new-lil-sprouts/nginx-lilsprouts.conf at master · blalan05/new-lil-sprouts · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
# Nginx configuration for lilsprouts.io
# Place this file in /etc/nginx/sites-available/lilsprouts.io
# Then create a symlink: sudo ln -s /etc/nginx/sites-available/lilsprouts.io /etc/nginx/sites-enabled/
# After Let's Encrypt setup, Certbot will modify this file automatically

# Map for WebSocket connections
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

# HTTP server - redirects to HTTPS
server {
    listen 80;
    listen [::]:80;
    server_name lilsprouts.io www.lilsprouts.io;

    # Allow Let's Encrypt to verify domain ownership
    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }

    # Redirect all other HTTP traffic to HTTPS
    location / {
        return 301 https://$host$request_uri;
    }
}

# HTTPS server - reverse proxy to application
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name lilsprouts.io www.lilsprouts.io;

    # SSL certificates (will be managed by Certbot)
    # After running certbot, these lines will be automatically added:
    ssl_certificate /etc/letsencrypt/live/lilsprouts.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/lilsprouts.io/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # Default index files
    index index.html index.htm;

    # Reverse proxy to your application
    location / {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;

        # Prevent redirect loops - tell the app it's already on HTTPS
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Ssl on;

        # Standard proxy headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Prevent the app from redirecting
        proxy_redirect off;

        # WebSocket support (if needed)
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Cache bypass for upgrade requests
        proxy_cache_bypass $http_upgrade;

        # Timeouts
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
    }

    # Security headers
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
}