CardSync/nginx/nginx.conf

58 lines
1.6 KiB
Nginx Configuration File

# Redirect HTTP → HTTPS
server {
listen 80;
server_name _;
return 301 https://$host$request_uri;
}
# HTTPS
server {
listen 443 ssl;
http2 on;
server_name _;
ssl_certificate /etc/nginx/certs/cert.pem;
ssl_certificate_key /etc/nginx/certs/key.pem;
# Moderne TLS-Konfiguration (Mozilla "intermediate")
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
# HSTS (1 Jahr)
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# Frontend (statische Dateien)
root /usr/share/nginx/html;
index index.html;
# API zum Backend
location /api/ {
proxy_pass http://backend:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 120s;
}
location /auth/ {
proxy_pass http://backend:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /health {
proxy_pass http://backend:8000;
}
# Frontend-Dateien
location / {
try_files $uri $uri/ /index.html;
}
}