Files
sciagent/frontend_user/nginx/default.conf
T
Thinh Lam 688fac73e9
CI/CD / backend (push) Failing after 2m8s
CI/CD / frontend (push) Failing after 1m40s
CI/CD / deploy (push) Has been skipped
sciagent code + Gitea Actions CI/CD
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-30 09:38:30 +07:00

64 lines
2.6 KiB
Plaintext

# Production SPA + API reverse proxy for the applicant app (frontend_user, port 8080).
# Serves the minified Vite build only — no dev server, no /src, no sourcemaps. TLS terminates
# on the host reverse proxy (Caddy/nginx); this listens HTTP inside the Docker network.
server {
listen 8080;
server_name _;
server_tokens off; # do not advertise the nginx version
root /usr/share/nginx/html;
index index.html;
# Defense-in-depth headers (inherited by locations that set no add_header of their own).
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
# A Content-Security-Policy is recommended but must enumerate the app's real sources.
# The applicant PDF export currently pulls @react-pdf NotoSerif fonts from remote URLs —
# self-host those first, then enable a locked-down policy, e.g.:
# add_header Content-Security-Policy "default-src 'self'; img-src 'self' data: blob:; style-src 'self' 'unsafe-inline'; font-src 'self' data:; connect-src 'self'" always;
client_max_body_size 50m;
gzip on;
gzip_comp_level 5;
gzip_min_length 1024;
gzip_types text/plain text/css application/javascript application/json image/svg+xml;
# Same-origin API + submitted PDFs → backend (the browser never talks to be0 directly).
location /api/ {
proxy_pass http://be0:4402;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_connect_timeout 300;
proxy_send_timeout 300;
proxy_read_timeout 300;
}
location /submitted-initiatives/ {
proxy_pass http://be0:4402;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# Content-addressed build assets (hashed filenames) — safe to cache hard.
# Only `expires` here so the server-level security headers are still inherited.
location /assets/ {
expires 1y;
try_files $uri =404;
}
# SPA history fallback — unknown routes return index.html, never a listing or source file.
location / {
try_files $uri $uri/ /index.html;
}
}