Files
clube67.com/nginx/clube67.conf
T

115 lines
3.5 KiB
Plaintext

# ── Upstream: Next.js frontend ──
upstream frontend {
server 127.0.0.1:3000;
}
# ── Upstream: Express API backend ──
upstream backend {
server 127.0.0.1:3001;
}
# ── HTTP → HTTPS redirect ──
server {
listen 80;
server_name clube67.com www.clube67.com;
return 301 https://$host$request_uri;
}
# ── Main HTTPS server ──
server {
listen 443 ssl http2;
server_name clube67.com www.clube67.com;
# SSL (managed by certbot)
ssl_certificate /etc/letsencrypt/live/clube67.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/clube67.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
# ── Security Headers ──
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
# ── Gzip / Brotli ──
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_min_length 256;
gzip_types
text/plain text/css text/xml text/javascript
application/json application/javascript application/xml
application/rss+xml image/svg+xml font/woff2;
# ── Uploads (static) ──
location /uploads/ {
alias /www/wwwroot/clube67.com/uploads/;
expires 30d;
add_header Cache-Control "public, immutable";
access_log off;
}
# ── API proxy ──
location /api/ {
proxy_pass http://backend;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
# Disable directory listing
autoindex off;
}
# ── WebSocket ──
location /socket.io/ {
proxy_pass http://backend;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 86400s;
}
# ── Next.js static assets ──
location /_next/static/ {
proxy_pass http://frontend;
expires 365d;
add_header Cache-Control "public, immutable";
access_log off;
}
# ── Frontend (catch-all) ──
location / {
proxy_pass http://frontend;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
# ── Disable hidden files ──
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
# ── File size ──
client_max_body_size 10M;
}