# Production SPA + API reverse proxy (fe0 container, port 8080). # TLS terminates on the host reverse proxy (Caddy/nginx); this listens HTTP inside Docker. server { listen 8080; server_name _; root /usr/share/nginx/html; index index.html; add_header X-Content-Type-Options "nosniff" always; add_header X-Frame-Options "DENY" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; client_max_body_size 50m; location /api/ { proxy_pass http://be0:4402; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_connect_timeout 300; proxy_send_timeout 300; proxy_read_timeout 300; } location /submitted-initiatives/ { proxy_pass http://be0:4402; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } location /assets/ { expires 7d; try_files $uri =404; } location / { try_files $uri $uri/ /index.html; } }