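# Plain-HTTP listener: serves ACME HTTP-01 challenge files and redirects
# every other request to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name cinny.domain.tld;

    location / {
        # $host reflects the request's Host header whenever this block also
        # acts as the default server for port 80; in that case redirect to
        # the literal server name instead.
        return 301 https://$host$request_uri;
    }

    # Keep the trailing "/" on both the location prefix and the alias so the
    # mapped path always stays inside the challenge directory.
    location /.well-known/acme-challenge/ {
        alias /var/lib/letsencrypt/.well-known/acme-challenge/;
    }
}

# HTTPS listener serving the static Cinny build from /opt/cinny/dist/.
server {
    # The http2 parameter is set per listening socket, so it is repeated on
    # the IPv6 listener; otherwise IPv6 clients would not be offered HTTP/2.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name cinny.domain.tld;

    # No ssl_certificate / ssl_certificate_key is set in this block. They
    # must be added here or inherited from the http context for the ssl
    # listeners to work; TLS protocol and cipher settings likewise come from
    # wherever those are configured.

    # Security headers (generic; add a Content-Security-Policy suited to your
    # homeserver + any embedded services). NOTE: nginx does not inherit
    # server-level add_header into a location that sets its own add_header.
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-Content-Type-Options nosniff always;
    add_header Referrer-Policy strict-origin-when-cross-origin always;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
    add_header Permissions-Policy "accelerometer=(), autoplay=(self), camera=(self), display-capture=(self), encrypted-media=(self), fullscreen=(self), geolocation=(self), gyroscope=(), magnetometer=(), microphone=(self), midi=(), payment=(), usb=()" always;

    location / {
        root /opt/cinny/dist/;

        # Known static files and directories are served as-is. The dots are
        # escaped so each pattern matches only the literal file name.
        rewrite ^/config\.json$ /config.json break;
        rewrite ^/manifest\.json$ /manifest.json break;

        rewrite ^/sw\.js$ /sw.js break;
        rewrite ^/pdf\.worker\.min\.js$ /pdf.worker.min.js break;

        rewrite ^/public/(.*)$ /public/$1 break;
        rewrite ^/assets/(.*)$ /assets/$1 break;

        # Every other path is an in-app route: hand it to the single-page
        # app's entry point.
        rewrite ^(.+)$ /index.html break;
    }
}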