events { worker_connections 1024; } http { proxy_buffer_size 16k; proxy_buffers 4 16k; proxy_busy_buffers_size 16k; large_client_header_buffers 4 16k; upstream webapi { server webapi:8080; } upstream webui { server webui:3000; } upstream seq { server seq:80; } server { listen 80; server_name impr.ink; return 301 https://$server_name$request_uri; } server { listen 443 ssl http2; server_name impr.ink; ssl_certificate /etc/ssl/certs/impr.ink.crt; ssl_certificate_key /etc/ssl/private/impr.ink.key; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers off; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Frame-Options DENY always; add_header X-Content-Type-Options nosniff always; location /api/ { proxy_pass http://webapi/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } location /seq { proxy_pass http://seq; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-Prefix /seq; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_redirect off; rewrite ^/seq$ /seq/ redirect; rewrite ^/seq/(.*)$ /$1 break; } location / { proxy_pass http://webui/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } } }