79 lines
2.7 KiB
Plaintext
79 lines
2.7 KiB
Plaintext
# =============================================================================
|
|
# MOPC Platform - Nginx Reverse Proxy Configuration
|
|
# =============================================================================
|
|
# Install: sudo ln -s /opt/mopc/docker/nginx/mopc-platform.conf /etc/nginx/sites-enabled/
|
|
# Test: sudo nginx -t
|
|
# Reload: sudo systemctl reload nginx
|
|
|
|
# Rate limiting zone
|
|
limit_req_zone $binary_remote_addr zone=mopc_limit:10m rate=10r/s;
|
|
|
|
# MOPC Platform - HTTPS
|
|
server {
|
|
listen 443 ssl http2;
|
|
listen [::]:443 ssl http2;
|
|
server_name portal.monaco-opc.com;
|
|
|
|
# SSL certificates (managed by Certbot)
|
|
ssl_certificate /etc/letsencrypt/live/portal.monaco-opc.com/fullchain.pem;
|
|
ssl_certificate_key /etc/letsencrypt/live/portal.monaco-opc.com/privkey.pem;
|
|
include /etc/letsencrypt/options-ssl-nginx.conf;
|
|
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
|
|
|
# Security headers
|
|
add_header X-Frame-Options "SAMEORIGIN" always;
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
add_header X-XSS-Protection "1; mode=block" always;
|
|
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
|
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self' data:; connect-src 'self';" always;
|
|
|
|
# File upload size (500MB for videos)
|
|
client_max_body_size 500M;
|
|
|
|
# Rate limiting
|
|
limit_req zone=mopc_limit burst=20 nodelay;
|
|
|
|
# Logging
|
|
access_log /var/log/nginx/mopc-access.log;
|
|
error_log /var/log/nginx/mopc-error.log;
|
|
|
|
# Next.js application
|
|
location / {
|
|
proxy_pass http://127.0.0.1:7600;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection 'upgrade';
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_cache_bypass $http_upgrade;
|
|
|
|
# Timeouts for large file uploads
|
|
proxy_connect_timeout 300s;
|
|
proxy_send_timeout 300s;
|
|
proxy_read_timeout 300s;
|
|
}
|
|
|
|
# Static files caching
|
|
location /_next/static {
|
|
proxy_pass http://127.0.0.1:7600;
|
|
proxy_cache_valid 200 365d;
|
|
add_header Cache-Control "public, max-age=31536000, immutable";
|
|
}
|
|
|
|
# Health check endpoint (no access log noise)
|
|
location /api/health {
|
|
proxy_pass http://127.0.0.1:7600;
|
|
access_log off;
|
|
}
|
|
}
|
|
|
|
# HTTP to HTTPS redirect
|
|
server {
|
|
listen 80;
|
|
listen [::]:80;
|
|
server_name portal.monaco-opc.com;
|
|
return 301 https://$host$request_uri;
|
|
}
|