cc

Author: deep-div

nginx/config/prod.conf

@@ -1,110 +1,111 @@
-https {
-    log_format custom '$remote_addr - $server_addr [$time_local] '
-                      '"$request" $status $body_bytes_sent '
-                      '"$http_referer" "$http_user_agent"';
-    access_log /var/log/nginx/access.log custom;
-    # ===============================
-    # DEFAULT DENY HTTP & HTTPS
-    # ===============================
-    server {
-        listen 80 default_server;
-        server_name _;
-        return 444;
-    }
-    server {
-        listen 443 ssl default_server;
-        server_name _;
-        ssl_reject_handshake on;
-    }
-    # ===============================
-    # HTTP → HTTPS
-    # ===============================
-    server {
-        listen 80;
-        server_name coldemailgenrator.online www.coldemailgenrator.online;
-        return 301 https://$host$request_uri;
-    }
-    # ===============================
-    # PUBLIC ACCESS (FRONTEND)
-    # ===============================
+# ===============================
+# LOGGING
+# ===============================
+log_format custom '$remote_addr - $server_addr [$time_local] '
+                  '"$request" $status $body_bytes_sent '
+                  '"$http_referer" "$http_user_agent"';
+access_log /var/log/nginx/access.log custom;
+# ===============================
+# DEFAULT DENY HTTP & HTTPS
+# ===============================
+server {
+    listen 80 default_server;
+    server_name _;
+    return 444;
+}
+server {
+    listen 443 ssl default_server;
+    server_name _;
+    ssl_reject_handshake on;
+}
+# ===============================
+# HTTP → HTTPS
+# ===============================
+server {
+    listen 80;
+    server_name coldemailgenrator.online www.coldemailgenrator.online;
+    return 301 https://$host$request_uri;
+}
+# ===============================
+# PUBLIC ACCESS (FRONTEND)
+# ===============================
 
-    upstream frontend_upstream {
-        server frontend:8501;  # service name + internal port
-    }
-    server {
-        listen 443 ssl http2;
-        server_name coldemailgenrator.online www.coldemailgenrator.online;
+upstream frontend_upstream {
+    server frontend:8501;  # service name + internal port
+}
+server {
+    listen 443 ssl http2;
+    server_name coldemailgenrator.online www.coldemailgenrator.online;
 
-        ssl_certificate /etc/letsencrypt/live/coldemailgenrator.online/fullchain.pem;
-        ssl_certificate_key /etc/letsencrypt/live/coldemailgenrator.online/privkey.pem;
+    ssl_certificate /etc/letsencrypt/live/coldemailgenrator.online/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/coldemailgenrator.online/privkey.pem;
 
-        ssl_protocols TLSv1.2 TLSv1.3;
-        ssl_ciphers HIGH:!aNULL:!MD5;
-        
-        # ===============================
-        # SECURITY HEADERS
-        # ===============================
-        add_header X-Frame-Options "DENY" always;
-        add_header X-Content-Type-Options "nosniff" always;
-        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
-        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
-        add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers HIGH:!aNULL:!MD5;
+    
+    # ===============================
+    # SECURITY HEADERS
+    # ===============================
+    add_header X-Frame-Options "DENY" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+    add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
 
-        location / {
-            proxy_pass http://frontend_upstream;
+    location / {
+        proxy_pass http://frontend_upstream;
 
-            proxy_set_header Host $host;
-            proxy_set_header X-Real-IP $remote_addr;
-            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-            proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
 
-            proxy_http_version 1.1;
-            proxy_set_header Upgrade $http_upgrade;
-            proxy_set_header Connection "upgrade";
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
 
-            proxy_buffering off;
-        }
+        proxy_buffering off;
     }
+}
 
-    # ===============================
-    # HTTP → HTTPS (MONITORING)
-    # ===============================
-    server {
-        listen 80;
-        server_name monitoring.coldemailgenrator.online;
-        return 301 https://$host$request_uri;
-    }
-    # ===============================
-    # PRIVATE VPN MONITORING (IP ONLY)
-    # ===============================
+# ===============================
+# HTTP → HTTPS (MONITORING)
+# ===============================
+server {
+    listen 80;
+    server_name monitoring.coldemailgenrator.online;
+    return 301 https://$host$request_uri;
+}
+# ===============================
+# PRIVATE VPN MONITORING (IP ONLY)
+# ===============================
 
-    server {
-        listen 443 ssl http2;
-        server_name monitoring.coldemailgenrator.online;
+server {
+    listen 443 ssl http2;
+    server_name monitoring.coldemailgenrator.online;
 
-        ssl_certificate /etc/letsencrypt/live/coldemailgenrator.online/fullchain.pem;
-        ssl_certificate_key /etc/letsencrypt/live/coldemailgenrator.online/privkey.pem;
+    ssl_certificate /etc/letsencrypt/live/coldemailgenrator.online/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/coldemailgenrator.online/privkey.pem;
 
-        # VPN ONLY
-        allow 172.16.100.0/27;
-        allow 172.17.0.0/16;  # Docker bridge subnet
-        deny all;
+    # VPN ONLY
+    allow 172.16.100.0/27;
+    allow 172.17.0.0/16;  # Docker bridge subnet
+    deny all;
 
-        location /monitoring/prometheus/ {
-            proxy_pass http://prometheus:9090;
-            proxy_set_header Host $host;
-            proxy_set_header X-Forwarded-Proto https;
-            proxy_set_header X-Forwarded-Prefix /monitoring/prometheus;
-            proxy_redirect off;
-        }
+    location /monitoring/prometheus/ {
+        proxy_pass http://prometheus:9090;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_set_header X-Forwarded-Prefix /monitoring/prometheus;
+        proxy_redirect off;
+    }
 
-        location /monitoring/grafana/ {
-            proxy_pass http://grafana:3000;
-            proxy_set_header Host $host;
-            proxy_set_header X-Forwarded-Proto https;
-            proxy_set_header X-Forwarded-Prefix /monitoring/grafana;
-            proxy_redirect off;
-        }
+    location /monitoring/grafana/ {
+        proxy_pass http://grafana:3000;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_set_header X-Forwarded-Prefix /monitoring/grafana;
+        proxy_redirect off;
     }
 }