server { listen 80; server_name _; root /usr/share/nginx/html; index index.html; # Security headers add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' http://www.gstatic.com https://www.gstatic.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: http: https:; media-src 'self' blob: http: https:; connect-src 'self' http: https: ws: wss:; font-src 'self' data:;" always; # Hide nginx version server_tokens off; # SSE activity stream (must be before general /api/ to match first) location /api/public/activity/stream { proxy_pass http://api:3001; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Connection ''; proxy_buffering off; proxy_cache off; proxy_read_timeout 86400s; chunked_transfer_encoding off; } # SSE reactions stream (regex to match /api/reactions/ID/stream) location ~ ^/api/reactions/\d+/stream$ { proxy_pass http://api:3001; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Connection ''; proxy_buffering off; proxy_cache off; proxy_read_timeout 86400s; chunked_transfer_encoding off; } # WebSocket signaling for watch party (regex to match /api/watch-party/ID/signal) location ~ ^/api/watch-party/\d+/signal$ { proxy_pass http://api:3001; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_read_timeout 86400s; proxy_send_timeout 86400s; proxy_buffering off; } # SSE watch party stream (regex to match /api/watch-party/ID/stream) location ~ ^/api/watch-party/\d+/stream$ { proxy_pass http://api:3001; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Connection ''; proxy_buffering off; proxy_cache off; proxy_read_timeout 86400s; chunked_transfer_encoding off; } # API proxy (preserve /api/ prefix) location /api/ { proxy_pass http://api:3001; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; client_max_body_size 50m; } # Proxy thumbnail requests to nginx video server (^~ takes precedence over regex) location ^~ /thumbnails/ { proxy_pass http://nginx:80/thumbnails/; proxy_http_version 1.1; proxy_set_header Host $host; expires 7d; add_header Cache-Control "public, max-age=604800"; } # Proxy video requests to nginx video server (^~ takes precedence over regex) location ^~ /videos/ { proxy_pass http://nginx:80/videos/; proxy_http_version 1.1; proxy_set_header Host $host; } # SPA routing - serve index.html for all non-file routes location / { try_files $uri $uri/ /index.html; } # Cache static assets location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ { expires 1y; add_header Cache-Control "public, immutable"; } }