upstream api { server backend:4000; } server { listen 80; large_client_header_buffers 8 128k; client_header_buffer_size 128k; location ~ ^/(api|secret-scanning/webhooks) { proxy_set_header X-Real-RIP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; proxy_set_header X-NginX-Proxy true; proxy_pass http://api; proxy_redirect off; proxy_cookie_path / "/; SameSite=strict"; } location /runtime-ui-env.js { proxy_set_header X-Real-RIP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; proxy_set_header X-NginX-Proxy true; proxy_pass http://api; proxy_redirect off; proxy_cookie_path / "/; HttpOnly; SameSite=strict"; } location /api/v3/migrate { client_max_body_size 25M; proxy_set_header X-Real-RIP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; proxy_set_header X-NginX-Proxy true; proxy_pass http://api; proxy_redirect off; proxy_cookie_path / "/; HttpOnly; SameSite=strict"; } location ~ /\.well-known { proxy_set_header X-Real-RIP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; proxy_set_header X-NginX-Proxy true; proxy_set_header X-SSL-Client-Cert $ssl_client_escaped_cert; # proxy_set_header X-SSL-Client-Cert $http_x_ssl_client_cert; # proxy_pass_request_headers on; proxy_pass http://api; proxy_redirect off; # proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; proxy_cookie_path / "/; HttpOnly; SameSite=strict"; } location / { include /etc/nginx/mime.types; proxy_set_header X-Real-RIP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; proxy_set_header X-NginX-Proxy true; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_pass http://frontend:3000; proxy_redirect off; } }