🔒 Enhance Nginx configuration with improved gzip settings, additional security headers, caching rules, API proxy settings, WebSocket support, health check endpoint, and updated error page handling

2026-01-29 06:34:24 +00:00
parent 688f75babf
commit 77ec6436a8
1 changed files with 53 additions and 5 deletions
--- a/code/websites/pokedex.online/nginx.conf
+++ b/code/websites/pokedex.online/nginx.conf
@@ -8,7 +8,18 @@ server {

    # Enable gzip compression
    gzip on;
-    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+    gzip_vary on;
+    gzip_min_length 1024;
+    gzip_proxied any;
+    gzip_comp_level 6;
+    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml;
+
+    # Security headers
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;

    # Serve static files
    location / {
@@ -19,6 +30,39 @@ server {
            expires 1y;
            add_header Cache-Control "public, immutable";
        }
+        
+        # Don't cache HTML files
+        location ~* \.(html)$ {
+            expires -1;
+            add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate";
+        }
+    }
+
+    # Proxy to backend API server (OAuth proxy + Gamemaster API)
+    location /api/ {
+        proxy_pass http://backend:3000/;
+        proxy_http_version 1.1;
+        
+        # Proxy headers
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host $host;
+        
+        # WebSocket support (if needed later)
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        
+        # Timeout settings
+        proxy_connect_timeout 10s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
+        
+        # Buffer settings
+        proxy_buffering on;
+        proxy_buffer_size 4k;
+        proxy_buffers 8 4k;
    }

    # Proxy Challonge API requests to avoid CORS
@@ -58,11 +102,15 @@ server {
        proxy_read_timeout 30s;
    }

-    # Security headers
-    add_header X-Frame-Options "SAMEORIGIN" always;
-    add_header X-Content-Type-Options "nosniff" always;
-    add_header X-XSS-Protection "1; mode=block" always;
+    # Health check endpoint
+    location /health {
+        access_log off;
+        return 200 "healthy\n";
+        add_header Content-Type text/plain;
+    }

    # Error pages
    error_page 404 /index.html;
+    error_page 500 502 503 504 /index.html;
 }
+