# Wordly.art - Production Nginx Config # HTTP to HTTPS redirect + main application routing # HTTP server - redirect to HTTPS + Let's Encrypt server { listen 80; listen [::]:80; server_name wordly.art www.wordly.art; # ACME challenge for Let's Encrypt location /.well-known/acme-challenge/ { root /var/www/certbot; } # Redirect all other traffic to HTTPS location / { return 301 https://wordly.art$request_uri; } } # HTTPS server - main application server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name wordly.art; # SSL certificates ssl_certificate /etc/nginx/ssl/fullchain.pem; ssl_certificate_key /etc/nginx/ssl/privkey.pem; # SSL hardening ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers off; # OCSP Stapling ssl_stapling on; ssl_stapling_verify on; resolver 8.8.8.8 8.8.4.4 valid=300s; resolver_timeout 5s; # Security headers add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self' data:; connect-src 'self' https://wordly.art ws: wss:;" always; # File upload size client_max_body_size 100M; client_body_timeout 300s; proxy_buffer_size 128k; proxy_buffers 4 256k; proxy_busy_buffers_size 256k; # API routes -> Backend location /api/ { limit_req zone=api_limit burst=20 nodelay; limit_conn conn_limit 10; proxy_pass http://backend; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Connection ""; add_header Access-Control-Allow-Origin $cors_origin always; add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always; add_header Access-Control-Allow-Headers "Authorization, Content-Type, X-Requested-With, X-API-Key" always; add_header Access-Control-Allow-Credentials "true" always; if ($request_method = 'OPTIONS') { return 204; } } # Translation endpoint - extended timeouts location /translate { limit_req zone=upload_limit burst=5 nodelay; limit_conn conn_limit 5; proxy_pass http://backend/translate; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_connect_timeout 60s; proxy_send_timeout 600s; proxy_read_timeout 600s; } # Health check location /health { proxy_pass http://backend/health; proxy_http_version 1.1; proxy_set_header Connection ""; } # Prometheus metrics (internal only - restrict access) location /metrics { # Allow only from Docker network and localhost allow 172.28.0.0/16; allow 127.0.0.1; deny all; proxy_pass http://backend/metrics; proxy_http_version 1.1; proxy_set_header Connection ""; } # API docs location /docs { proxy_pass http://backend/docs; proxy_http_version 1.1; proxy_set_header Host $host; } location /redoc { proxy_pass http://backend/redoc; proxy_http_version 1.1; proxy_set_header Host $host; } location /openapi.json { proxy_pass http://backend/openapi.json; proxy_http_version 1.1; proxy_set_header Host $host; } # Admin -> Frontend location /admin { proxy_pass http://frontend; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } # Frontend static assets with aggressive caching location /_next/static/ { proxy_pass http://frontend; add_header Cache-Control "public, max-age=31536000, immutable"; } # Frontend -> Next.js location / { proxy_pass http://frontend; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } # Error pages error_page 500 502 503 504 /50x.html; location = /50x.html { root /usr/share/nginx/html; } } # Redirect www to non-www server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name www.wordly.art; ssl_certificate /etc/nginx/ssl/fullchain.pem; ssl_certificate_key /etc/nginx/ssl/privkey.pem; return 301 https://wordly.art$request_uri; }