server { listen 80 default_server; listen [::]:80 default_server; server_name _; root /usr/share/nginx/html; index index.html; # Gzip gzip on; gzip_vary on; gzip_min_length 1024; gzip_proxied any; gzip_comp_level 6; gzip_types text/plain text/css text/xml text/javascript application/javascript application/json application/xml application/xml+rss application/manifest+json image/svg+xml; # Security headers add_header X-Content-Type-Options "nosniff" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; # Healthcheck endpoint for Coolify / Docker location = /healthz { access_log off; add_header Content-Type text/plain; return 200 "ok\n"; } # Service worker must never be cached (PWA updates rely on this) location = /sw.js { add_header Cache-Control "no-cache, no-store, must-revalidate"; add_header Pragma "no-cache"; expires 0; try_files $uri =404; } location = /registerSW.js { add_header Cache-Control "no-cache, no-store, must-revalidate"; expires 0; try_files $uri =404; } location = /manifest.webmanifest { add_header Cache-Control "no-cache"; types { } default_type "application/manifest+json"; try_files $uri =404; } # Hashed build assets — safe to cache for a year location /assets/ { access_log off; add_header Cache-Control "public, max-age=31536000, immutable"; try_files $uri =404; } # Static images / icons — moderate cache location ~* \.(?:png|jpg|jpeg|gif|ico|svg|webp|avif|woff2?)$ { access_log off; add_header Cache-Control "public, max-age=604800"; try_files $uri =404; } # SPA fallback — every other route serves index.html (uncached) location / { add_header Cache-Control "no-cache"; try_files $uri $uri/ /index.html; } }