events { worker_connections 1024; } http { include /etc/nginx/mime.types; default_type application/octet-stream; sendfile on; # ── Gzip compression ────────────────────────────────────────────────────── gzip on; gzip_types text/plain text/css application/javascript application/json; gzip_min_length 1000; # ── Rate limiting ───────────────────────────────────────────────────────── limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m; limit_req_zone $binary_remote_addr zone=register:10m rate=3r/m; limit_req_zone $binary_remote_addr zone=admin:10m rate=10r/m; limit_req_status 429; server { listen 80; server_name _; root /usr/share/nginx/html; index index.html; # ── Security headers ────────────────────────────────────────────────── add_header X-Content-Type-Options "nosniff" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-XSS-Protection "1; mode=block" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'; font-src 'self'; frame-ancestors 'none'" always; # ── Static files ────────────────────────────────────────────────────── location / { try_files $uri $uri.html $uri/ =404; } # Cache static assets aggressively and suppress access log noise location ~* \.(css|js|svg|ico|png|jpg|webp|woff2?)$ { expires 7d; add_header Cache-Control "public, immutable"; add_header X-Content-Type-Options "nosniff" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-XSS-Protection "1; mode=block" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; access_log off; } # ── Auth / admin rate limiting ──────────────────────────────────────── location = /api/auth/login { limit_req zone=login burst=3 nodelay; proxy_pass http://api:8000; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; add_header Cache-Control "no-store" always; add_header X-Content-Type-Options "nosniff" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-XSS-Protection "1; mode=block" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; } location = /api/auth/register { limit_req zone=register burst=2 nodelay; proxy_pass http://api:8000; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; add_header Cache-Control "no-store" always; add_header X-Content-Type-Options "nosniff" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-XSS-Protection "1; mode=block" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; } location /api/admin/ { limit_req zone=admin burst=5 nodelay; proxy_pass http://api:8000; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; add_header Cache-Control "no-store" always; add_header X-Content-Type-Options "nosniff" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-XSS-Protection "1; mode=block" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; } # ── API reverse proxy ───────────────────────────────────────────────── # All /api/* requests are forwarded to the FastAPI container. # The container is reachable by its service name on the Docker network. location /api/ { proxy_pass http://api:8000; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; add_header Cache-Control "no-store" always; add_header X-Content-Type-Options "nosniff" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-XSS-Protection "1; mode=block" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; } # ── Custom error pages ──────────────────────────────────────────────── error_page 404 /404.html; error_page 502 503 504 /50x.html; location = /404.html { internal; } location = /50x.html { internal; } } }