46 lines
1.4 KiB
Nginx Configuration File
46 lines
1.4 KiB
Nginx Configuration File
server {
|
|
listen 80;
|
|
listen [::]:80;
|
|
server_name _;
|
|
|
|
root /usr/share/nginx/html;
|
|
index index.html;
|
|
|
|
# Reasonable hardening — TLS is terminated by an external reverse proxy
|
|
# so we don't add HSTS here (let the edge own that header).
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
add_header X-Frame-Options "DENY" always;
|
|
add_header Referrer-Policy "same-origin" always;
|
|
|
|
# Internal liveness for the docker healthcheck.
|
|
location = /healthz {
|
|
access_log off;
|
|
return 200 "ok\n";
|
|
add_header Content-Type text/plain;
|
|
}
|
|
|
|
# Proxy API calls to the Flask service on the compose network.
|
|
location /api/ {
|
|
proxy_pass http://api:8000;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_read_timeout 60s;
|
|
client_max_body_size 64m;
|
|
}
|
|
|
|
# SPA fallback — every unknown route returns index.html.
|
|
location / {
|
|
try_files $uri $uri/ /index.html;
|
|
}
|
|
|
|
# Long cache for hashed assets.
|
|
location ~* \.(?:js|css|woff2?|svg|png|jpg|jpeg|webp|ico)$ {
|
|
expires 30d;
|
|
add_header Cache-Control "public, immutable";
|
|
try_files $uri =404;
|
|
}
|
|
}
|