baton/nginx/docker.conf

map $request_uri $masked_uri {
    default                    $request_uri;
    "~^(/bot)[^/]+(/.*)$"     "$1[REDACTED]$2";
}

log_format baton_secure '$remote_addr - $remote_user [$time_local] '
                        '"$request_method $masked_uri $server_protocol" '
                        '$status $body_bytes_sent '
                        '"$http_referer" "$http_user_agent"';

server {
    listen 80;
    server_name _;

    access_log /var/log/nginx/baton_access.log baton_secure;
    error_log  /var/log/nginx/baton_error.log warn;

    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options DENY always;
    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'" always;

    # API + health + admin → backend
    location /api/ {
        proxy_pass         http://backend:8000;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_read_timeout  30s;
        proxy_send_timeout  30s;
        proxy_connect_timeout 5s;
    }

    location /health {
        proxy_pass         http://backend:8000;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }

    location /admin/users {
        proxy_pass         http://backend:8000;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_read_timeout  30s;
    }

    # Frontend static
    location / {
        root       /usr/share/nginx/html;
        try_files  $uri /index.html;
        expires    1h;
        add_header Cache-Control "public" always;
        add_header X-Content-Type-Options nosniff always;
        add_header X-Frame-Options DENY always;
        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'" always;
    }
}
infra: add Docker setup for portable deployment Dockerfile (Python 3.12 slim) + docker-compose (backend + nginx). Backend on port 8000 inside container, nginx proxies API and serves frontend static. SQLite persisted in named volume. Nginx listens on 127.0.0.1:8080 — external SSL handled by host reverse proxy. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-21 16:23:08 +02:00			`map $request_uri $masked_uri {`
			`default $request_uri;`
			`"~^(/bot)[^/]+(/.*)$" "$1[REDACTED]$2";`
			`}`

			`log_format baton_secure '$remote_addr - $remote_user [$time_local] '`
			`'"$request_method $masked_uri $server_protocol" '`
			`'$status $body_bytes_sent '`
			`'"$http_referer" "$http_user_agent"';`

			`server {`
			`listen 80;`
			`server_name _;`

			`access_log /var/log/nginx/baton_access.log baton_secure;`
			`error_log /var/log/nginx/baton_error.log warn;`

			`add_header X-Content-Type-Options nosniff always;`
			`add_header X-Frame-Options DENY always;`
			`add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'" always;`

			`# API + health + admin → backend`
			`location /api/ {`
			`proxy_pass http://backend:8000;`
			`proxy_set_header Host $host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $scheme;`
			`proxy_read_timeout 30s;`
			`proxy_send_timeout 30s;`
			`proxy_connect_timeout 5s;`
			`}`

			`location /health {`
			`proxy_pass http://backend:8000;`
			`proxy_set_header Host $host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $scheme;`
			`}`

			`location /admin/users {`
			`proxy_pass http://backend:8000;`
			`proxy_set_header Host $host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $scheme;`
			`proxy_read_timeout 30s;`
			`}`

			`# Frontend static`
			`location / {`
			`root /usr/share/nginx/html;`
			`try_files $uri /index.html;`
			`expires 1h;`
			`add_header Cache-Control "public" always;`
			`add_header X-Content-Type-Options nosniff always;`
			`add_header X-Frame-Options DENY always;`
			`add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'" always;`
			`}`
			`}`