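# HTTP listener: every plain-HTTP request is redirected to HTTPS on the same
# host. 308 (rather than 301/302) keeps the original method and body.
server {
    listen 80;
    listen [::]:80;

    # Redirect all HTTP to HTTPS on the same host
    return 308 https://$host$request_uri;
}

# HTTPS front end: terminates TLS, sets browser security headers and
# reverse-proxies to the application container (app:8080).
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # Catch-all; optionally set a specific server_name
    server_name _;

    ssl_certificate     /etc/nginx/ssl/cert.pem;
    ssl_certificate_key /etc/nginx/ssl/key.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Explicit forward-secret AEAD suites for TLS 1.2. The previous
    # "HIGH:!aNULL:!MD5" alias also admitted static-RSA key exchange and
    # CBC suites, which provide no forward secrecy. TLS 1.3 suites are not
    # governed by this directive.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;

    # Allow larger file uploads (profile pictures, logos, etc.)
    client_max_body_size 10M;

    # Security headers. "always" attaches them to error responses too.
    # nginx only inherits add_header into a location that declares no
    # add_header of its own; both locations below rely on that, so adding an
    # add_header inside a location would silently drop all of these there.
    # NOTE(review): includeSubDomains pins HSTS for every subdomain of
    # whichever Host the client sent -- confirm all subdomains serve HTTPS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "DENY" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # Proxy to application
    location / {
        proxy_pass http://app:8080;

        # Preserve original host including port (e.g., localhost:8443)
        proxy_set_header Host              $http_host;
        proxy_set_header X-Forwarded-Host  $http_host;
        proxy_set_header X-Forwarded-Port  $server_port;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Preserve cookies (proxy_pass_request_headers is already the nginx
        # default; kept explicit as documentation of intent)
        proxy_pass_request_headers on;
        proxy_cookie_path / /;
    }

    # Socket.IO (WebSocket) endpoint
    location /socket.io/ {
        proxy_pass http://app:8080/socket.io/;

        # WebSocket upgrade headers
        # NOTE(review): a constant "upgrade" is sent even for Socket.IO
        # long-polling requests that carry no Upgrade header; the usual fix
        # is a `map $http_upgrade $connection_upgrade` in the http context,
        # which is outside this file -- confirm before changing.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Preserve original host and client details.
        # proxy_set_header is not merged across contexts: a location that sets
        # any proxy_set_header inherits none from the server level, so the
        # forwarding headers are repeated here rather than hoisted.
        proxy_set_header Host              $http_host;
        proxy_set_header X-Forwarded-Host  $http_host;
        proxy_set_header X-Forwarded-Port  $server_port;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Timeouts and buffering suitable for long-lived WS
        proxy_read_timeout 600s;
        proxy_send_timeout 600s;
        proxy_buffering    off;
    }
}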