events { worker_connections 1024; } http { include /etc/nginx/mime.types; default_type application/octet-stream; sendfile on; keepalive_timeout 65; # HTTP server - redirect to HTTPS server { listen 3000; server_name motovaultpro.com *.motovaultpro.com localhost; # Redirect all HTTP traffic to HTTPS return 301 https://$host:3443$request_uri; } # HTTPS server server { listen 3443 ssl http2; server_name motovaultpro.com *.motovaultpro.com localhost; # SSL certificate configuration ssl_certificate /etc/nginx/certs/motovaultpro.com.crt; ssl_certificate_key /etc/nginx/certs/motovaultpro.com.key; # Modern SSL configuration ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384; ssl_prefer_server_ciphers off; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; # Security headers add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Frame-Options DENY always; add_header X-Content-Type-Options nosniff always; root /usr/share/nginx/html; index index.html; # Handle client-side routing location / { try_files $uri $uri/ /index.html; } # API proxy to backend location /api { proxy_pass http://backend:3001; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Port $server_port; } # Enable gzip compression gzip on; gzip_vary on; gzip_min_length 1024; gzip_types text/plain text/css text/xml text/javascript application/javascript application/xml+rss application/json; } }