diff --git a/deploy/nginx.conf.example b/deploy/nginx.conf.example new file mode 100644 index 0000000..e750dae --- /dev/null +++ b/deploy/nginx.conf.example @@ -0,0 +1,55 @@ +# Newbury Nights — nginx reverse proxy example +# +# Camera (getUserMedia) and DeviceOrientation require a secure context, +# so the site MUST be served over HTTPS. nginx terminates TLS here and +# forwards plain HTTP to the Node app on 127.0.0.1:3000. +# +# Adjust server_name, certificate paths, and the upstream port to taste. + +upstream newbury_nights { + server 127.0.0.1:3000; + keepalive 32; +} + +# Redirect HTTP -> HTTPS +server { + listen 80; + listen [::]:80; + server_name newbury.example.com; + return 301 https://$host$request_uri; +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name newbury.example.com; + + # --- TLS (point these at your real certs, e.g. from certbot) --- + ssl_certificate /etc/letsencrypt/live/newbury.example.com/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/newbury.example.com/privkey.pem; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_prefer_server_ciphers on; + + # Allow uploaded ghost GIFs/images up to the app's 8MB limit (+ headroom). + client_max_body_size 10m; + + # Let the Node app see it's behind TLS (so secure cookies / trust proxy work). + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_http_version 1.1; + proxy_set_header Connection ""; + + # Cache static assets served by the app. + location ~* \.(?:css|js|gif|png|jpe?g|webp|svg|woff2?)$ { + proxy_pass http://newbury_nights; + proxy_cache_valid 200 1h; + expires 1h; + add_header Cache-Control "public"; + } + + location / { + proxy_pass http://newbury_nights; + } +}