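# Reverse proxy for an EspoCRM container: plain HTTP on port 80 plus a
# WebSocket pass-through on port 8080.
# `espocrm.container.ip`, `espocrm.mydns.com` and `localIP` are placeholders
# to be replaced with the real values.

# Derive the Connection header sent upstream from the client's Upgrade header:
# "upgrade" when the client asked for a protocol upgrade, "close" otherwise.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# WebSocket daemon of the EspoCRM container.
upstream websocket {
    server espocrm.container.ip:8080;
}

# Direct WebSocket listener.
# NOTE(review): this listens on every interface with no server_name and no
# allow/deny rules, so anything that can reach port 8080 reaches the upstream.
# Restrict it with a bind address, firewall rule or allow/deny list unless that
# exposure is intended.
server {
    listen 8080;

    location / {
        proxy_pass http://websocket;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # $remote_addr replaces any X-Forwarded-For sent by the client, so the
        # upstream only ever sees the address of the direct peer.
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}

# Main site.
server {
    listen 80;
    server_name espocrm.mydns.com;

    # proxy_pass with a variable is resolved at request time; if the value is a
    # hostname rather than an IP address, a `resolver` directive is required.
    set $upstream espocrm.container.ip;

    # Do not advertise the nginx version (inherited by every location below).
    server_tokens off;

    location / {
        # Strip headers coming back from the application.
        proxy_hide_header X-Powered-By;
        proxy_hide_header access-control-allow-methods;
        proxy_pass_header Authorization;

        proxy_pass http://$upstream;

        # Request headers forwarded to the application.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Overwrites (does not append to) any client-supplied value.
        proxy_set_header X-Forwarded-For $remote_addr;

        # Browser security headers are RESPONSE headers, so they are emitted
        # with add_header. proxy_set_header would only add them to the request
        # sent to the backend, and the browser would never see them.
        # `always` is an add_header parameter (emit on error responses too),
        # not part of the header value.
        # add_header in this location replaces any add_header inherited from
        # the server level, and does not apply to the other locations.
        # NOTE(review): if the application already sends some of these headers
        # the client gets duplicates - check a response and add a matching
        # proxy_hide_header where needed.
        # Use a single X-Frame-Options value; switch to DENY if the application
        # is never embedded in a frame.
        add_header X-Frame-Options "SAMEORIGIN" always;
        # Legacy header, ignored by current browsers; the CSP below is the
        # effective control.
        add_header X-XSS-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Referrer-Policy "no-referrer-when-downgrade" always;
        # Browsers honour HSTS only on responses received over HTTPS. This
        # server block is plain HTTP, so the header takes effect only if TLS is
        # terminated in front of it.
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains" always;
        add_header Content-Security-Policy "frame-ancestors http://*.mydns.com" always;

        proxy_http_version 1.1;
        # Empty Connection header enables keep-alive to the upstream.
        proxy_set_header Connection "";
        proxy_buffering off;
        # 0 disables the request-body size check entirely. Set an explicit
        # limit if unbounded uploads are not required.
        client_max_body_size 0;
        proxy_read_timeout 36000s;
        proxy_redirect off;

        #proxy_intercept_errors on;
        #include /etc/nginx/error_page.conf;

        # Optional source-address restriction (disabled):
        # allow localIP/24;                      # only allow local IP
        # include /etc/nginx/ip4-belgium.conf;   # only allow belgium IP
        # deny all;
    }

    # WebSocket endpoints; the long read timeout keeps idle sockets open.
    location /wss {
        proxy_pass http://websocket;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_read_timeout 12h;
    }

    location /ws {
        proxy_pass http://websocket;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_read_timeout 12h;
    }

    # Application-internal directories must never be served to clients.
    # `^~` stops regex locations from overriding these prefix matches.
    location ^~ /data/ {
        deny all;
    }

    location ^~ /install/ {
        deny all;
    }

    location ^~ /application/ {
        deny all;
    }

    location ^~ /custom/ {
        deny all;
    }

    # Keep routine probes out of the logs.
    # NOTE(review): these two locations have no proxy_pass, so nginx answers
    # them from its own document root instead of the application - confirm
    # that this is intended.
    location ^~ /favicon.ico {
        access_log off;
        log_not_found off;
    }

    location ^~ /robots.txt {
        access_log off;
        log_not_found off;
    }
}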