# ------------------------------------------------------------ # lcbp3.np-dms.work # ------------------------------------------------------------ map $scheme $hsts_header { https "max-age=63072000; preload"; } server { set $forward_scheme http; set $server "dms_frontend"; set $port 3000; listen 80; listen [::]:80; listen 443 ssl; listen [::]:443 ssl; server_name lcbp3.np-dms.work; http2 on; # Let's Encrypt SSL include conf.d/include/letsencrypt-acme-challenge.conf; include conf.d/include/ssl-cache.conf; include conf.d/include/ssl-ciphers.conf; ssl_certificate /etc/letsencrypt/live/npm-7/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/npm-7/privkey.pem; # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years) add_header Strict-Transport-Security $hsts_header always; # Force SSL include conf.d/include/force-ssl.conf; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $http_connection; proxy_http_version 1.1; access_log /data/logs/proxy-host-3_access.log proxy; error_log /data/logs/proxy-host-3_error.log warn; # ===== ขนาดไฟล์/timeout ระดับ Host ===== client_max_body_size 200m; client_body_timeout 60s; send_timeout 60s; # ===== Proxy headers พื้นฐาน (ให้ backend รู้ proto จริง) ===== proxy_set_header X-Forwarded-Proto $scheme; # ===== WebSocket/SSE header ระดับ Host ===== # หมายเหตุ: ถ้า $connection_upgrade ยังไม่ถูกนิยามในระบบคุณ # ให้เปลี่ยนบรรทัดที่สองเป็น: proxy_set_header Connection "upgrade"; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; # ===== สำคัญสำหรับคุกกี้ HttpOnly ===== # อย่าตัด Set-Cookie ของ backend ทิ้ง proxy_pass_header Set-Cookie; # ===== Security headers ระดับ Host ===== add_header X-Content-Type-Options nosniff always; add_header X-Frame-Options SAMEORIGIN always; add_header Referrer-Policy "no-referrer-when-downgrade" always; # เปิด HSTS เมื่อมั่นใจว่าทุก subdomain ใช้ HTTPS เท่านั้น # (ถ้ามีซับโดเมนที่ยังไม่ HTTPS ให้เอา includeSubDomains ออกชั่วคราว) add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; location /health { proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; proxy_read_timeout 15s; proxy_send_timeout 15s; proxy_set_header Host $host; proxy_set_header X-Forwarded-Scheme $scheme; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Real-IP $remote_addr; proxy_pass http://dms_frontend:3000; # Force SSL include conf.d/include/force-ssl.conf; # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years) add_header Strict-Transport-Security $hsts_header always; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $http_connection; proxy_http_version 1.1; } location /_next/static/ { proxy_set_header Host $host; add_header Cache-Control "public, max-age=31536000, immutable"; proxy_set_header Host $host; proxy_set_header X-Forwarded-Scheme $scheme; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Real-IP $remote_addr; proxy_pass http://dms_frontend:3000; # Force SSL include conf.d/include/force-ssl.conf; # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years) add_header Strict-Transport-Security $hsts_header always; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $http_connection; proxy_http_version 1.1; } location /api/ { # === upstream headers พื้นฐาน === proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # แก้จาก "https" → ใช้ $scheme ให้ถูกตามจริง # WebSocket/SSE proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_read_timeout 300s; proxy_send_timeout 300s; proxy_redirect off; # >>> สำคัญสำหรับคุกกี้ <<< proxy_pass_header Set-Cookie; # ให้ Nginx ส่ง Set-Cookie กลับ client (ห้ามตัดทิ้ง) # ---- CORS allowlist ---- set $cors_allow_origin ""; if ($http_origin ~* "^https?://(localhost(:\\d+)?|127\\.0\\.0\\.1(:\\d+)?|np-dms\\.work|www\\.np-dms\\.work|lcbp3\\.np-dms\\.work)$") { set $cors_allow_origin $http_origin; } add_header Vary "Origin" always; add_header Access-Control-Allow-Credentials "true" always; # ถ้าต้องการ allow เฉพาะที่ match เท่านั้น ให้คง pattern เดิมไว้ add_header Access-Control-Allow-Origin $cors_allow_origin always; # เผย header ที่จำเป็นต่อการดาวน์โหลด/ดูไฟล์ add_header Access-Control-Expose-Headers "Content-Disposition,Content-Length" always; add_header Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS" always; add_header Access-Control-Allow-Headers "Authorization, Content-Type, Accept, Origin, Referer, User-Agent, X-Requested-With, Cache-Control, Pragma" always; if ($request_method = OPTIONS) { add_header Content-Length 0; add_header Content-Type text/plain; return 204; } proxy_set_header Host $host; proxy_set_header X-Forwarded-Scheme $scheme; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Real-IP $remote_addr; proxy_pass http://dms_backend:3001; # Force SSL include conf.d/include/force-ssl.conf; # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years) add_header Strict-Transport-Security $hsts_header always; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $http_connection; proxy_http_version 1.1; } location / { # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years) add_header Strict-Transport-Security $hsts_header always; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $http_connection; proxy_http_version 1.1; # Proxy! include conf.d/include/proxy.conf; } # Custom include /data/nginx/custom/server_proxy[.]conf; }