# ------------------------------------------------------------ # lcbp3.np-dms.work # ------------------------------------------------------------ map $scheme $hsts_header { https "max-age=63072000; preload"; } server { set $forward_scheme http; set $server "dms_frontend"; set $port 3000; listen 80; listen [::]:80; listen 443 ssl; listen [::]:443 ssl; server_name lcbp3.np-dms.work; http2 on; # Let's Encrypt SSL include conf.d/include/letsencrypt-acme-challenge.conf; include conf.d/include/ssl-cache.conf; include conf.d/include/ssl-ciphers.conf; ssl_certificate /etc/letsencrypt/live/npm-7/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/npm-7/privkey.pem; # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years) add_header Strict-Transport-Security $hsts_header always; # Force SSL include conf.d/include/force-ssl.conf; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $http_connection; proxy_http_version 1.1; access_log /data/logs/proxy-host-7_access.log proxy; error_log /data/logs/proxy-host-7_error.log warn; # ===== ขนาดไฟล์/timeout ระดับ Host ===== client_max_body_size 200m; client_body_timeout 60s; send_timeout 60s; # ===== Proxy headers พื้นฐาน (ส่งให้ backend ทุกตัว) ===== # ที่นี่จะเป็นที่กำหนด header หลักเพียงแห่งเดียว proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # ===== WebSocket/SSE header ระดับ Host ===== # พร้อมสำหรับทุก location ที่อาจต้องใช้ WebSocket proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; # ใช้ "upgrade" โดยตรงจะเสถียรกว่า # ===== สำคัญสำหรับคุกกี้ HttpOnly (ให้ทุก backend) ===== proxy_pass_header Set-Cookie; # ===== Security headers ระดับ Host (ยอดเยี่ยมมากครับ) ===== add_header X-Content-Type-Options "nosniff" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header Referrer-Policy "no-referrer-when-downgrade" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; location /health { proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; proxy_read_timeout 15s; proxy_send_timeout 15s; proxy_set_header Host $host; proxy_set_header X-Forwarded-Scheme $scheme; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Real-IP $remote_addr; proxy_pass http://dms_frontend:3000; # Force SSL include conf.d/include/force-ssl.conf; # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years) add_header Strict-Transport-Security $hsts_header always; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $http_connection; proxy_http_version 1.1; } location /_next/static/ { proxy_set_header Host $host; add_header Cache-Control "public, max-age=31536000, immutable"; proxy_set_header Host $host; proxy_set_header X-Forwarded-Scheme $scheme; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Real-IP $remote_addr; proxy_pass http://dms_frontend:3000; # Force SSL include conf.d/include/force-ssl.conf; # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years) add_header Strict-Transport-Security $hsts_header always; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $http_connection; proxy_http_version 1.1; } location /api/ { # ===== CORS Configuration ===== set $cors_allow_origin ""; if ($http_origin ~* "^https?://(localhost(:\\d+)?|127\\.0\\.0\\.1(:\\d+)?|np-dms\\.work|www\\.np-dms\\.work|lcbp3\\.np-dms\\.work)$") { set $cors_allow_origin $http_origin; } add_header Vary "Origin" always; add_header Access-Control-Allow-Credentials "true" always; add_header Access-Control-Allow-Origin $cors_allow_origin always; add_header Access-Control-Expose-Headers "Content-Disposition,Content-Length" always; add_header Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS" always; add_header Access-Control-Allow-Headers "Authorization, Content-Type, Accept, Origin, Referer, User-Agent, X-Requested-With, Cache-Control, Pragma" always; # ===== OPTIONS preflight ===== if ($request_method = OPTIONS) { add_header Content-Length 0; add_header Content-Type text/plain; add_header Access-Control-Allow-Origin $cors_allow_origin always; add_header Access-Control-Allow-Credentials "true" always; add_header Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS" always; add_header Access-Control-Allow-Headers "Authorization, Content-Type, Accept, Origin, Referer, User-Agent, X-Requested-With, Cache-Control, Pragma" always; return 204; } proxy_set_header Host $host; proxy_set_header X-Forwarded-Scheme $scheme; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Real-IP $remote_addr; proxy_pass http://dms_backend:3001; # Force SSL include conf.d/include/force-ssl.conf; # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years) add_header Strict-Transport-Security $hsts_header always; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $http_connection; proxy_http_version 1.1; } location / { # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years) add_header Strict-Transport-Security $hsts_header always; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $http_connection; proxy_http_version 1.1; # Proxy! include conf.d/include/proxy.conf; } # Custom include /data/nginx/custom/server_proxy[.]conf; }