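events {}

http {
    # Log warnings and above.
    # TODO: Better path
    error_log /var/log/nginx.log warn;

    # Bucket size for the server-name hash table; the author found nginx
    # refuses to start on this host without setting it explicitly.
    server_names_hash_bucket_size 64;

    # The redirection server: every plain-HTTP request is sent to HTTPS.
    server {
        listen 80 default_server;
        # NOTE: browsers ignore an HSTS header received over plain HTTP; the
        # copy on the 443 server below is the one that takes effect.
        add_header Strict-Transport-Security "max-age=31536000" always;
        return 301 https://$host$request_uri;
    }

    # The actual webserver duties
    server {
        # server_name lateinicus;
        listen 443 ssl http2;
        add_header Strict-Transport-Security "max-age=31536000" always;

        # Global CSP. 'unsafe-inline' in style-src weakens the policy; keep it
        # only for as long as the app needs inline styles. Note that nginx does
        # not inherit add_header into a location that declares its own
        # add_header, so any location below that adds headers must repeat
        # these two.
        add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://unpkg.com; img-src 'self' https:; font-src https://fonts.googleapis.com https://fonts.gstatic.com; style-src 'self' https://fonts.googleapis.com 'unsafe-inline';" always;

        # SSL configuration
        ssl_certificate /etc/ssl/lateinicus.pem;
        ssl_certificate_key /etc/ssl/lateinicus.key;
        # TLS 1.0 and 1.1 are deprecated (RFC 8996) and were previously
        # offered here; only 1.2 and 1.3 are negotiated now. TLSv1.3 needs
        # nginx >= 1.13.0 built against a TLS 1.3 capable OpenSSL.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers HIGH:!aNULL:!MD5;
        # Let the server's cipher order win over the client's preference.
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:30m;
        ssl_session_timeout 20m;
        keepalive_timeout 70;

        # Enable gzip compression for responses of at least 256K
        gzip on;
        gzip_min_length 256K;

        error_page 404 /lost.html;
        error_page 500 502 503 504 /error.html;

        # Status page for 50X (see error_page above)
        location = /error.html {
            root /srv/www;
        }

        # Status page for 404 (see error_page above)
        location = /lost.html {
            root /srv/www;
        }

        location = /privacy.pdf {
            root /srv/www;
        }

        # Reverse Proxy: TLS terminates here, the backend is reached over
        # plain HTTP.
        location /api/ {
            # Rewrites the URI to itself. proxy_pass without a URI part already
            # forwards the request URI unchanged, so this is a no-op; kept as
            # the author left it ("Prevent /api/api/") pending confirmation
            # that the backend does not rely on it.
            rewrite /api/(.*) /api/$1 break;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            # Tell the backend the original request arrived over HTTPS.
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_pass http://128.1.0.3:8080;
        }

        # There probably is a better solution using wildcards
        location = /app {
            return 301 https://$host/app/;
        }

        location = / {
            return 301 https://$host/app/;
        }

        # The web app (static files served from /srv/www/app/)
        location /app/ {
            # CSS might not get the correct Content-Type header without this
            include /etc/nginx/mime.types;
            root /srv/www;
            # For react-router: unknown paths fall back to the SPA entry point
            try_files $uri /app/index.html;
            index index.html;
        }
    }
}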