--- /dev/null
+# API
+server {
+ # Service: API | https://api.dev.nutra.tk
+ server_name api-dev.nutra.tk api.dev.nutra.tk;
+ #listen 80;
+ listen 443 ssl;
+ listen 443 quic;
+ listen [::]:443 quic;
+ http2 on;
+ http3 on;
+ add_header Alt-Svc 'h3=":443"; ma=86400' always;
+ # HSTS
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+
+ # Sanic
+ location / {
+ proxy_pass http://127.0.0.1:20000; # API server
+ # Allow fast streaming HTTP/1.1 pipes (keep-alive, unbuffered)
+ proxy_http_version 1.1;
+ proxy_request_buffering off;
+ proxy_buffering off;
+ # Proxy forwarding (password configured in app.config.FORWARDED_SECRET)
+ # and stored in: /etc/nginx/conf.d/secrets.conf
+ proxy_set_header forwarded "$proxy_forwarded;secret=\"$proxy_secret_key\"";
+ # Allow websockets and keep-alive (avoid connection: close)
+ proxy_set_header connection "upgrade";
+ proxy_set_header upgrade $http_upgrade;
+ }
+
+ # default favicon
+ location /favicon.ico {
+ alias /var/www/favicon.gif;
+ }
+}
+
+
+# Store Front (MedusaJS)
+server {
+ # Service: Store | https://store.nutra.tk
+ server_name store.nutra.tk;
+ #listen 80;
+ listen 443 ssl;
+ listen 443 quic;
+ listen [::]:443 quic;
+ http2 on;
+ http3 on;
+ add_header Alt-Svc 'h3=":443"; ma=86400' always;
+ location / {
+ proxy_pass http://localhost:8000;
+ }
+}
+
+# Store [Admin UI] (MedusaJS)
+server {
+ # Service: Store Admin | https://store-admin-8b56411b.nutra.tk
+ server_name store-api.nutra.tk store-admin-8b56411b.nutra.tk;
+ #listen 80;
+ listen 443 ssl;
+ listen 443 quic;
+ listen [::]:443 quic;
+ http2 on;
+ http3 on;
+ add_header Alt-Svc 'h3=":443"; ma=86400' always;
+ location / {
+ proxy_pass http://localhost:9000;
+ }
+}
+
+
+# UI, blog, favicon, default server
+server {
+ server_name dev.nutra.tk;
+
+ # HTTP/3 (QUIC) - UDP
+ listen 443 quic reuseport default_server;
+ listen [::]:443 quic reuseport default_server;
+
+ # HTTP/2 & 1.1 (Fallback) - TCP
+ listen 443 ssl default_server;
+ listen [::]:443 ssl default_server;
+
+ # Enable protocols
+ http2 on;
+ http3 on;
+
+ # Advertise HTTP/3 availability
+ add_header Alt-Svc 'h3=":443"; ma=86400' always;
+
+ client_max_body_size 50m;
+
+ # HSTS
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+ ssl_trusted_certificate /etc/ssl/private/ca-certs.pem;
+ # OCSP stapling (NOTE: Responders disabled by letsencrypt as of Q3 2025)
+ #ssl_stapling on;
+ #ssl_stapling_verify on;
+
+ # Services Map (Homepage)
+ location / {
+ alias /var/www/homepage.html;
+ default_type text/html;
+ }
+
+# # Blog / Sphinx
+# location /blog {
+# alias /var/www/blog;
+# index index.html;
+# }
+
+ # default favicon
+ location = /favicon.ico {
+ alias /var/www/favicon.gif;
+ }
+
+ # Other
+ location ~ /.well-known {
+ allow all;
+ }
+
+ # CV paths
+ location ~ ^/cv/(~?swe|swe~/resume\.pdf)$ {
+ alias /var/www/cv/swe/resume.pdf;
+ default_type application/pdf;
+ }
+ location ~ ^/resume(\.pdf|/swe\.pdf)$ {
+ alias /var/www/cv/swe/resume.pdf;
+ default_type application/pdf;
+ }
+
+ # public folder
+ location /public {
+ root /var/www;
+ autoindex on;
+ #index index.html index.htm;
+ #try_files $uri $uri/ /index.html =404;
+ }
+
+ # HTTPS / SSL
+ ssl_certificate /etc/letsencrypt/live/dev.nutra.tk/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/dev.nutra.tk/privkey.pem; # managed by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+}
+
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# Redirect www.dev.nutra.tk -> dev.nutra.tk
+server {
+ listen 443 ssl;
+ listen 443 quic;
+ listen [::]:443 quic;
+ http2 on;
+ http3 on;
+ server_name www.dev.nutra.tk;
+
+ ssl_certificate /etc/letsencrypt/live/dev.nutra.tk/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/dev.nutra.tk/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+ return 301 https://dev.nutra.tk$request_uri;
+}
+
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# Listen on 443 with matrix / synapse
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+server {
+ listen 443 ssl;
+ listen 443 quic;
+ http2 on;
+ http3 on;
+ add_header Alt-Svc 'h3=":443"; ma=86400' always;
+ server_name matrix.nutra.tk chat.nutra.tk;
+
+ location / {
+ # Service: Matrix Chat | https://chat.nutra.tk
+ proxy_pass http://127.0.0.1:8008;
+ proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ }
+
+ location /favicon.ico {
+ alias /var/www/favicon.gif;
+ }
+}
+
+# Open matrix chat on 8448
+server {
+ listen 8448 ssl default_server;
+ listen [::]:8448 ssl default_server;
+ server_name dev.nutra.tk;
+
+ location / {
+ proxy_pass http://127.0.0.1:8008;
+ proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ }
+
+ # HTTPS / SSL
+ ssl_certificate /etc/letsencrypt/live/dev.nutra.tk/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/dev.nutra.tk/privkey.pem; # managed by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+}
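Review bot: Both Matrix proxy blocks (the `matrix.nutra.tk chat.nutra.tk` server on 443 and the `listen 8448` server) set `proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;`, which relays whatever the client sent instead of what nginx itself observed. nginx terminates TLS here, so the header is empty for ordinary clients and client-controlled otherwise; `proxy_set_header X-Forwarded-Proto $scheme;` gives the backend on 127.0.0.1:8008 a value the proxy can vouch for. Neither block overrides Host, so `proxy_pass` sends `127.0.0.1:8008` upstream; consider adding `proxy_set_header Host $host;` alongside it. The same lines recur in the second, identical file section of this diff.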
--- /dev/null
+# API
+server {
+ # Service: API | https://api.dev.nutra.tk
+ server_name api-dev.nutra.tk api.dev.nutra.tk;
+ #listen 80;
+ listen 443 ssl;
+ listen 443 quic;
+ listen [::]:443 quic;
+ http2 on;
+ http3 on;
+ add_header Alt-Svc 'h3=":443"; ma=86400' always;
+ # HSTS
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+
+ # Sanic
+ location / {
+ proxy_pass http://127.0.0.1:20000; # API server
+ # Allow fast streaming HTTP/1.1 pipes (keep-alive, unbuffered)
+ proxy_http_version 1.1;
+ proxy_request_buffering off;
+ proxy_buffering off;
+ # Proxy forwarding (password configured in app.config.FORWARDED_SECRET)
+ # and stored in: /etc/nginx/conf.d/secrets.conf
+ proxy_set_header forwarded "$proxy_forwarded;secret=\"$proxy_secret_key\"";
+ # Allow websockets and keep-alive (avoid connection: close)
+ proxy_set_header connection "upgrade";
+ proxy_set_header upgrade $http_upgrade;
+ }
+
+ # default favicon
+ location /favicon.ico {
+ alias /var/www/favicon.gif;
+ }
+}
+
+
+# Store Front (MedusaJS)
+server {
+ # Service: Store | https://store.nutra.tk
+ server_name store.nutra.tk;
+ #listen 80;
+ listen 443 ssl;
+ listen 443 quic;
+ listen [::]:443 quic;
+ http2 on;
+ http3 on;
+ add_header Alt-Svc 'h3=":443"; ma=86400' always;
+ location / {
+ proxy_pass http://localhost:8000;
+ }
+}
+
+# Store [Admin UI] (MedusaJS)
+server {
+ # Service: Store Admin | https://store-admin-8b56411b.nutra.tk
+ server_name store-api.nutra.tk store-admin-8b56411b.nutra.tk;
+ #listen 80;
+ listen 443 ssl;
+ listen 443 quic;
+ listen [::]:443 quic;
+ http2 on;
+ http3 on;
+ add_header Alt-Svc 'h3=":443"; ma=86400' always;
+ location / {
+ proxy_pass http://localhost:9000;
+ }
+}
+
+
+# UI, blog, favicon, default server
+server {
+ server_name dev.nutra.tk;
+
+ # HTTP/3 (QUIC) - UDP
+ listen 443 quic reuseport default_server;
+ listen [::]:443 quic reuseport default_server;
+
+ # HTTP/2 & 1.1 (Fallback) - TCP
+ listen 443 ssl default_server;
+ listen [::]:443 ssl default_server;
+
+ # Enable protocols
+ http2 on;
+ http3 on;
+
+ # Advertise HTTP/3 availability
+ add_header Alt-Svc 'h3=":443"; ma=86400' always;
+
+ client_max_body_size 50m;
+
+ # HSTS
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+ ssl_trusted_certificate /etc/ssl/private/ca-certs.pem;
+ # OCSP stapling (NOTE: Responders disabled by letsencrypt as of Q3 2025)
+ #ssl_stapling on;
+ #ssl_stapling_verify on;
+
+ # Services Map (Homepage)
+ location / {
+ alias /var/www/homepage.html;
+ default_type text/html;
+ }
+
+# # Blog / Sphinx
+# location /blog {
+# alias /var/www/blog;
+# index index.html;
+# }
+
+ # default favicon
+ location = /favicon.ico {
+ alias /var/www/favicon.gif;
+ }
+
+ # Other
+ location ~ /.well-known {
+ allow all;
+ }
+
+ # CV paths
+ location ~ ^/cv/(~?swe|swe~/resume\.pdf)$ {
+ alias /var/www/cv/swe/resume.pdf;
+ default_type application/pdf;
+ }
+ location ~ ^/resume(\.pdf|/swe\.pdf)$ {
+ alias /var/www/cv/swe/resume.pdf;
+ default_type application/pdf;
+ }
+
+ # public folder
+ location /public {
+ root /var/www;
+ autoindex on;
+ #index index.html index.htm;
+ #try_files $uri $uri/ /index.html =404;
+ }
+
+ # HTTPS / SSL
+ ssl_certificate /etc/letsencrypt/live/dev.nutra.tk/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/dev.nutra.tk/privkey.pem; # managed by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+}
+
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# Redirect www.dev.nutra.tk -> dev.nutra.tk
+server {
+ listen 443 ssl;
+ listen 443 quic;
+ listen [::]:443 quic;
+ http2 on;
+ http3 on;
+ server_name www.dev.nutra.tk;
+
+ ssl_certificate /etc/letsencrypt/live/dev.nutra.tk/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/dev.nutra.tk/privkey.pem;
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+
+ return 301 https://dev.nutra.tk$request_uri;
+}
+
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# Listen on 443 with matrix / synapse
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+server {
+ listen 443 ssl;
+ listen 443 quic;
+ http2 on;
+ http3 on;
+ add_header Alt-Svc 'h3=":443"; ma=86400' always;
+ server_name matrix.nutra.tk chat.nutra.tk;
+
+ location / {
+ # Service: Matrix Chat | https://chat.nutra.tk
+ proxy_pass http://127.0.0.1:8008;
+ proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ }
+
+ location /favicon.ico {
+ alias /var/www/favicon.gif;
+ }
+}
+
+# Open matrix chat on 8448
+server {
+ listen 8448 ssl default_server;
+ listen [::]:8448 ssl default_server;
+ server_name dev.nutra.tk;
+
+ location / {
+ proxy_pass http://127.0.0.1:8008;
+ proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ }
+
+ # HTTPS / SSL
+ ssl_certificate /etc/letsencrypt/live/dev.nutra.tk/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/dev.nutra.tk/privkey.pem; # managed by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+}
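Review bot: `location /public` in the default server combines a slashless prefix with `root /var/www;` and `autoindex on;`, so it publishes a browsable listing of everything under /var/www/public and also matches any URI that merely begins with `/public` (a sibling directory such as `/var/www/public-old` would be served too, if one exists). Anchor it as `location /public/ {` and, if the listing is intentional, record that in the comment above it, e.g. `# public folder: directory listing is deliberate, keep only shareable files here`; otherwise drop `autoindex on;`. The nearby `location ~ /.well-known` is loose in the same way, with an unanchored regex and an unescaped dot; `location ^~ /.well-known/ {` would match only that path. Both points apply equally to the first copy of this file earlier in the diff.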