balikci/nginx/oltalama.conf

# Oltalama Nginx Configuration
# /etc/nginx/sites-available/oltalama

# Upstream definitions
upstream backend {
    server localhost:3000;
    keepalive 64;
}

upstream frontend {
    server localhost:4173;
    keepalive 64;
}

# HTTP to HTTPS redirect
server {
    listen 80;
    listen [::]:80;
    server_name yourdomain.com;
    
    # Let's Encrypt verification
    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }
    
    location / {
        return 301 https://$server_name$request_uri;
    }
}

# HTTPS server
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name yourdomain.com;

    # SSL certificates (update with your actual paths)
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/yourdomain.com/chain.pem;

    # SSL configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;

    # Security headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "no-referrer-when-downgrade" always;
    add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;

    # Client body size
    client_max_body_size 10M;

    # Gzip compression
    gzip on;
    gzip_vary on;
    gzip_min_length 1024;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_types text/plain text/css text/xml text/javascript application/json application/javascript application/xml+rss application/atom+xml image/svg+xml;

    # Rate limiting zone
    limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;
    limit_req_status 429;

    # Backend API endpoints
    location /api {
        # Rate limiting
        limit_req zone=api_limit burst=20 nodelay;

        proxy_pass http://backend;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
        
        # Timeouts
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
    }

    # Tracking endpoint (no rate limiting for legitimate tracking)
    location /t/ {
        proxy_pass http://backend;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        
        # Cache control
        add_header Cache-Control "no-cache, no-store, must-revalidate";
        add_header Pragma "no-cache";
        add_header Expires "0";
    }

    # Frontend static files
    location / {
        proxy_pass http://frontend;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
        
        # Cache static assets
        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
            proxy_pass http://frontend;
            expires 1y;
            add_header Cache-Control "public, immutable";
        }
    }

    # Logs
    access_log /var/log/nginx/oltalama-access.log combined;
    error_log /var/log/nginx/oltalama-error.log warn;
}
Domain support 2025-11-10 20:01:41 +03:00			`# Oltalama Nginx Configuration`
			`# /etc/nginx/sites-available/oltalama`

			`# Upstream definitions`
			`upstream backend {`
			`server localhost:3000;`
			`keepalive 64;`
			`}`

			`upstream frontend {`
			`server localhost:4173;`
			`keepalive 64;`
			`}`

			`# HTTP to HTTPS redirect`
			`server {`
			`listen 80;`
			`listen [::]:80;`
			`server_name yourdomain.com;`

			`# Let's Encrypt verification`
			`location /.well-known/acme-challenge/ {`
			`root /var/www/html;`
			`}`

			`location / {`
			`return 301 https://$server_name$request_uri;`
			`}`
			`}`

			`# HTTPS server`
			`server {`
			`listen 443 ssl http2;`
			`listen [::]:443 ssl http2;`
			`server_name yourdomain.com;`

			`# SSL certificates (update with your actual paths)`
			`ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;`
			`ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;`
			`ssl_trusted_certificate /etc/letsencrypt/live/yourdomain.com/chain.pem;`

			`# SSL configuration`
			`ssl_protocols TLSv1.2 TLSv1.3;`
			ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK;
			`ssl_prefer_server_ciphers on;`
			`ssl_session_cache shared:SSL:10m;`
			`ssl_session_timeout 10m;`
			`ssl_session_tickets off;`
			`ssl_stapling on;`
			`ssl_stapling_verify on;`

			`# Security headers`
			`add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;`
			`add_header X-Frame-Options "SAMEORIGIN" always;`
			`add_header X-Content-Type-Options "nosniff" always;`
			`add_header X-XSS-Protection "1; mode=block" always;`
			`add_header Referrer-Policy "no-referrer-when-downgrade" always;`
			`add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;`

			`# Client body size`
			`client_max_body_size 10M;`

			`# Gzip compression`
			`gzip on;`
			`gzip_vary on;`
			`gzip_min_length 1024;`
			`gzip_proxied any;`
			`gzip_comp_level 6;`
			`gzip_types text/plain text/css text/xml text/javascript application/json application/javascript application/xml+rss application/atom+xml image/svg+xml;`

			`# Rate limiting zone`
			`limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;`
			`limit_req_status 429;`

			`# Backend API endpoints`
			`location /api {`
			`# Rate limiting`
			`limit_req zone=api_limit burst=20 nodelay;`

			`proxy_pass http://backend;`
			`proxy_http_version 1.1;`
			`proxy_set_header Upgrade $http_upgrade;`
			`proxy_set_header Connection 'upgrade';`
			`proxy_set_header Host $host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $scheme;`
			`proxy_cache_bypass $http_upgrade;`

			`# Timeouts`
			`proxy_connect_timeout 60s;`
			`proxy_send_timeout 60s;`
			`proxy_read_timeout 60s;`
			`}`

			`# Tracking endpoint (no rate limiting for legitimate tracking)`
			`location /t/ {`
			`proxy_pass http://backend;`
			`proxy_http_version 1.1;`
			`proxy_set_header Host $host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $scheme;`

			`# Cache control`
			`add_header Cache-Control "no-cache, no-store, must-revalidate";`
			`add_header Pragma "no-cache";`
			`add_header Expires "0";`
			`}`

			`# Frontend static files`
			`location / {`
			`proxy_pass http://frontend;`
			`proxy_http_version 1.1;`
			`proxy_set_header Upgrade $http_upgrade;`
			`proxy_set_header Connection 'upgrade';`
			`proxy_set_header Host $host;`
			`proxy_cache_bypass $http_upgrade;`

			`# Cache static assets`
			`location ~* \.(js\|css\|png\|jpg\|jpeg\|gif\|ico\|svg\|woff\|woff2\|ttf\|eot)$ {`
			`proxy_pass http://frontend;`
			`expires 1y;`
			`add_header Cache-Control "public, immutable";`
			`}`
			`}`

			`# Logs`
			`access_log /var/log/nginx/oltalama-access.log combined;`
			`error_log /var/log/nginx/oltalama-error.log warn;`
			`}`