diff --git a/nginx b/nginx
index 3646892a..08f7e3ed 100644
--- a/nginx
+++ b/nginx
@@ -1,170 +1,177 @@ -# ------------------------------------------------------------ -# Server block for api.evibes.com -# ------------------------------------------------------------ -server { - server_name api.evibes.com b2b.evibes.com; - listen 443 ssl; - ssl_certificate /etc/letsencrypt/live/evibes.com/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/evibes.com/privkey.pem; - include /etc/letsencrypt/options-ssl-nginx.conf; - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; +set $domain evibes.com; +set $backend_root evibes-backend-django; +set $frontend_root evibes-frontend-vue; +upstream django_backend { + server 127.0.0.1:8000; +} + +upstream prom_backend { + server 127.0.0.1:9090; +} + +server { + listen 443 ssl http2; + server_name api.$domain b2b.$domain; + ssl_certificate /etc/letsencrypt/live/$domain/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/$domain/privkey.pem; + include /etc/letsencrypt/options-ssl-nginx.conf; + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 10m; + ssl_session_tickets off; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + add_header X-Frame-Options SAMEORIGIN always; + add_header X-Content-Type-Options nosniff always; + add_header Referrer-Policy no-referrer-when-downgrade always; client_max_body_size 100M; - location / { - proxy_pass http://localhost:8000; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass http://django_backend; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; } - # Serve favicon (static file—CORS headers are inherited from the server block) location /favicon.ico { add_header Access-Control-Allow-Origin "*"; - root 
/var/jenkins/workspace/evibes-backend-django/static; + root /var/jenkins/workspace/$backend_root/static; } location = /robots.txt { add_header Access-Control-Allow-Origin "*"; - alias /var/jenkins/workspace/evibes-backend-django/static/robots_backend.txt; - default_type text/plain; + alias /var/jenkins/workspace/$backend_root/static/robots_backend.txt; + default_type text/plain; } - # Media files (served with CORS via the server block add_header directives) location /media/ { add_header Access-Control-Allow-Origin "*"; - root /var/jenkins/workspace/evibes-backend-django/; + root /var/jenkins/workspace/$backend_root; } - # Static files (served with CORS via the server block add_header directives) location /static/ { add_header Access-Control-Allow-Origin "*"; - root /var/jenkins/workspace/evibes-backend-django/; + root /var/jenkins/workspace/$backend_root; } error_page 500 502 503 504 /maintenance.html; location = /maintenance.html { add_header Access-Control-Allow-Origin "*"; - root /var/jenkins/workspace/evibes-backend-django/static; + root /var/jenkins/workspace/$backend_root/static; internal; } } -# ------------------------------------------------------------ -# Server block for evibes.com and www.evibes.com (Frontend) -# ------------------------------------------------------------ server { - server_name evibes.com www.evibes.com; - listen 443 ssl; - ssl_certificate /etc/letsencrypt/live/evibes.com/fullchain.pem; - ssl_certificate_key /etc/letsencrypt/live/evibes.com/privkey.pem; - include /etc/letsencrypt/options-ssl-nginx.conf; - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; + listen 443 ssl http2; + server_name $domain www.$domain; + ssl_certificate /etc/letsencrypt/live/$domain/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/$domain/privkey.pem; + include /etc/letsencrypt/options-ssl-nginx.conf; + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 10m; + ssl_session_tickets off; + add_header 
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+ add_header X-Frame-Options SAMEORIGIN always;
+ add_header X-Content-Type-Options nosniff always;
+ add_header Referrer-Policy no-referrer-when-downgrade always;
+
+ location ~* \.(?:js|css|png|jpe?g|gif|svg|woff2?)$ {
+ root /var/jenkins/workspace/$frontend_root/dist;
+ try_files $uri =404;
+ add_header Cache-Control "public, max-age=31536000, immutable";
+ access_log off;
+ }
 location /favicon.ico {
 add_header Access-Control-Allow-Origin "*";
- root /var/jenkins/workspace/evibes-backend-django/static;
+ root /var/jenkins/workspace/$backend_root/static;
 }
 location / {
- root /var/jenkins/workspace/evibes-frontend-vue/dist;
- try_files $uri $uri/ /index.html @maintenance;
+ root /var/jenkins/workspace/$frontend_root/dist;
+ try_files $uri $uri/ /index.html @maintenance;
 }
 location = /index.html {
- root /var/jenkins/workspace/evibes-frontend-vue/dist;
- try_files $uri @maintenance;
+ root /var/jenkins/workspace/$frontend_root/dist;
+ try_files $uri @maintenance;
 }
 location = /robots.txt {
 add_header Access-Control-Allow-Origin "*";
- alias /var/jenkins/workspace/evibes-backend-django/static/robots_frontend.txt;
- default_type text/plain;
+ alias /var/jenkins/workspace/$backend_root/static/robots_frontend.txt;
+ default_type text/plain;
 }
 location ~ ^/sitemap(?:-(?P
[a-z]+)(?:-(?P\d+))?)?\.xml$ {
- proxy_pass http://localhost:8000$request_uri;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header Accept "application/xml";
+ proxy_pass http://django_backend$request_uri;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Accept "application/xml";
 }
 location @maintenance {
- return 503;
+ return 503;
 }
 error_page 503 404 500 502 504 /maintenance.html;
 location = /maintenance.html {
- root /var/jenkins/workspace/evibes-backend-django/static;
 add_header Access-Control-Allow-Origin "*";
+ root /var/jenkins/workspace/$backend_root/static;
 internal;
 }
 }
-# ------------------------------------------------------------
-# Server block for prometheus.evibes.com
-# ------------------------------------------------------------
 server {
- server_name prometheus.evibes.com;
- listen 443 ssl;
- ssl_certificate /etc/letsencrypt/live/evibes.com/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/evibes.com/privkey.pem;
- include /etc/letsencrypt/options-ssl-nginx.conf;
- ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
-
+ listen 443 ssl http2;
+ server_name prometheus.$domain;
+ ssl_certificate /etc/letsencrypt/live/$domain/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/$domain/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+ ssl_session_tickets off;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+ add_header X-Frame-Options SAMEORIGIN always;
+ add_header X-Content-Type-Options nosniff always;
+ add_header Referrer-Policy no-referrer-when-downgrade always;
client_max_body_size 100M;
 location / {
- proxy_pass http://localhost:9090;
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_pass http://prom_backend;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
 }
 location = /robots.txt {
 add_header Access-Control-Allow-Origin "*";
- alias /var/jenkins/workspace/evibes-backend-django/static/robots_backend.txt;
- default_type text/plain;
+ alias /var/jenkins/workspace/$backend_root/static/robots_backend.txt;
+ default_type text/plain;
 }
 location /favicon.ico {
 add_header Access-Control-Allow-Origin "*";
- root /var/jenkins/workspace/evibes-backend-django/static;
+ root /var/jenkins/workspace/$backend_root/static;
 }
 error_page 500 502 503 504 /maintenance.html;
 location = /maintenance.html {
- root /var/jenkins/workspace/evibes-backend-django/static;
 add_header Access-Control-Allow-Origin "*";
+ root /var/jenkins/workspace/$backend_root/static;
 internal;
 }
 }
-# ------------------------------------------------------------
-# HTTP → HTTPS Redirects
-# ------------------------------------------------------------
 server {
- if ($host = www.evibes.com) {
- return 301 https://$host$request_uri;
- }
- if ($host = evibes.com) {
- return 301 https://$host$request_uri;
- }
- server_name evibes.com www.evibes.com;
 listen 80;
- return 404;
-}
-
-server {
- if ($host = api.evibes.com) {
- return 301 https://$host$request_uri;
- }
- server_name api.evibes.com;
- listen 80;
- return 404;
+ server_name api.$domain b2b.$domain www.$domain $domain prometheus.$domain;
+ return 301 https://$host$request_uri;
 }
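Review bot: The new top-level `set $domain …`, `set $backend_root …` and `set $frontend_root …` lines at the start of the hunk sit outside any `server` block, where `set` is not allowed (its contexts are server, location and if), so the rewritten file fails `nginx -t` before anything else is evaluated; and even inside a server block `server_name api.$domain b2b.$domain` would not be expanded, because `server_name` takes literal or regex names, not variables. Keep the hostnames literal (`server_name api.evibes.com b2b.evibes.com;`, likewise the `ssl_certificate` paths) and either move the path variables inside each `server {}` or render this file from a template at deploy time. This also matters for the consolidated port-80 block at the end of the hunk: with a `server_name` that matches nothing it becomes the only :80 server and answers every Host, and `return 301 https://$host$request_uri` then reflects an arbitrary Host header into the redirect, whereas the old blocks returned 404 for unmatched hosts — keep a catch-all such as `listen 80 default_server; return 444;` next to a literal-named redirect. Separately, the server-level `add_header Strict-Transport-Security …` and companions are not inherited into any location that declares its own `add_header` (nginx inherits add_header only when the current level has none), so `/favicon.ico`, `/robots.txt`, `/media/`, `/static/`, `/maintenance.html` and the new cache-control asset location in the frontend server all go out without HSTS; repeat the security headers in those locations or move them into an included snippet. Finally, as rendered the api server's `location / {` is removed with no replacement while its `proxy_pass`/`proxy_set_header` lines are re-added, which would put `proxy_pass` in server context; if that is not just a collapsed blank line in this view, `location / {` needs restoring.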