nginx updates

diff --git a/etc/nginx/conf.d/default.conf b/etc/nginx/conf.d/default.conf
index b020d1223cdf83746856592f6dbaee640691d7a3..172ffb00daa4c9ed4313cdf02f83864367ba6228 100644 (file)
--- a/etc/nginx/conf.d/default.conf
+++ b/etc/nginx/conf.d/default.conf
@@ -55,11 +55,21 @@ server {
 # UI, blog, favicon, default server
 server {
   server_name dev.nutra.tk;
-  #listen 80 default_server;
-  #listen [::]:80 ipv6only=on;
+
+  # HTTP/3 (QUIC) - UDP
+  listen 443 quic reuseport default_server;
+  listen [::]:443 quic reuseport default_server;
+
+  # HTTP/2 & 1.1 (Fallback) - TCP
   listen 443 ssl default_server;
+  listen [::]:443 ssl default_server;
+
+  # Enable protocols
   http2 on;
-  listen [::]:443 ssl ipv6only=on; # managed by Certbot
+  http3 on;
+
+  # Advertise HTTP/3 availability
+  add_header Alt-Svc 'h3=":443"; ma=86400';
 
   client_max_body_size 50m;
 

diff --git a/etc/nginx/conf.d/moms-website.conf b/etc/nginx/conf.d/moms-website.conf
index 983ef1c8d52c79e8dc7fdadbab4532eab61f23e6..c8b0419c4b26ead246f5011bcbf07baf90408645 100644 (file)
--- a/etc/nginx/conf.d/moms-website.conf
+++ b/etc/nginx/conf.d/moms-website.conf
@@ -1,10 +1,45 @@
 # Mom's Earthy Bites Kitchen storefront
+# HTTP to HTTPS redirect
 server {
+  listen 80;
+  listen [::]:80;
   server_name earthyenergy.mooo.com;
+  return 301 https://$host$request_uri;
+}
+
+server {
+  # HTTP/3 (QUIC) - UDP
+  listen 443 quic;
+  listen [::]:443 quic;
+
+  # HTTP/2 & 1.1 (Fallback) - TCP
+  listen 443 ssl;
+  listen [::]:443 ssl;
+
+  # Enable protocols (New syntax for nginx 1.25+)
+  http2 on;
+  http3 on;
+
+  server_name earthyenergy.mooo.com;
+
+  # Advertise HTTP/3 availability to browsers
+  add_header Alt-Svc 'h3=":443"; ma=86400';
 
   root /var/www/moms-website;
   index index.html;
 
+  # HSTS
+  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+
+  # Client max body size
+  client_max_body_size 50m;
+
+  # SSL Configuration (Managed by Certbot on VPS)
+  ssl_certificate /etc/letsencrypt/live/earthyenergy.mooo.com/fullchain.pem; # managed by Certbot
+  ssl_certificate_key /etc/letsencrypt/live/earthyenergy.mooo.com/privkey.pem; # managed by Certbot
+  include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
   # Allow certbot verification
   location /.well-known/acme-challenge/ {
     root /var/www/html;
@@ -14,6 +49,7 @@ server {
     try_files $uri $uri/ /index.html;
   }
 
+  # Medusa Store API
   location /store {
     proxy_pass http://localhost:9000;
     proxy_http_version 1.1;
@@ -51,24 +87,4 @@ server {
     proxy_set_header X-Forwarded-Proto $scheme;
     proxy_cache_bypass $http_upgrade;
   }
-
-    listen 443 ssl; # managed by Certbot
-    ssl_certificate /etc/letsencrypt/live/earthyenergy.mooo.com/fullchain.pem; # managed by Certbot
-    ssl_certificate_key /etc/letsencrypt/live/earthyenergy.mooo.com/privkey.pem; # managed by Certbot
-    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
-    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
-
 }
-
-server {
-    if ($host = earthyenergy.mooo.com) {
-        return 301 https://$host$request_uri;
-    } # managed by Certbot
-
-
-  listen 80;
-  server_name earthyenergy.mooo.com;
-    return 404; # managed by Certbot
-
-
-}
\ No newline at end of file