# Redirect all HTTP to HTTPS, except ACME challenges (certbot renewal) server { listen 80; server_name goodwalk.co.nz www.goodwalk.co.nz; location /.well-known/acme-challenge/ { root /var/www/certbot; } location / { return 301 https://$host$request_uri; } } server { listen 80; server_name clients.goodwalk.co.nz onboarding.goodwalk.co.nz; location /.well-known/acme-challenge/ { root /var/www/certbot; } location / { return 301 https://clients.goodwalk.co.nz$request_uri; } } server { listen 80; server_name cp.goodwalk.co.nz admin.goodwalk.co.nz; location /.well-known/acme-challenge/ { root /var/www/certbot; } location / { return 301 https://cp.goodwalk.co.nz$request_uri; } } server { listen 443 ssl; server_name goodwalk.co.nz www.goodwalk.co.nz; ssl_certificate /etc/letsencrypt/live/goodwalk.co.nz/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/goodwalk.co.nz/privkey.pem; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Frame-Options SAMEORIGIN always; add_header X-Content-Type-Options nosniff always; add_header Referrer-Policy strict-origin-when-cross-origin always; gzip on; gzip_types text/plain text/css application/javascript application/json image/svg+xml; location /api/submit { proxy_pass http://mail-api:8000/submit; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } location / { proxy_pass http://app:3000; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } } server { listen 443 ssl; server_name onboarding.goodwalk.co.nz; ssl_certificate /etc/letsencrypt/live/onboarding.goodwalk.co.nz/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/onboarding.goodwalk.co.nz/privkey.pem; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; return 301 https://clients.goodwalk.co.nz$request_uri; } server { listen 443 ssl; server_name clients.goodwalk.co.nz; ssl_certificate /etc/letsencrypt/live/clients.goodwalk.co.nz/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/clients.goodwalk.co.nz/privkey.pem; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Frame-Options SAMEORIGIN always; add_header X-Content-Type-Options nosniff always; add_header Referrer-Policy strict-origin-when-cross-origin always; gzip on; gzip_types text/plain text/css application/javascript application/json image/svg+xml; location /api/onboarding-submit { proxy_pass http://mail-api:8000/onboarding-submit; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } location /api/auth/ { rewrite ^/api/auth/(.*)$ /auth/$1 break; proxy_pass http://mail-api:8000; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } location / { proxy_pass http://app:3000; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } } server { listen 443 ssl; server_name admin.goodwalk.co.nz; ssl_certificate /etc/letsencrypt/live/admin.goodwalk.co.nz/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/admin.goodwalk.co.nz/privkey.pem; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; return 301 https://cp.goodwalk.co.nz$request_uri; } server { listen 443 ssl; server_name cp.goodwalk.co.nz; ssl_certificate /etc/letsencrypt/live/cp.goodwalk.co.nz/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/cp.goodwalk.co.nz/privkey.pem; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Frame-Options DENY always; add_header X-Content-Type-Options nosniff always; add_header Referrer-Policy no-referrer always; add_header X-Robots-Tag "noindex, nofollow" always; gzip on; gzip_types text/plain text/css application/javascript application/json image/svg+xml; location /api/auth/ { rewrite ^/api/auth/(.*)$ /auth/$1 break; proxy_pass http://mail-api:8000; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } location /api/owner/ { rewrite ^/api/owner/(.*)$ /owner/$1 break; proxy_pass http://mail-api:8000; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } location / { proxy_pass http://app:3000; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } }