server { listen 80; server_name localhost; root /usr/share/nginx/html; index index.html; # Increase max request size for logo uploads (32MB) client_max_body_size 32M; # Gzip compression gzip on; gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; # Cache static assets location ~* \.(js|css|png|jpg|jpeg|gif|svg|ico|woff|woff2|ttf|eot)$ { expires 1y; add_header Cache-Control "public, immutable"; } # API proxy to backend location /api/ { client_max_body_size 32M; proxy_pass http://backend:8080/; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; proxy_set_header Host $host; proxy_cache_bypass $http_upgrade; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # CORS headers - Allow all origins add_header 'Access-Control-Allow-Origin' '*' always; add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS, PATCH, HEAD' always; add_header 'Access-Control-Allow-Headers' '*' always; add_header 'Access-Control-Expose-Headers' '*' always; add_header 'Access-Control-Max-Age' '3600' always; # Handle preflight requests if ($request_method = 'OPTIONS') { return 204; } } # SPA fallback location / { # CORS headers - Allow all origins for static content add_header 'Access-Control-Allow-Origin' '*' always; add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS, PATCH, HEAD' always; add_header 'Access-Control-Allow-Headers' '*' always; try_files $uri $uri/ /index.html; } # Security headers add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; }