# ============================================================ # Nginx — VirtualHost production pour Univers Group # Chemin : /etc/nginx/sites-available/univers-group.sn # Activer : sudo ln -s /etc/nginx/sites-available/univers-group.sn \ # /etc/nginx/sites-enabled/ # Recharger : sudo nginx -t && sudo systemctl reload nginx # ============================================================ # Redirection HTTP → HTTPS server { listen 80; listen [::]:80; server_name univers-group.sn www.univers-group.sn; # Let's Encrypt challenge location /.well-known/acme-challenge/ { root /var/www/html; } location / { return 301 https://$host$request_uri; } } # Serveur principal HTTPS server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name univers-group.sn www.univers-group.sn; # ── SSL (Certbot / Let's Encrypt) ─────────────────────── ssl_certificate /etc/letsencrypt/live/univers-group.sn/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/univers-group.sn/privkey.pem; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers off; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; # HSTS (activer une fois SSL validé) add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always; # ── Racine publique ────────────────────────────────────── root /var/www/univers-group/public; index index.php; # ── Sécurité ──────────────────────────────────────────── add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; # Masquer la version Nginx server_tokens off; # ── Taille maximale des uploads ────────────────────────── client_max_body_size 50M; # ── Logs ──────────────────────────────────────────────── access_log /var/log/nginx/univers-group.access.log; error_log /var/log/nginx/univers-group.error.log warn; # ── Bloquer l'accès aux fichiers sensibles ─────────────── location ~ /\.(env|htaccess|git|svn|DS_Store) { deny all; return 404; } # ── Assets statiques (cache agressif) ─────────────────── location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|otf|eot|webp|avif)$ { expires 1y; add_header Cache-Control "public, immutable"; access_log off; try_files $uri =404; } # ── Build Vite (cache immutable par hash de fichier) ──── location /build/ { expires 1y; add_header Cache-Control "public, immutable"; access_log off; try_files $uri =404; } # ── Storage public ─────────────────────────────────────── location /storage/ { try_files $uri =404; } # ── Dossier install : bloquer en production ────────────── location /install { deny all; return 404; } # ── Route principale : SPA + Laravel API ──────────────── # Toutes les requêtes non-fichier passent par index.php location / { try_files $uri $uri/ /index.php?$query_string; } # ── PHP-FPM ───────────────────────────────────────────── location ~ \.php$ { include snippets/fastcgi-php.conf; fastcgi_pass unix:/run/php/php8.2-fpm.sock; # Adapter selon la version fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name; # Timeouts pour les opérations longues (imports, exports) fastcgi_read_timeout 300; fastcgi_send_timeout 300; fastcgi_connect_timeout 60; # Paramètres recommandés Laravel fastcgi_param HTTP_PROXY ""; include fastcgi_params; } # ── Gzip ──────────────────────────────────────────────── gzip on; gzip_comp_level 5; gzip_min_length 256; gzip_types application/javascript application/json application/xml text/css text/javascript text/plain text/xml image/svg+xml font/woff2; gzip_vary on; }