# Production SPA + API reverse proxy for the publisher app (frontend_publisher, port 8080). # Serves the minified Vite build only — no dev server, no /src, no sourcemaps. TLS terminates # on the host reverse proxy (Caddy/nginx); this listens HTTP inside the Docker network. server { listen 8080; server_name _; server_tokens off; # do not advertise the nginx version root /usr/share/nginx/html; index index.html; # Defense-in-depth headers (inherited by locations that set no add_header of their own). add_header X-Content-Type-Options "nosniff" always; add_header X-Frame-Options "DENY" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always; # A Content-Security-Policy is recommended but must enumerate the app's real sources. # The applicant PDF export currently pulls @react-pdf NotoSerif fonts from remote URLs — # self-host those first, then enable a locked-down policy, e.g.: # add_header Content-Security-Policy "default-src 'self'; img-src 'self' data: blob:; style-src 'self' 'unsafe-inline'; font-src 'self' data:; connect-src 'self'" always; client_max_body_size 50m; gzip on; gzip_comp_level 5; gzip_min_length 1024; gzip_types text/plain text/css application/javascript application/json image/svg+xml; # Same-origin API + submitted PDFs → backend (the browser never talks to be0 directly). location /api/ { proxy_pass http://be0:4402; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_connect_timeout 300; proxy_send_timeout 300; proxy_read_timeout 300; } location /submitted-initiatives/ { proxy_pass http://be0:4402; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } # Content-addressed build assets (hashed filenames) — safe to cache hard. # Only `expires` here so the server-level security headers are still inherited. location /assets/ { expires 1y; try_files $uri =404; } # SPA history fallback — unknown routes return index.html, never a listing or source file. location / { try_files $uri $uri/ /index.html; } }