Tweaks, fixes, and launch prep

2026-02-06 19:09:48 -03:00
parent 22b21d254c
commit 2959360d65
34 changed files with 496 additions and 81 deletions
--- a/nginx/default.conf
+++ b/nginx/default.conf
@@ -1,12 +1,29 @@
 # Host-based routing: mifi.dev / www.mifi.dev → dev root, mifi.bio / www.mifi.bio → bio root
+# Security headers are handled upstream by Traefik
+
 server {
    listen 80 default_server;
    server_name mifi.dev www.mifi.dev;
    root /usr/share/nginx/html/dev;
    index index.html;
+
+    # Map canonical .well-known paths to variant-specific files
+    location = /.well-known/security.txt {
+        alias $document_root/.well-known/dev.security.txt;
+        add_header Cache-Control "public, max-age=86400";
+    }
+    location = /.well-known/appspecific/com.chrome.devtools.json {
+        alias $document_root/.well-known/dev.com.chrome.devtools.json;
+        add_header Cache-Control "public, max-age=86400";
+    }
+
+    include /etc/nginx/snippets/cache-rules.conf;
+
    location / {
        try_files $uri $uri/ /index.html;
    }
+
+    error_page 404 /index.html;
 }

 server {
@@ -14,7 +31,22 @@ server {
    server_name mifi.bio www.mifi.bio;
    root /usr/share/nginx/html/bio;
    index index.html;
+
+    # Map canonical .well-known paths to variant-specific files
+    location = /.well-known/security.txt {
+        alias $document_root/.well-known/bio.security.txt;
+        add_header Cache-Control "public, max-age=86400";
+    }
+    location = /.well-known/appspecific/com.chrome.devtools.json {
+        alias $document_root/.well-known/bio.com.chrome.devtools.json;
+        add_header Cache-Control "public, max-age=86400";
+    }
+
+    include /etc/nginx/snippets/cache-rules.conf;
+
    location / {
        try_files $uri $uri/ /index.html;
    }
+
+    error_page 404 /index.html;
 }
--- a/nginx/snippets/cache-rules.conf
+++ b/nginx/snippets/cache-rules.conf
@@ -0,0 +1,64 @@
+# Cache and security rules for static site (included by both dev and bio server blocks)
+# Security headers are handled upstream by Traefik
+
+# HTML: no-cache (always revalidate)
+location ~ \.html$ {
+    add_header Cache-Control "no-cache, must-revalidate";
+    expires 0;
+}
+
+# CSS and JavaScript: long cache with immutable (hashed filenames)
+location ~* \.(css|js)$ {
+    add_header Cache-Control "public, max-age=31536000, immutable";
+    access_log off;
+}
+
+# Images: long cache (30 days)
+location ~* \.(jpg|jpeg|png|gif|webp|avif)$ {
+    add_header Cache-Control "public, max-age=2592000";
+    access_log off;
+}
+
+# SVG images: long cache (30 days)
+location ~* \.svg$ {
+    add_header Cache-Control "public, max-age=2592000";
+    add_header Content-Type image/svg+xml;
+    access_log off;
+}
+
+# Fonts: long cache with immutable
+location ~* \.(woff|woff2|ttf|otf|eot)$ {
+    add_header Cache-Control "public, max-age=31536000, immutable";
+    access_log off;
+}
+
+# Documents: medium cache (30 days)
+location ~* \.(pdf|doc|docx)$ {
+    add_header Cache-Control "public, max-age=2592000";
+    access_log off;
+}
+
+# robots.txt: short cache (1 day)
+location = /robots.txt {
+    add_header Cache-Control "public, max-age=86400";
+    access_log off;
+}
+
+# favicon: long cache (30 days)
+location = /favicon.svg {
+    add_header Cache-Control "public, max-age=2592000";
+    add_header Content-Type image/svg+xml;
+    access_log off;
+}
+
+# .well-known (security.txt, ACME, etc.)
+location ^~ /.well-known/ {
+    add_header Cache-Control "public, max-age=86400";
+}
+
+# Deny hidden files
+location ~ /\. {
+    deny all;
+    access_log off;
+    log_not_found off;
+}