From 44a1bc9e4ab6e1ed48a9add23db7d9a6b1455412 Mon Sep 17 00:00:00 2001
From: thomasabishop
Date: Thu, 10 Jul 2025 16:06:20 +0100
Subject: [PATCH] feat (infra): add nginx config for systemsobscure.blog
---
 proxy/nginx/conf.d/systemsobscure.conf | 63 ++++++++++++++++++++++++++
 1 file changed, 63 insertions(+)
 create mode 100644 proxy/nginx/conf.d/systemsobscure.conf
diff --git a/proxy/nginx/conf.d/systemsobscure.conf b/proxy/nginx/conf.d/systemsobscure.conf
new file mode 100644
index 0000000..35a94ee
--- /dev/null
+++ b/proxy/nginx/conf.d/systemsobscure.conf
@@ -0,0 +1,63 @@
+# HTTP to HTTPS redirect
+server {
+ listen 80;
+ server_name systemsobscure.blog www.systemsobscure.blog;
+ return 301 https://$server_name$request_uri;
+}
+
+# Main HTTPS server
+server {
+ listen 443 ssl http2;
+ server_name systemsobscure.blog www.systemsobscure.blog;
+
+ # SSL certificate paths
+ ssl_certificate /etc/letsencrypt/live/systemsobscure.net/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/systemsobscure.net/privkey.pem;
+
+ # SSL security hardening
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;
+ ssl_prefer_server_ciphers off;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+
+ # Security headers
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+ # Document root
+ root /var/www/systemsobscure.blog;
+ index index.html;
+
+ # Enable gzip compression
+ gzip on;
+ gzip_vary on;
+ gzip_min_length 1024;
+ gzip_types
+ text/plain
+ text/css
+ text/xml
+ text/javascript
+ application/javascript
+ application/xml+rss
+ application/json;
+
+ # Handle client-side routing (SPA fallback)
+ location / {
+ try_files $uri $uri/ /index.html;
+ }
+
+ # Cache static assets for better performance
+ location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
+ expires 1y;
+ add_header Cache-Control "public, immutable";
+ try_files $uri =404;
+ }
+
+ # Block access to hidden files (.env, .git, etc)
+ location ~ /\. {
+ deny all;
+ }
+}
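Review bot: The security headers set at server level (X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Strict-Transport-Security) will not be sent on responses served by the static-asset `location ~* \.(js|css|...)$` block, because nginx inherits `add_header` from the enclosing level only when the current level defines no `add_header` of its own, and that location sets `Cache-Control`. Either repeat the four headers inside that location (shown below) or move them into a shared snippet that every location includes. Separately, `ssl_certificate` and `ssl_certificate_key` point at `/etc/letsencrypt/live/systemsobscure.net/` while `server_name` is `systemsobscure.blog`; unless that certificate's SAN list covers the .blog names, clients will see a hostname mismatch, so it is worth confirming the path is intentional. The `location ~ /\.` deny also matches `/.well-known/`, which matters if certificate renewal relies on HTTP-01 challenges served from this webroot (port 80 redirects to this server); an earlier `location ^~ /.well-known/acme-challenge/` block would exempt it. Also, `return 301 https://$server_name$request_uri` expands to the first server_name, so www requests are redirected to the bare domain, which is fine if that canonicalisation is intended but otherwise should use `$host`.
```nginx
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
        # add_header is not inherited once this level sets one; repeat the server-level security headers
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        try_files $uri =404;
    }
```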