server.conf

http {
  map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
  }

  upstream websocket {
    server couloirs:4000;
  }

  server {
    listen 80;
    server_name api.sundaypeak.com;

    location ~ /.well-known/acme-challenge {
      allow all;
      root /var/www/html;
    }

    location / {
      rewrite ^ https://$host$request_uri? permanent;
    }
  }

  server {
    client_max_body_size 15M;

    listen 443 ssl http2;
    server_name api.sundaypeak.com;

    ssl_certificate /etc/letsencrypt/live/api.sundaypeak.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api.sundaypeak.com/privkey.pem;

    ssl_protocols TLSv1.3;

    location /ws {
      try_files $uri @couloirs;
    }

    location / {                       
      try_files $uri @rivers;
    }

    location @couloirs {
      proxy_pass http://websocket;
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "Upgrade";
      proxy_set_header Host $host;
    }

    location @rivers {
      proxy_pass http://rivers:5000;
      add_header X-Frame-Options "SAMEORIGIN" always;
      add_header X-XSS-Protection "1; mode=block" always;
      add_header X-Content-Type-Options "nosniff" always;
      add_header Referrer-Policy "no-referrer-when-downgrade" always;
      add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
    }

    root /var/www/html;
    index index.html;
  }
}

events { }