From 241d854fc1a4267ccc67571424453708ca7e1b20 Mon Sep 17 00:00:00 2001
From: Martin Varga
Date: Tue, 21 Jan 2025 08:10:56 +0100
Subject: [PATCH] Add an example config for production proxy with SSL termination

---
 ssl-proxy.conf | 74 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 74 insertions(+)
 create mode 100644 ssl-proxy.conf

diff --git a/ssl-proxy.conf b/ssl-proxy.conf
new file mode 100644
index 00000000..6359a90c
--- /dev/null
+++ b/ssl-proxy.conf
@@ -0,0 +1,74 @@
+
+ server {
+ listen 80;
+ server_name merginmaps.company.com; # FIXME
+
+ if ($scheme != "https") {
+ return 301 https://$host$request_uri;
+ }
+ }
+
+ upstream app_server {
+ # route to the application proxy
+ server 127.0.0.1:8080 fail_timeout=0;
+ }
+
+ server {
+ listen 443 ssl;
+ server_name merginmaps.company.com; # FIXME
+ client_max_body_size 4G;
+
+ ssl_certificate_key /etc/letsencrypt/live/merginmaps.company.com/privkey.pem; # FIXME
+ ssl_certificate /etc/letsencrypt/live/merginmaps.company.com/fullchain.pem; # FIXME
+
+ # Don't show version information
+ server_tokens off;
+
+ # Enable gzip compression
+ gzip on;
+ gzip_min_length 10240;
+ gzip_comp_level 1;
+ gzip_vary on;
+ gzip_proxied expired no-cache no-store private auth;
+ gzip_types
+ text/css
+ text/javascript
+ text/xml
+ text/plain
+ text/x-component
+ application/javascript
+ application/x-javascript
+ application/json
+ application/xml
+ application/rss+xml
+ application/atom+xml
+ font/truetype
+ font/opentype
+ application/vnd.ms-fontobject
+ image/svg+xml;
+
+ # Prevent crawlers from indexing and following links for all content served from the mergin app
+ add_header X-Robots-Tag "none";
+
+ # Protect against clickjacking iframe
+ add_header Content-Security-Policy "frame-ancestors 'self';" always;
+
+ # Add a HSTS policy to prevent plain http from browser
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+ # Set cookies security flags
+ proxy_cookie_flags ~ secure httponly samesite=strict;
+
+ location / {
+ root /var/www/html;
+
+ # The lines below were copied from application proxy
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $http_host;
+ # we don't want nginx trying to do something clever with
+ # redirects, we set the Host: header above already.
+ proxy_redirect off;
+ proxy_pass http://app_server;
+ }
+ }
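Review bot: The `listen 443 ssl` server block sets no `ssl_protocols` or `ssl_ciphers`, so the TLS versions and cipher suites this "production" example accepts are whatever the installed nginx build defaults to, which on older releases still includes TLSv1 and TLSv1.1; add `ssl_protocols TLSv1.2 TLSv1.3;` next to the certificate lines and an `ssl_ciphers` line matching the deployment's policy, and say in a comment that both should be reviewed against a current hardening guide. In the `listen 80` block the `if ($scheme != "https")` test is always true for a plain-HTTP listener and the redirect target echoes the client-supplied Host header through `$host`; `return 301 https://$server_name$request_uri;` without the `if` is simpler and pins the redirect to the configured name. `root /var/www/html;` inside `location /` is never used because every request is handed to `proxy_pass`, so it should be dropped or commented as intentional. Since gzip is enabled for `application/json` and `text/html`-adjacent types over TLS, a short comment noting that compressing responses that mix secrets with reflected input carries a BREACH-style risk would help operators decide whether to keep it.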