116 lines
3.6 KiB
Nginx Configuration File
116 lines
3.6 KiB
Nginx Configuration File
# HTTPS server only - no HTTP redirect
|
|
server {
|
|
listen 443 ssl default_server;
|
|
server_name _;
|
|
|
|
# SSL Configuration
|
|
ssl_certificate /etc/nginx/certs/dockmon.crt;
|
|
ssl_certificate_key /etc/nginx/certs/dockmon.key;
|
|
|
|
# Modern SSL configuration
|
|
ssl_protocols TLSv1.2 TLSv1.3;
|
|
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
|
|
ssl_prefer_server_ciphers off;
|
|
|
|
# SSL session caching
|
|
ssl_session_cache shared:SSL:10m;
|
|
ssl_session_timeout 10m;
|
|
ssl_session_tickets off;
|
|
|
|
# Security headers
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
|
add_header X-Frame-Options "SAMEORIGIN" always;
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
add_header X-XSS-Protection "1; mode=block" always;
|
|
|
|
root /usr/share/nginx/html;
|
|
index index.html;
|
|
|
|
# Enable gzip compression
|
|
gzip on;
|
|
gzip_types text/plain text/css text/javascript application/javascript application/json;
|
|
gzip_min_length 1000;
|
|
|
|
# Proxy API requests to local backend (same container)
|
|
location /api/ {
|
|
proxy_pass http://127.0.0.1:8080/api/;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header X-Forwarded-Host $server_name;
|
|
|
|
# Timeouts for long-running requests
|
|
proxy_connect_timeout 60s;
|
|
proxy_send_timeout 60s;
|
|
proxy_read_timeout 60s;
|
|
}
|
|
|
|
# Proxy WebSocket connections
|
|
location /ws/ {
|
|
proxy_pass http://127.0.0.1:8080/ws/;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
|
|
# Disable buffering for WebSocket
|
|
proxy_buffering off;
|
|
proxy_cache off;
|
|
proxy_redirect off;
|
|
|
|
# WebSocket timeouts
|
|
proxy_connect_timeout 60s;
|
|
proxy_send_timeout 60s;
|
|
proxy_read_timeout 3600s;
|
|
}
|
|
|
|
# Main WebSocket for events
|
|
location = /ws {
|
|
proxy_pass http://127.0.0.1:8080/ws;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
|
|
# Disable buffering for WebSocket
|
|
proxy_buffering off;
|
|
proxy_cache off;
|
|
proxy_redirect off;
|
|
|
|
# WebSocket timeouts
|
|
proxy_connect_timeout 60s;
|
|
proxy_send_timeout 60s;
|
|
proxy_read_timeout 3600s;
|
|
}
|
|
|
|
# Direct backend health check
|
|
location /api/health {
|
|
proxy_pass http://127.0.0.1:8080/health;
|
|
access_log off;
|
|
}
|
|
|
|
# Serve static files
|
|
location / {
|
|
try_files $uri $uri/ /index.html;
|
|
|
|
# Don't cache HTML files - always fetch fresh
|
|
location ~* \.html$ {
|
|
expires -1;
|
|
add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0";
|
|
}
|
|
|
|
# Cache static assets (images, fonts, etc)
|
|
location ~* \.(jpg|jpeg|png|gif|ico|svg|woff|woff2|ttf|eot)$ {
|
|
expires 30d;
|
|
add_header Cache-Control "public, immutable";
|
|
}
|
|
}
|
|
} |