events { worker_connections 1024; } http { include /etc/nginx/mime.types; default_type application/octet-stream; # Access log format – captures real client IP via X-Forwarded-For log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; error_log /var/log/nginx/error.log warn; gzip on; gzip_types text/plain text/css application/json application/javascript; sendfile on; # ── HTTP → HTTPS redirect ───────────────────────────────────────────────── server { listen 80; server_name DOMAIN_PLACEHOLDER; return 301 https://$host$request_uri; } # ── HTTPS server ────────────────────────────────────────────────────────── server { listen 443 ssl; server_name DOMAIN_PLACEHOLDER; ssl_certificate /etc/letsencrypt/live/DOMAIN_PLACEHOLDER/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/DOMAIN_PLACEHOLDER/privkey.pem; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; access_log /var/log/nginx/access.log main; # Static frontend (served by nginx directly) location / { root /usr/share/nginx/html; index index.html; try_files $uri $uri/ /index.html; } # Backend API location /api/ { proxy_pass http://backend:8000; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } # Short link redirects location /s/ { proxy_pass http://backend:8000; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } # Health check location /health { proxy_pass http://backend:8000; } } }