infrastructure/roles/rebuilderd/templates/nginx.d.conf.j2

server {
    listen       80;
    listen       [::]:80;
    server_name  {{ rebuilderd_domain }};

    access_log   /var/log/nginx/{{ rebuilderd_domain }}/access.log reduced;
    access_log   /var/log/nginx/{{ rebuilderd_domain }}/access.log.json json_reduced;
    error_log    /var/log/nginx/{{ rebuilderd_domain }}/error.log;

    include snippets/letsencrypt.conf;

    location / {
        access_log off;
        return 301 https://$server_name$request_uri;
    }
}

server {
    listen       443 ssl;
    listen       [::]:443 ssl;
    http2        on;
    server_name  {{ rebuilderd_domain }};

    access_log   /var/log/nginx/{{ rebuilderd_domain }}/access.log reduced;
    access_log   /var/log/nginx/{{ rebuilderd_domain }}/access.log.json json_reduced;
    error_log    /var/log/nginx/{{ rebuilderd_domain }}/error.log;

    ssl_certificate      /etc/letsencrypt/live/{{ rebuilderd_domain }}/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/{{ rebuilderd_domain }}/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/{{ rebuilderd_domain }}/chain.pem;

    # Security headers
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Xss-Protection "1; mode=block" always;
    add_header Referrer-Policy "same-origin";
    add_header Feature-Policy "geolocation 'none' ;midi 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; fullscreen 'none'; payment 'none';";
    add_header Content-Security-Policy "default-src 'self';";
    add_header X-Content-Type-Options "nosniff" always;

    # Apply HSTS header again, since adding a header removes previous headers
    add_header Strict-Transport-Security $hsts_header;

    root {{ rebuilder_website_loc }};

    location ~* (css|js|svg)$ {
        expires 30d;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    }

    location /api/ {
        proxy_set_header    X-Real-IP          $remote_addr;
        proxy_pass http://127.0.0.1:8484;
    }

    location = /api/v0/build/report {
        client_max_body_size 200M;
        proxy_set_header    X-Real-IP          $remote_addr;
        proxy_pass http://127.0.0.1:8484;
    }
}