From 737b7ad081a206f59fe83a3a9a76f538b282ec09 Mon Sep 17 00:00:00 2001
From: iamdoubz <4871781+iamdoubz@users.noreply.github.com>
Date: Tue, 5 Aug 2025 10:25:23 -0500
Subject: [PATCH] Create nginx.conf

---
 docs/nginx.conf | 92 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 92 insertions(+)
 create mode 100644 docs/nginx.conf

diff --git a/docs/nginx.conf b/docs/nginx.conf
new file mode 100644
index 00000000..d5cf2ba8
--- /dev/null
+++ b/docs/nginx.conf
@@ -0,0 +1,92 @@
+# Robust maxun nginx config file
+# DO NOT uncomment commented lines unless YOU know what they mean and YOU know what YOU are doing!
+### HTTP server block ###
+server {
+    server_name maxun.my.domain;
+    root /usr/share/nginx/html;
+    listen 80;
+    server_tokens off;
+    return 301 https://$server_name$request_uri;
+}
+### HTTPS server block ###
+server {
+### Default config ###
+    server_name maxun.my.domain;
+    root /usr/share/nginx/html;
+    access_log /var/log/nginx/maxun_access.log;
+    error_log /var/log/nginx/maxun_error.log info;
+    listen 443 ssl;
+    http2 on;
+    server_tokens off;
+### SSL config ###
+    ssl_certificate /etc/letsencrypt/live/my.domain/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/my.domain/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/my.domain/chain.pem;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    #ssl_ecdh_curve X25519MLKEM768:X25519:prime256v1:secp384r1;
+    ssl_ecdh_curve X25519:prime256v1:secp384r1;
+    ssl_prefer_server_ciphers off;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+    ssl_stapling off;
+    ssl_stapling_verify off;
+    ssl_session_cache shared:MozSSL:10m;
+    ssl_session_tickets off;
+    ssl_session_timeout 1d;
+    ssl_dhparam dh.pem;
+    #ssl_conf_command Options KTLS;
+### Performance tuning config ###
+    client_max_body_size 512M;
+    client_body_timeout 300s;
+    client_body_buffer_size 256k;
+    #pagespeed off;
+### Compression ###
+ ## gzip ##
+    gzip            on;
+    gzip_vary       on;
+    gzip_comp_level 5;
+    gzip_min_length 256;
+    gzip_disable    msie6;
+    gzip_proxied    expired no-cache no-store private no_last_modified no_etag auth;
+    gzip_buffers    16 8k;
+    gzip_types      application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+ ## brotli: enable only if you have compiled nginx with brotli support!!! ##
+    #brotli            on;
+    #brotli_static     on;
+    #brotli_comp_level 6;
+    #brotli_types      application/atom+xml application/javascript application/json application/rss+xml
+    #                  application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype
+    #                  application/x-font-ttf application/x-javascript application/xhtml+xml application/xml
+    #                  font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon
+    #                  image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml;
+### Default headers ###
+    add_header Referrer-Policy                   "no-referrer"       always;
+    add_header X-Content-Type-Options            "nosniff"           always;
+    add_header X-Frame-Options                   "SAMEORIGIN"        always;
+    add_header X-Permitted-Cross-Domain-Policies "none"              always;
+    add_header X-Robots-Tag                      "noindex, nofollow" always;
+    add_header X-XSS-Protection                  "1; mode=block"     always;
+    add_header Permissions-Policy                "geolocation=(self), midi=(self), sync-xhr=(self), microphone=(self), camera=(self), magnetometer=(self), gyroscope=(self), fullscreen=(self), payment=(self), interest-cohort=()";
+### Proxy rules ###
+    # Backend web traffic and websockets
+    location  ~ ^/(auth|storage|record|workflow|robot|proxy|api-docs|api|webhook|socket.io)(/|$) {
+        proxy_pass http://localhost:8080; #Change the port number to match .env file BACKEND_PORT variable
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+    # Frontend web traffic
+    location / {
+        proxy_pass         http://localhost:5173; #Change the port number to match .env file FRONTEND_PORT variable
+        proxy_http_version 1.1;
+        proxy_set_header   Upgrade $http_upgrade;
+        proxy_set_header   Connection 'upgrade';
+        proxy_set_header   Host $host;
+        proxy_set_header   X-Real-IP $remote_addr;
+        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header   X-Forwarded-Proto $scheme;
+    }
+}