map $request_uri $masked_uri { default $request_uri; "~^(/bot)[^/]+(/.*)$" "$1[REDACTED]$2"; } log_format baton_secure '$remote_addr - $remote_user [$time_local] ' '"$request_method $masked_uri $server_protocol" ' '$status $body_bytes_sent ' '"$http_referer" "$http_user_agent"'; server { listen 80; server_name _; access_log /var/log/nginx/baton_access.log baton_secure; error_log /var/log/nginx/baton_error.log warn; add_header X-Content-Type-Options nosniff always; add_header X-Frame-Options DENY always; add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'" always; # API + health + admin → backend location /api/ { proxy_pass http://backend:8000; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_read_timeout 30s; proxy_send_timeout 30s; proxy_connect_timeout 5s; } location /health { proxy_pass http://backend:8000; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } location /admin/users { proxy_pass http://backend:8000; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_read_timeout 30s; } # Frontend static location / { root /usr/share/nginx/html; try_files $uri /index.html; expires 1h; add_header Cache-Control "public" always; add_header X-Content-Type-Options nosniff always; add_header X-Frame-Options DENY always; add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'" always; } }