64 lines
2.6 KiB
Plaintext
64 lines
2.6 KiB
Plaintext
# Production SPA + API reverse proxy for the applicant app (frontend_user, port 8080).
|
|
# Serves the minified Vite build only — no dev server, no /src, no sourcemaps. TLS terminates
|
|
# on the host reverse proxy (Caddy/nginx); this listens HTTP inside the Docker network.
|
|
|
|
server {
|
|
listen 8080;
|
|
server_name _;
|
|
server_tokens off; # do not advertise the nginx version
|
|
|
|
root /usr/share/nginx/html;
|
|
index index.html;
|
|
|
|
# Defense-in-depth headers (inherited by locations that set no add_header of their own).
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
add_header X-Frame-Options "DENY" always;
|
|
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
|
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
|
|
# A Content-Security-Policy is recommended but must enumerate the app's real sources.
|
|
# The applicant PDF export currently pulls @react-pdf NotoSerif fonts from remote URLs —
|
|
# self-host those first, then enable a locked-down policy, e.g.:
|
|
# add_header Content-Security-Policy "default-src 'self'; img-src 'self' data: blob:; style-src 'self' 'unsafe-inline'; font-src 'self' data:; connect-src 'self'" always;
|
|
|
|
client_max_body_size 50m;
|
|
|
|
gzip on;
|
|
gzip_comp_level 5;
|
|
gzip_min_length 1024;
|
|
gzip_types text/plain text/css application/javascript application/json image/svg+xml;
|
|
|
|
# Same-origin API + submitted PDFs → backend (the browser never talks to be0 directly).
|
|
location /api/ {
|
|
proxy_pass http://be0:4402;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_connect_timeout 300;
|
|
proxy_send_timeout 300;
|
|
proxy_read_timeout 300;
|
|
}
|
|
|
|
location /submitted-initiatives/ {
|
|
proxy_pass http://be0:4402;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
|
|
# Content-addressed build assets (hashed filenames) — safe to cache hard.
|
|
# Only `expires` here so the server-level security headers are still inherited.
|
|
location /assets/ {
|
|
expires 1y;
|
|
try_files $uri =404;
|
|
}
|
|
|
|
# SPA history fallback — unknown routes return index.html, never a listing or source file.
|
|
location / {
|
|
try_files $uri $uri/ /index.html;
|
|
}
|
|
}
|