##############################################################
# Nginx config for: www.abc-foundry-sand-form.com
# Place this file at: /etc/nginx/sites-available/sand-form
# Then: sudo ln -s /etc/nginx/sites-available/sand-form /etc/nginx/sites-enabled/
# Then: sudo nginx -t && sudo systemctl reload nginx
##############################################################

server {
    listen 80;
    server_name abc-foundry-sand-form.com www.abc-foundry-sand-form.com;

    # Redirect HTTP → HTTPS
    # NOTE(review): $host is taken from the request's Host header. This block
    # only catches the two names above unless it is also the implicit default
    # server for port 80 (no other listen-80 block declares default_server);
    # in that case an unrelated Host value is echoed into the 301 target.
    # If that matters, add a separate catch-all server that returns 444.
    # NOTE(review): if certificate renewal ever switches to certbot's webroot
    # method, /.well-known/acme-challenge/ would need to be served here before
    # this redirect — the nginx plugin does not need that.
    return 301 https://$host$request_uri;
}

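server {
    listen 443 ssl http2;
    server_name abc-foundry-sand-form.com www.abc-foundry-sand-form.com;

    # Do not advertise the nginx version in the Server header or on error pages.
    server_tokens off;

    # SSL — managed by Certbot / Let's Encrypt
    # Protocol, cipher and session settings come from options-ssl-nginx.conf.
    ssl_certificate     /etc/letsencrypt/live/abc-foundry-sand-form.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/abc-foundry-sand-form.com/privkey.pem;
    include             /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam         /etc/letsencrypt/ssl-dhparams.pem;

    # Security headers
    # "always" emits them on 4xx/5xx responses too, not only 2xx/3xx.
    # Pitfall: add_header is NOT merged across contexts — any add_header placed
    # inside one of the location blocks below would silently drop all of these
    # for that location. Keep them here and keep the locations free of add_header.
    add_header X-Frame-Options        "SAMEORIGIN"  always;
    add_header X-Content-Type-Options "nosniff"     always;
    add_header Referrer-Policy        "strict-origin-when-cross-origin" always;
    # HSTS: the port-80 block already forces HTTPS, so this only tells browsers
    # to skip the insecure hop entirely and to hard-fail on certificate errors.
    # includeSubDomains/preload are intentionally omitted until every subdomain
    # is confirmed to serve HTTPS.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Block common secret/config probes at the edge.
    # Regex locations are evaluated in file order and take precedence over the
    # prefix "location /" below, so these run before anything is proxied.
    # 404 (rather than 403) does not confirm that a matching file exists.
    # Defense in depth only: the backend's static root must not contain these
    # files in the first place, and this list cannot be exhaustive.
    location ~* (^|/)\.(env|git|svn|hg|ssh)(/|\.|$) {
        return 404;
    }

    # Exact-path matches (anchored with $), optionally under public/, app/ or config/.
    location ~* ^/(public/|app/|config/)?(\.env.*|id_rsa|id_dsa|authorized_keys|known_hosts|secrets?\.ya?ml|credentials?\.(json|ya?ml|ini)|application\.properties|runtime-config\.js|env\.js|__env\.js|config\.(js|json)|settings\.json|firebase-config\.json|swagger\.json|openapi\.(json|ya?ml))$ {
        return 404;
    }

    # Proxy all traffic to Node.js backend (which also serves the built React app)
    location / {
        proxy_pass         http://127.0.0.1:4000;
        proxy_http_version 1.1;
        # WebSocket support. Connection "upgrade" is sent on every request, not
        # only when the client asked to upgrade; the documented idiom is a
        # `map $http_upgrade $connection_upgrade` in the http context. Not added
        # here to avoid clashing with a map another included file may define.
        proxy_set_header   Upgrade     $http_upgrade;
        proxy_set_header   Connection  "upgrade";
        proxy_set_header   Host        $host;
        # X-Real-IP comes from the TCP peer and is trustworthy.
        # X-Forwarded-For APPENDS to whatever the client sent, so the backend
        # must only trust the last (rightmost) entry, never the first.
        proxy_set_header   X-Real-IP   $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_read_timeout 60s;
    }

    # Gzip (text/html is always compressed when gzip is on)
    # NOTE(review): compressing a dynamic response that echoes user input next
    # to a secret (CSRF token, session id) is the BREACH pattern; confirm the
    # backend does not do that, or leave such routes uncompressed.
    gzip on;
    gzip_types text/plain application/json application/javascript text/css;
}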
