# ── Warden HTTPS nginx config ─────────────────────────────────────────────────

# This template is processed by the official nginx Docker image via envsubst.

# The variable ${WARDEN_DOMAIN} is substituted automatically at container startup.

#

# Used by: docker-compose.https.yml

# Do NOT edit nginx.conf for HTTPS — this file is the production entrypoint.

# HTTP → HTTPS redirect + ACME challenge (Let's Encrypt domain validation)

server {

listen 80;

server_name ${WARDEN_DOMAIN};

server_tokens off;

# Let's Encrypt certificate renewal validation

location /.well-known/acme-challenge/ {

root /var/www/certbot;

}

# Redirect everything else to HTTPS

location / {

return 301 https://$host$request_uri;

}

}

# HTTPS server

server {

listen 443 ssl;

http2 on;

server_name ${WARDEN_DOMAIN};

server_tokens off;

root /usr/share/nginx/html;

index index.html;

# ── TLS ──────────────────────────────────────────────────────────────────

ssl_certificate /etc/letsencrypt/live/${WARDEN_DOMAIN}/fullchain.pem;

ssl_certificate_key /etc/letsencrypt/live/${WARDEN_DOMAIN}/privkey.pem;

# Mozilla Intermediate compatibility (TLS 1.2 + 1.3)

ssl_protocols TLSv1.2 TLSv1.3;

ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

ssl_prefer_server_ciphers off;

ssl_session_timeout 1d;

ssl_session_cache shared:SSL:10m;

ssl_session_tickets off;

# OCSP stapling — faster cert verification for clients

ssl_stapling on;

ssl_stapling_verify on;

ssl_trusted_certificate /etc/letsencrypt/live/${WARDEN_DOMAIN}/chain.pem;

resolver 1.1.1.1 8.8.8.8 valid=300s;

resolver_timeout 5s;

# ── Security headers ─────────────────────────────────────────────────────

add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

add_header X-Content-Type-Options "nosniff" always;

add_header X-Frame-Options "DENY" always;

add_header X-XSS-Protection "1; mode=block" always;

add_header Referrer-Policy "strict-origin-when-cross-origin" always;

add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;

add_header Content-Security-Policy

"default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; connect-src 'self'; frame-ancestors 'none';"

always;

# ── API proxy ─────────────────────────────────────────────────────────────

location /api/ {

proxy_pass http://api:8000;

proxy_set_header Host $host;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header X-Forwarded-Proto https;

proxy_read_timeout 120s;

# Upload size — matches the 50 MB backend limit

client_max_body_size 52m;

}

location /auth/ {

proxy_pass http://api:8000;

proxy_set_header Host $host;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header X-Forwarded-Proto https;

}

location /health {

proxy_pass http://api:8000;

proxy_set_header Host $host;

}

# ── React SPA ─────────────────────────────────────────────────────────────

location / {

try_files $uri $uri/ /index.html;

}

# Cache immutable static assets (content-hashed filenames from Vite)

location ~* \.(js|css|png|jpg|ico|svg|woff2?)$ {

expires 1y;

add_header Cache-Control "public, immutable";

}

}