legacy-site/documentation/configs/nginx-ssl.conf

# Nginx configuration for Church Music Database with HTTPS/TLS

# HTTP -> HTTPS redirect
server {
    listen 80;
    listen [::]:80;
    server_name houseofprayer.ddns.net;
    
    # Redirect all HTTP to HTTPS
    return 301 https://$server_name$request_uri;
}

# HTTPS Configuration
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name houseofprayer.ddns.net;
    
    # SSL Certificate Configuration (Let's Encrypt)
    ssl_certificate /etc/letsencrypt/live/houseofprayer.ddns.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/houseofprayer.ddns.net/privkey.pem;
    
    # SSL Security Settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    
    # HSTS (uncomment after testing)
    # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    
    # Security Headers
    add_header X-Frame-Options "DENY" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    
    # Frontend (React App) - Serve static build files
    root /media/pts/Website/Church_HOP_MusicData/frontend/build;
    index index.html;
    
    location / {
        try_files $uri $uri/ /index.html;
    }
    
    # Backend API
    location /api/ {
        proxy_pass http://localhost:8080/api/;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        
        # CORS Headers (handled by Flask but can add here as backup)
        add_header 'Access-Control-Allow-Origin' '*' always;
        add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
        add_header 'Access-Control-Allow-Headers' 'Content-Type, Authorization' always;
        
        # Request size limits
        client_max_body_size 16M;
    }
    
    # Static files with caching
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
    }
}
Initial commit - Church Music Database 2026-01-27 18:04:50 -06:00			`# Nginx configuration for Church Music Database with HTTPS/TLS`

			`# HTTP -> HTTPS redirect`
			`server {`
			`listen 80;`
			`listen [::]:80;`
			`server_name houseofprayer.ddns.net;`

			`# Redirect all HTTP to HTTPS`
			`return 301 https://$server_name$request_uri;`
			`}`

			`# HTTPS Configuration`
			`server {`
			`listen 443 ssl http2;`
			`listen [::]:443 ssl http2;`
			`server_name houseofprayer.ddns.net;`

			`# SSL Certificate Configuration (Let's Encrypt)`
			`ssl_certificate /etc/letsencrypt/live/houseofprayer.ddns.net/fullchain.pem;`
			`ssl_certificate_key /etc/letsencrypt/live/houseofprayer.ddns.net/privkey.pem;`

			`# SSL Security Settings`
			`ssl_protocols TLSv1.2 TLSv1.3;`
			`ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';`
			`ssl_prefer_server_ciphers off;`
			`ssl_session_cache shared:SSL:10m;`
			`ssl_session_timeout 10m;`

			`# HSTS (uncomment after testing)`
			`# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;`

			`# Security Headers`
			`add_header X-Frame-Options "DENY" always;`
			`add_header X-Content-Type-Options "nosniff" always;`
			`add_header X-XSS-Protection "1; mode=block" always;`

			`# Frontend (React App) - Serve static build files`
			`root /media/pts/Website/Church_HOP_MusicData/frontend/build;`
			`index index.html;`

			`location / {`
			`try_files $uri $uri/ /index.html;`
			`}`

			`# Backend API`
			`location /api/ {`
			`proxy_pass http://localhost:8080/api/;`
			`proxy_http_version 1.1;`
			`proxy_set_header Host $host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $scheme;`

			`# CORS Headers (handled by Flask but can add here as backup)`
			`add_header 'Access-Control-Allow-Origin' '*' always;`
			`add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;`
			`add_header 'Access-Control-Allow-Headers' 'Content-Type, Authorization' always;`

			`# Request size limits`
			`client_max_body_size 16M;`
			`}`

			`# Static files with caching`
			`location ~* \.(js\|css\|png\|jpg\|jpeg\|gif\|ico\|svg\|woff\|woff2\|ttf\|eot)$ {`
			`expires 1y;`
			`add_header Cache-Control "public, immutable";`
			`}`
			`}`