# Local Docker usage should work over plain HTTP on the mapped port. server { listen 80; listen [::]:80; server_name _; # Docker embedded DNS — defer resolving "backend" until request time (avoids # startup race: nginx loads config before the backend container is registered). resolver 127.0.0.11 ipv6=off valid=10s; root /usr/share/nginx/html; index index.html; # Gzip compression gzip on; gzip_types text/plain text/css application/json application/javascript text/xml application/xml text/javascript image/svg+xml; gzip_min_length 256; # SPA client-side routing: serve index.html for all non-file routes location / { try_files $uri $uri/ /index.html; } # Proxy REST API to backend location /api/ { set $backend_host backend; proxy_pass http://$backend_host:8080; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } # Proxy WebSocket to backend location /ws { set $backend_host backend; proxy_pass http://$backend_host:8080; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_read_timeout 86400; } # Cache static assets aggressively location /assets/ { expires 1y; add_header Cache-Control "public, immutable"; } # Security headers add_header Content-Security-Policy "frame-ancestors 'self' https://web.telegram.org https://*.telegram.org;" always; add_header X-Content-Type-Options "nosniff" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; } server { listen 443 ssl; listen [::]:443 ssl; server_name _; ssl_certificate /etc/nginx/ssl/fullchain.pem; ssl_certificate_key /etc/nginx/ssl/privkey.pem; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; resolver 127.0.0.11 ipv6=off valid=10s; root /usr/share/nginx/html; index index.html; # Gzip compression gzip on; gzip_types text/plain text/css application/json application/javascript text/xml application/xml text/javascript image/svg+xml; gzip_min_length 256; # SPA client-side routing: serve index.html for all non-file routes location / { try_files $uri $uri/ /index.html; } # Proxy REST API to backend location /api/ { set $backend_host backend; proxy_pass http://$backend_host:8080; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } # Proxy WebSocket to backend location /ws { set $backend_host backend; proxy_pass http://$backend_host:8080; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_read_timeout 86400; } # Cache static assets aggressively location /assets/ { expires 1y; add_header Cache-Control "public, immutable"; } # Security headers add_header Content-Security-Policy "frame-ancestors 'self' https://web.telegram.org https://*.telegram.org;" always; add_header X-Content-Type-Options "nosniff" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; }