

# Redirect HTTP to HTTPS
server {
    if ($host = docfast.dev) {
        return 301 https://$host$request_uri;
    }

    if ($host = www.docfast.dev) {
        return 301 https://docfast.dev$request_uri;
    }

    listen 80;
    server_name docfast.dev www.docfast.dev;
    return 404;
}