# Production Nginx Configuration # Based on default.conf but adapted for single-container deployment # PHP-FPM runs in same container via Supervisor upstream php-upstream { server 127.0.0.1:9000; } # HTTP Server - Redirect to HTTPS server { listen 80; listen [::]:80; server_name _; # Health check on HTTP location /health { access_log off; return 200 "healthy\n"; add_header Content-Type text/plain; } # ACME Challenge for Let's Encrypt location ^~ /.well-known/acme-challenge/ { default_type "text/plain"; root /var/www/certbot; allow all; } # Redirect all other traffic to HTTPS location / { return 301 https://$host$request_uri; } } # HTTPS Server server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name _; # SSL Configuration ssl_certificate /var/www/ssl/cert.pem; ssl_certificate_key /var/www/ssl/key.pem; ssl_protocols TLSv1.3 TLSv1.2; ssl_prefer_server_ciphers on; ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384; root /var/www/html/public; index index.php index.html; # Security headers add_header X-Frame-Options "DENY" always; add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; add_header Referrer-Policy "no-referrer-when-downgrade" always; add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always; # Gzip gzip on; gzip_vary on; gzip_types text/css application/javascript application/json image/svg+xml; gzip_comp_level 5; # ACME Challenge for Let's Encrypt location ^~ /.well-known/acme-challenge/ { default_type "text/plain"; root /var/www/certbot; allow all; } # Health check endpoint location /health { access_log off; return 200 "healthy\n"; add_header Content-Type text/plain; } # Static assets with caching location ~* \.(jpg|jpeg|png|gif|ico|svg|woff|woff2|ttf|eot)$ { expires 1y; add_header Cache-Control "public, immutable"; try_files $uri =404; } location ~* \.(css|js|map)$ { expires 1w; add_header Cache-Control "public, max-age=604800"; try_files $uri =404; } # Service Worker location = /sw.js { alias /var/www/html/public/sw.js; add_header Cache-Control "no-cache, must-revalidate"; add_header Service-Worker-Allowed "/"; } location = /js/sw-push.js { alias /var/www/html/public/js/sw-push.js; add_header Cache-Control "no-cache, must-revalidate"; add_header Service-Worker-Allowed "/"; add_header Content-Type "application/javascript; charset=utf-8"; } # Main application location / { try_files $uri $uri/ /index.php?$query_string; autoindex off; } # PHP-FPM location ~ \.php$ { try_files $uri =404; include fastcgi_params; fastcgi_pass php-upstream; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_param APP_ENV production; fastcgi_param HTTPS on; fastcgi_read_timeout 60s; fastcgi_connect_timeout 60s; fastcgi_send_timeout 60s; fastcgi_buffer_size 128k; fastcgi_buffers 4 256k; fastcgi_busy_buffers_size 256k; fastcgi_keep_conn on; fastcgi_hide_header X-Powered-By; } # Deny access to hidden files location ~ /\.(?!well-known).* { deny all; access_log off; log_not_found off; } # Prevent PHP execution in uploads location ~* /(?:uploads|files)/.*\.php$ { deny all; } # Error pages error_page 404 /errors/404.html; error_page 403 /errors/403.html; error_page 500 502 503 504 /errors/50x.html; location /errors/ { internal; } server_tokens off; }