bztmon-site/nginx/default.conf
jwright c1db5cec86 M4: security pass — strict CSP, header split, build-time scan
All JS moved to external /site.js → script-src 'self' with no inline JS,
hashes or eval. Full header set via nginx (CSP, nosniff, frame-deny,
referrer, permissions, COOP/CORP); HSTS stays at the CF edge. Shared
headers include avoids the location add_header reset footgun. Build-time
secret/inline-script/third-party scan gate. SECURITY.md documents posture.
2026-06-17 17:12:57 +10:00


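# nginx server config for the static site, baked into the image.
# Base image: nginxinc/nginx-unprivileged (runs as uid 101, listens on 8080).
# Read-only rootfs in k8s: /tmp and /var/cache/nginx are emptyDir mounts.
#
# Header model: the full security header set (CSP, nosniff, frame, referrer,
# permissions, COOP/CORP) lives in /etc/nginx/security-headers.conf and is
# included once at server level. nginx's add_header is not additive across
# levels — a location that sets its own add_header drops every inherited
# header — so every location that uses add_header re-includes the file.
# A location with no add_header of its own inherits the server-level set.
server {
    listen 8080;
    server_name _;
    root /usr/share/nginx/html;
    index index.html;

    # Don't leak the nginx version in the Server header or built-in error pages.
    server_tokens off;

    # nginx only ever sees plain HTTP on 8080; TLS terminates at the edge.
    # Any redirect nginx generates itself (e.g. directory -> trailing slash)
    # would otherwise carry an absolute "http://<host>:8080/..." Location,
    # downgrading the scheme and exposing the pod port. A relative Location
    # is resolved by the client against the https origin it actually used.
    absolute_redirect off;

    # Security headers — applied site-wide (see header model above).
    include /etc/nginx/security-headers.conf;

    # ---- Caching -------------------------------------------------------------
    # Astro emits content-hashed assets under /_astro/ — cache them hard.
    # One explicit Cache-Control is emitted instead of `expires 1y` plus a
    # second add_header: that combination produced two Cache-Control fields
    # ("max-age=31536000" and "public, immutable") that intermediaries had to
    # merge; a single field is unambiguous.
    location /_astro/ {
        include /etc/nginx/security-headers.conf;
        add_header Cache-Control "public, max-age=31536000, immutable" always;
    }

    # Non-fingerprinted top-level script — revalidate so updates propagate.
    location = /site.js {
        include /etc/nginx/security-headers.conf;
        add_header Cache-Control "no-cache" always;
    }

    # HTML requested by its .html path is revalidated so deploys show up
    # immediately. Note this regex only sees requests whose URI ends in .html
    # (including the internal redirect to /dir/index.html from `$uri/`);
    # clean URLs served via `$uri.html` are handled in `location /` below.
    location ~* \.html$ {
        include /etc/nginx/security-headers.conf;
        add_header Cache-Control "no-cache" always;
    }

    # ---- Routing -------------------------------------------------------------
    # Everything not matched above: clean URLs (/foo -> /foo.html) and
    # non-fingerprinted root files (favicon, robots.txt, sitemap, manifest).
    # try_files serves a matching `$uri.html` from this location without an
    # internal redirect, so that HTML never reaches the `\.html$` location —
    # the no-cache policy must be set here too. Without it those pages fall
    # back to nginx's static default (Last-Modified/ETag, no Cache-Control)
    # and heuristic caching can keep a stale copy alive across a deploy.
    # Only the final `=404` parameter triggers an internal redirect.
    location / {
        include /etc/nginx/security-headers.conf;
        add_header Cache-Control "no-cache" always;
        try_files $uri $uri/ $uri.html =404;
    }

    # Custom 404. `internal` makes /404.html reachable only via error_page,
    # never by direct request (a direct hit is itself a 404). Exact match
    # beats the `\.html$` regex, so its no-cache policy does not apply here
    # and is restated; restating add_header requires re-including the header set.
    error_page 404 /404.html;
    location = /404.html {
        internal;
        include /etc/nginx/security-headers.conf;
        add_header Cache-Control "no-cache" always;
    }

    # ---- Compression ---------------------------------------------------------
    # text/html is always compressed by nginx; the list below adds the other
    # text-like types. Already-compressed formats (woff2, png, jpg) gain
    # nothing from gzip and are not listed.
    gzip on;
    gzip_comp_level 6;
    gzip_min_length 1024;
    gzip_types text/plain text/css application/javascript application/json image/svg+xml application/xml application/rss+xml;
    gzip_vary on;
}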