From f4fe919fa4560eb7d992fc239e76e270c60da5b3 Mon Sep 17 00:00:00 2001
From: gamvo74
Date: Wed, 25 Feb 2026 10:17:36 -0500
Subject: [PATCH] Finalized Nginx HTTPS config with shared SSL settings and security headers

---
 docker-compose.yml | 1 +
 infrastructure/nginx/conf.d/api.conf | 5 ++++-
 infrastructure/nginx/conf.d/default.conf | 23 -----------------------
 infrastructure/nginx/conf.d/web.conf | 5 ++++-
 infrastructure/nginx/ssl.conf | 10 ++++++++++
 5 files changed, 19 insertions(+), 25 deletions(-)
 delete mode 100644 infrastructure/nginx/conf.d/default.conf
 create mode 100644 infrastructure/nginx/ssl.conf

diff --git a/docker-compose.yml b/docker-compose.yml
index 0db7511..85e9e67 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -55,6 +55,7 @@ services:
 - "443:443"
 volumes:
 - ./infrastructure/nginx/conf.d:/etc/nginx/conf.d
+ - ./infrastructure/nginx/ssl.conf:/etc/nginx/ssl.conf:ro
 - /etc/letsencrypt:/etc/letsencrypt:ro
 depends_on:
 - api
diff --git a/infrastructure/nginx/conf.d/api.conf b/infrastructure/nginx/conf.d/api.conf
index bef278e..ec9c4bd 100644
--- a/infrastructure/nginx/conf.d/api.conf
+++ b/infrastructure/nginx/conf.d/api.conf
@@ -1,7 +1,9 @@
 server {
 listen 80;
 server_name api.proselitigant.tech;
- return 301 https://$host$request_uri;
+ location / {
+ return 301 https://$host$request_uri;
+ }
 }
 
 server {
@@ -10,6 +12,7 @@ server {
 
 ssl_certificate /etc/letsencrypt/live/proselitigant.tech/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/proselitigant.tech/privkey.pem;
+ include /etc/nginx/ssl.conf;
 
 # Security headers
 add_header X-Frame-Options DENY;
diff --git a/infrastructure/nginx/conf.d/default.conf b/infrastructure/nginx/conf.d/default.conf
deleted file mode 100644
index fbefc65..0000000
--- a/infrastructure/nginx/conf.d/default.conf
+++ /dev/null
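Review bot: The conf.d bind mount on the context line just above the new entry is still read-write, while the new ssl.conf mount and the letsencrypt mount beneath it are `:ro`; nginx never needs to write its own configuration, so the asymmetry looks like an oversight rather than a choice. Make it `- ./infrastructure/nginx/conf.d:/etc/nginx/conf.d:ro` so a compromised nginx process cannot rewrite the vhost files on the host. One practical caveat of a single-file bind mount like the new ssl.conf line: editors that save by writing a temp file and renaming replace the host inode, and the container keeps seeing the old file until it is recreated, so a host-side edit plus `nginx -s reload` may silently change nothing.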
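Review bot: The new `return 301 https://$host$request_uri;` line reflects the client-supplied Host header, and nothing in this commit declares a `default_server` on port 80, so a request with an unmatched or bare-IP Host is routed to whichever conf.d file nginx loads first — on the visible file names that is this block — which makes it an open redirect to an attacker-chosen host. Redirect to the configured name instead, `return 301 https://$server_name$request_uri;`, and add a catch-all `server { listen 80 default_server; return 444; }` so unknown hosts are dropped rather than forwarded. Wrapping the return in `location /` behaves the same as the server-level `return` it replaces; if the intent is to carve out a `/.well-known/acme-challenge/` location for certificate renewal, that location is not in this hunk and should be added alongside this change.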
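Review bot: The header set by the newly included ssl.conf is declared with `always`, but `add_header X-Frame-Options DENY;` on the context line below the include is not, so nginx omits it on 4xx/5xx responses — precisely the error pages an attacker can provoke at will and frame. Change it to `add_header X-Frame-Options DENY always;`, and do the same for any further security headers in this server block, which continues past the end of the hunk. The `ssl_certificate` lines above the include point the `api.` vhost at the `proselitigant.tech` lineage, which is presumably a SAN certificate that lists `api.proselitigant.tech` — worth confirming, since a mismatch would only surface as a browser error at runtime.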
@@ -1,23 +0,0 @@
-server {
- listen 80;
- server_name localhost;
-
- location / {
- proxy_pass http://web:3000;
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection 'upgrade';
- proxy_set_header Host $host;
- proxy_cache_bypass $http_upgrade;
- }
-
- location /api {
- rewrite ^/api/(.*) /$1 break;
- proxy_pass http://api:4000;
- proxy_http_version 1.1;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection 'upgrade';
- proxy_set_header Host $host;
- proxy_cache_bypass $http_upgrade;
- }
-}
diff --git a/infrastructure/nginx/conf.d/web.conf b/infrastructure/nginx/conf.d/web.conf
index 2b1243b..cb6a8d3 100644
--- a/infrastructure/nginx/conf.d/web.conf
+++ b/infrastructure/nginx/conf.d/web.conf
@@ -1,7 +1,9 @@
 server {
 listen 80;
 server_name proselitigant.tech;
- return 301 https://$host$request_uri;
+ location / {
+ return 301 https://$host$request_uri;
+ }
 }
 
 server {
@@ -10,6 +12,7 @@ server {
 
 ssl_certificate /etc/letsencrypt/live/proselitigant.tech/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/proselitigant.tech/privkey.pem;
+ include /etc/nginx/ssl.conf;
 
 # Security headers
 add_header X-Frame-Options SAMEORIGIN;
diff --git a/infrastructure/nginx/ssl.conf b/infrastructure/nginx/ssl.conf
new file mode 100644
index 0000000..776b7c7
--- /dev/null
+++ b/infrastructure/nginx/ssl.conf
@@ -0,0 +1,10 @@
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ssl_session_tickets off;
+
+# modern configuration
+ssl_protocols TLSv1.3;
+ssl_prefer_server_ciphers off;
+
+# HSTS (ngx_http_headers_module is required) (6 months)
+add_header Strict-Transport-Security "max-age=15768000" always;
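Review bot: The new `return 301 https://$host$request_uri;` in the port-80 block for proselitigant.tech has the same Host-reflection problem as its api.conf sibling: `$host` is whatever the client sent, and with no `default_server` declared in this commit a request for an unrecognised name can land in one of these blocks and be bounced to an arbitrary domain. Prefer `return 301 https://$server_name$request_uri;` here, which is safe because the block names a single host, or keep `$host` only once a dedicated catch-all server that returns 444 exists. Moving the return into `location /` does not change behaviour by itself; if an ACME challenge location is planned it still needs to be added.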
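Review bot: The `add_header Strict-Transport-Security ... always;` line at the end of the new file is subject to nginx's add_header inheritance rule: any `location` block in the including server that declares an `add_header` of its own (a CORS or cache header on a proxy location, say) inherits none from the server level, so HSTS and the per-vhost security headers vanish on exactly those paths. The location sections of the two including server blocks are outside this diff, so treat this as a check rather than a confirmed defect; the usual remedy is to put the security headers in a snippet that every location includes, or to keep `add_header` out of locations entirely. `ssl_protocols TLSv1.3;` intentionally drops TLS 1.2 and every client that cannot negotiate 1.3, which is a compatibility decision that deserves to be recorded in the comment, e.g. `# modern configuration: TLS 1.3 only, no TLS 1.2 fallback (intentional)`. The HSTS value omits `includeSubDomains`, which is fine only as long as every subdomain that should be protected includes this file itself — api.conf does in this commit — so a note such as `# no includeSubDomains: each vhost includes this file and sends its own HSTS` would stop a later subdomain from being forgotten.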