# Enhanced NGINX Configuration for Nexjob Production
# This configuration addresses the authentication and proxy issues
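server {
    listen 443 ssl http2; # Enable HTTP/2 for better performance

    # Canonical host only. www.nexjob.tech is left to the dedicated www
    # redirect server block in this file: when two server blocks on the same
    # listen socket claim the same name, nginx keeps the first one and ignores
    # the other with a "conflicting server name" warning, so listing www here
    # would shadow that redirect.
    server_name nexjob.tech;

    ssl_certificate /etc/letsencrypt/live/nexjob.tech/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nexjob.tech/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # Enhanced SSL settings
    # NOTE(review): certbot's stock options-ssl-nginx.conf already sets
    # ssl_session_cache, ssl_session_timeout and ssl_prefer_server_ciphers; if
    # the included copy does too, `nginx -t` rejects these as duplicate
    # directives. Confirm against the included file.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_prefer_server_ciphers on;

    # Security headers. These are inherited only by locations that declare no
    # add_header of their own; the static-asset location below declares one and
    # therefore repeats them.
    # NOTE(review): no Strict-Transport-Security header is sent, so a first
    # visit over plain HTTP is not pinned to HTTPS. X-XSS-Protection is
    # deprecated in current browsers; a Content-Security-Policy is the modern
    # replacement.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # CORS headers for admin panel. The allowed origin is pinned to this site's
    # own origin, which is what makes Allow-Credentials "true" acceptable here;
    # do not widen it to "*" or to a reflected request origin.
    add_header Access-Control-Allow-Credentials "true" always;
    add_header Access-Control-Allow-Origin "https://nexjob.tech" always;
    add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
    add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization, Cache-Control" always;

    # Default route: everything not matched by a more specific location is
    # proxied to the application on localhost:3000.
    location / {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;

        # WebSocket upgrade plumbing.
        # NOTE(review): Connection is forced to 'upgrade' on every request, not
        # only on WebSocket handshakes. The usual pattern derives it from
        # $http_upgrade with an http-level map, which lives outside this file.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';

        # Tell the backend which host, scheme and client it is serving.
        # $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For the
        # client sent, so the backend should trust X-Real-IP (or only the last
        # X-Forwarded-For entry) for the client address.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;

        # The client's Origin and Referer are forwarded unchanged (nginx passes
        # request headers through by default). Overwriting them with this
        # site's own origin would make every cross-site request look
        # same-origin to the backend and defeat any Origin/Referer-based CSRF
        # check, so they are deliberately not set here.

        # Disable proxy buffering for real-time features
        proxy_buffering off;
        proxy_cache_bypass $http_upgrade;

        # Increase timeouts for admin operations
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;

        # Handle WebSocket connections properly. These end-to-end headers are
        # normally forwarded by default already; kept explicit as written.
        proxy_set_header Sec-WebSocket-Extensions $http_sec_websocket_extensions;
        proxy_set_header Sec-WebSocket-Key $http_sec_websocket_key;
        proxy_set_header Sec-WebSocket-Version $http_sec_websocket_version;
    }

    # Special handling for admin panel to prevent authentication issues.
    # "^~" stops nginx from preferring the regex static-asset location for
    # admin URLs that happen to end in .js/.css/.png, which would otherwise
    # pick up the public Cache-Control header and skip the cookie rewriting.
    location ^~ /admin {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;

        # Enhanced headers for admin authentication
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;

        # Origin and Referer are passed through from the client unmodified so
        # that the backend's CSRF / same-origin checks see the real values.

        # Disable all caching for admin panel.
        # No proxy_cache zone is configured in this file, so the two cache
        # switches only matter if one is enabled elsewhere.
        proxy_buffering off;
        proxy_cache_bypass 1;
        proxy_no_cache 1;

        # Extended timeouts for admin operations
        proxy_connect_timeout 120s;
        proxy_send_timeout 120s;
        proxy_read_timeout 120s;

        # Ensure cookies are passed through correctly: rewrite a Domain of
        # "localhost" set by the backend to the public host name.
        proxy_cookie_domain localhost nexjob.tech;
        proxy_cookie_path / /;
    }

    # API routes need special handling for CORS and authentication.
    # "^~" keeps API URLs with a static-looking extension out of the cached
    # static-asset location, so authenticated responses are never tagged
    # "public, max-age=3600".
    location ^~ /api/ {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;

        # Essential for API authentication. Origin is forwarded from the client
        # unmodified (see the note in "location /"); Authorization is passed
        # explicitly as in the original configuration.
        proxy_set_header Authorization $http_authorization;

        # No caching for API routes
        proxy_buffering off;
        proxy_cache_bypass 1;

        # Extended timeouts for API operations
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
    }

    # Static assets can be cached
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Cache static assets.
        # proxy_cache_valid has no effect unless a proxy_cache zone is enabled;
        # none is configured in this file.
        proxy_cache_valid 200 1h;
        add_header Cache-Control "public, max-age=3600";

        # Declaring add_header in this location discards the server-level
        # add_header set, so the security headers are repeated here.
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    }
}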
# Redirect HTTP to HTTPS
server {
    # Plain-HTTP listener for both host names; it serves no content itself.
    server_name nexjob.tech www.nexjob.tech;
    listen 80;

    # Permanent redirect to the same host and URI over HTTPS.
    # NOTE(review): $host is taken from the request. If this block is the
    # default server for port 80 (not determinable from this file), an
    # arbitrary Host header would be reflected into the Location header.
    return 301 https://$host$request_uri;
}
# Redirect www to non-www (optional, for consistency)
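server {
    # HTTPS listener whose only job is to send www.nexjob.tech visitors to the
    # bare domain.
    # NOTE(review): nginx honours only the first server block on a listen
    # socket that claims a given name; this redirect is skipped if another
    # 443 block also lists www.nexjob.tech in its server_name.
    listen 443 ssl http2;
    server_name www.nexjob.tech;

    ssl_certificate /etc/letsencrypt/live/nexjob.tech/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nexjob.tech/privkey.pem;

    # Use the same certbot-managed protocol/cipher settings and DH parameters
    # as the main vhost, so the TLS handshake for www is not left on nginx's
    # built-in defaults.
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # Redirect www to non-www. The target host is a fixed literal, so nothing
    # from the request's Host header reaches the Location header.
    return 301 https://nexjob.tech$request_uri;
}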