dillonhafer/nginx.conf

## nginx.conf
# APEX & NON-TLS
server {
  listen 80;
  listen [::]:80;
  server_name example.com www.example.com;
  return 301 https://www.example.com$request_uri;
}

server {
  listen 80;
  listen [::]:80;
  server_name api.example.com;
  return 301 https://api.example.com$request_uri;
}

server {
  ssl on;
  listen 443;
  listen [::]:443;
  server_name example.com;
  ssl_session_cache shared:SSL:20m;
  ssl_session_timeout 10m;
  ssl_certificate     /etc/letsencrypt/live/www.example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
  ssl_protocols      TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!DH+3DES:!ADH:!AECDH:!MD5;
  return 301 https://www.budgetal.com$request_uri;
}

# Frontend Website Config
server {
  listen 443 default_server;
  listen [::]:443;
  ssl on;
  server_name www.example.com;
  root /home/deploy/example-production/build;

  # HSTS
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

  # Secure Headers
  add_header X-Frame-Options DENY;
  add_header X-XSS-Protection "1; mode=block";
  add_header X-Content-Type-Options nosniff;
  add_header X-Permitted-Cross-Domain-Policies none;

  # TLS
  ssl_session_cache shared:SSL:20m;
  ssl_session_timeout 10m;
  ssl_certificate     /etc/letsencrypt/live/www.example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
  ssl_protocols      TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!DH+3DES:!ADH:!AECDH:!MD5;

  location / {
    gzip_static on;
    try_files $uri /index.html;

    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_disable "MSIE [1-6]\.";
    gzip_comp_level 6;
    gzip_types application/javascript application/json text/javascript application/x-javascript text/css image/x-icon image/png image/jpeg image/gif;
  }

  client_max_body_size 4G;
  keepalive_timeout 10;
}

# Backend Config
server {
  listen 443;
  listen [::]:443 ssl http2;
  ssl on;

  server_name api.example.com;
  root /home/deploy/example-production/build;

  # HSTS
  add_header Strict-Transport-Security "max-age=31536000" always;

  # Secure Headers
  add_header X-Frame-Options DENY;
  add_header X-XSS-Protection "1; mode=block";
  add_header X-Content-Type-Options nosniff;
  add_header X-Permitted-Cross-Domain-Policies none;

  # TLS
  ssl_session_cache shared:SSL:20m;
  ssl_session_timeout 10m;
  ssl_certificate     /etc/letsencrypt/live/api.example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/api.example.com/privkey.pem;
  ssl_protocols      TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!DH+3DES:!ADH:!AECDH:!MD5;

  if (-f $document_root/maintenance_mode_enabled) {
    return 503;
  }

  error_page 503 = @maintenance;
  location @maintenance {
    more_set_headers "Content-Type: application/json";

    if ($request_method = OPTIONS) {
      return 204;
    }
    return 503 "{}";
  }

  client_max_body_size 4G;
  keepalive_timeout 10;

  location / {
    # CORS Headers
    more_set_headers "Access-Control-Allow-Origin: https://www.example.com";
    more_set_headers "Access-Control-Allow-Credentials: true";
    more_set_headers "Access-Control-Allow-Methods: GET, POST, OPTIONS, DELETE, PATCH, PUT";
    more_set_headers "Access-Control-Allow-Headers: DNT,X-CustomHeader,X-Budgetal-Session,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type";

    if ($request_method = OPTIONS) {
      return 204;
    }

    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-NginX-Proxy true;
    proxy_pass http://localhost:3000/;
    proxy_redirect http://localhost:3000/ http://$server_name/;
  }
}
	# APEX & NON-TLS
	server {
	listen 80;
	listen [::]:80;
	server_name example.com www.example.com;
	return 301 https://www.example.com$request_uri;
	}

	server {
	listen 80;
	listen [::]:80;
	server_name api.example.com;
	return 301 https://api.example.com$request_uri;
	}

	server {
	ssl on;
	listen 443;
	listen [::]:443;
	server_name example.com;
	ssl_session_cache shared:SSL:20m;
	ssl_session_timeout 10m;
	ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;
	ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!DH+3DES:!ADH:!AECDH:!MD5;
	return 301 https://www.budgetal.com$request_uri;
	}

	# Frontend Website Config
	server {
	listen 443 default_server;
	listen [::]:443;
	ssl on;
	server_name www.example.com;
	root /home/deploy/example-production/build;

	# HSTS
	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

	# Secure Headers
	add_header X-Frame-Options DENY;
	add_header X-XSS-Protection "1; mode=block";
	add_header X-Content-Type-Options nosniff;
	add_header X-Permitted-Cross-Domain-Policies none;

	# TLS
	ssl_session_cache shared:SSL:20m;
	ssl_session_timeout 10m;
	ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;
	ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!DH+3DES:!ADH:!AECDH:!MD5;

	location / {
	gzip_static on;
	try_files $uri /index.html;

	gzip on;
	gzip_vary on;
	gzip_proxied any;
	gzip_disable "MSIE [1-6]\.";
	gzip_comp_level 6;
	gzip_types application/javascript application/json text/javascript application/x-javascript text/css image/x-icon image/png image/jpeg image/gif;
	}

	client_max_body_size 4G;
	keepalive_timeout 10;
	}

	# Backend Config
	server {
	listen 443;
	listen [::]:443 ssl http2;
	ssl on;

	server_name api.example.com;
	root /home/deploy/example-production/build;

	# HSTS
	add_header Strict-Transport-Security "max-age=31536000" always;

	# Secure Headers
	add_header X-Frame-Options DENY;
	add_header X-XSS-Protection "1; mode=block";
	add_header X-Content-Type-Options nosniff;
	add_header X-Permitted-Cross-Domain-Policies none;

	# TLS
	ssl_session_cache shared:SSL:20m;
	ssl_session_timeout 10m;
	ssl_certificate /etc/letsencrypt/live/api.example.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/api.example.com/privkey.pem;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;
	ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!DH+3DES:!ADH:!AECDH:!MD5;

	if (-f $document_root/maintenance_mode_enabled) {
	return 503;
	}

	error_page 503 = @maintenance;
	location @maintenance {
	more_set_headers "Content-Type: application/json";

	if ($request_method = OPTIONS) {
	return 204;
	}
	return 503 "{}";
	}

	client_max_body_size 4G;
	keepalive_timeout 10;

	location / {
	# CORS Headers
	more_set_headers "Access-Control-Allow-Origin: https://www.example.com";
	more_set_headers "Access-Control-Allow-Credentials: true";
	more_set_headers "Access-Control-Allow-Methods: GET, POST, OPTIONS, DELETE, PATCH, PUT";
	more_set_headers "Access-Control-Allow-Headers: DNT,X-CustomHeader,X-Budgetal-Session,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type";

	if ($request_method = OPTIONS) {
	return 204;
	}

	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-NginX-Proxy true;
	proxy_pass http://localhost:3000/;
	proxy_redirect http://localhost:3000/ http://$server_name/;
	}
	}