# Must be defined at http-level (outside server block) log_format timed '$time_iso8601 $status $request_method $request_uri ($request_time s)'; server { # Port 8080 for unprivileged nginx (non-root) listen 8080; server_name _; root /usr/share/nginx/html; index index.html; # Access log control (suppressed when LOG_LEVEL is warn or higher) access_log ${NGINX_ACCESS_LOG}; # Security headers add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Content-Security-Policy "default-src 'self'; base-uri 'self'; frame-ancestors 'self'; object-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com data:; img-src 'self' data: blob:; connect-src 'self' https://api.github.com; frame-src 'self'; form-action 'self'; upgrade-insecure-requests" always; add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), usb=(), accelerometer=(), gyroscope=(), magnetometer=()" always; # Allow larger file uploads (for medication images and data import/export) client_max_body_size 50M; location / { try_files $uri /index.html; } # ------------------------------------------------------------------------- # High-frequency polling endpoints — suppress access logs at info level # (visible at debug level via NGINX_POLLING_LOG) # ------------------------------------------------------------------------- location = /api/doses/taken { access_log ${NGINX_POLLING_LOG}; resolver 127.0.0.11 valid=10s ipv6=off; set $backend_upstream ${BACKEND_URL}; rewrite ^/api/(.*)$ /$1 break; proxy_pass http://$backend_upstream; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass_header Set-Cookie; proxy_cookie_path / /; } location ~ ^/api/share/[^/]+/doses$ { access_log ${NGINX_POLLING_LOG}; resolver 127.0.0.11 valid=10s ipv6=off; set $backend_upstream ${BACKEND_URL}; rewrite ^/api/(.*)$ /$1 break; proxy_pass http://$backend_upstream; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass_header Set-Cookie; proxy_cookie_path / /; } location = /api/health { access_log ${NGINX_POLLING_LOG}; resolver 127.0.0.11 valid=10s ipv6=off; set $backend_upstream ${BACKEND_URL}; rewrite ^/api/(.*)$ /$1 break; proxy_pass http://$backend_upstream; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass_header Set-Cookie; proxy_cookie_path / /; } location /api/ { # Use variable for runtime DNS resolution (nginx resolves at startup by default) # Docker embedded DNS (127.0.0.11) with 10s cache resolver 127.0.0.11 valid=10s ipv6=off; set $backend_upstream ${BACKEND_URL}; # Strip /api prefix (nginx doesn't auto-rewrite when using variables in proxy_pass) rewrite ^/api/(.*)$ /$1 break; proxy_pass http://$backend_upstream; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # Pass cookies through proxy_pass_header Set-Cookie; proxy_cookie_path / /; # Timeout for uploads proxy_read_timeout 60s; proxy_send_timeout 60s; # Prevent buffering upstream responses to temp files (images can be large) # nginx streams directly to client instead of buffering the full response proxy_max_temp_file_size 0; } }