From 98e688444d7a370b84cd53f4e0df58ed267602ef Mon Sep 17 00:00:00 2001
From: ShaneMPutnam
Date: Sun, 21 Sep 2025 20:02:06 +0000
Subject: [PATCH 1/4] Add env to compose
---
 docker-compose.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/docker-compose.yml b/docker-compose.yml
index e27a8ed..a0dc198 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -5,6 +5,8 @@ services:
 image: ${ECR_AWS_ACCOUNT_ID}.dkr.ecr.${ECR_AWS_REGION}.amazonaws.com/${ECR_CLIENT_IMAGE_TAG}
 networks:
 - hydroshift
+ env_file:
+ - .env
 restart: unless-stopped
 mem_limit: 4GB
 mem_reservation: 2GB
From 8ddc07671275d1202884733ffd130a6a862ff20c Mon Sep 17 00:00:00 2001
From: ShaneMPutnam
Date: Sun, 21 Sep 2025 20:08:48 +0000
Subject: [PATCH 2/4] Add Nginx and configure HTTP headers
---
 docker-compose.yml | 20 ++++++++++++++++----
 nginx/default.conf | 25 +++++++++++++++++++++++++
 2 files changed, 41 insertions(+), 4 deletions(-)
 create mode 100644 nginx/default.conf
diff --git a/docker-compose.yml b/docker-compose.yml
index a0dc198..ca9e244 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -11,12 +11,24 @@ services:
 mem_limit: 4GB
 mem_reservation: 2GB
 stdin_open: true
+
+ nginx:
+ container_name: nginx
+ init: true
+ image: nginx:stable-alpine
+ networks:
+ - hydroshift
+ volumes:
+ - ./nginx/default.conf:/etc/nginx/conf.d/default.conf
+ restart: unless-stopped
+ mem_limit: 0.5GB
+ mem_reservation: 0.25GB
 labels:
 - 'traefik.enable=true'
- - 'traefik.http.routers.client.rule=Host(`${PROD_APP_HOST}`)'
- - 'traefik.http.routers.client.tls=true'
- - 'traefik.http.routers.client.tls.certresolver=letsencrypt'
- - 'traefik.docker.network=hydroshift_hydroshift'
+ - 'traefik.http.routers.nginx.rule=Host(`${PROD_APP_HOST}`)'
+ - 'traefik.http.routers.nginx.tls=true'
+ - 'traefik.http.routers.nginx.tls.certresolver=lets-encrypt'
+ - 'traefik.docker.network=sd-viewer_sd-viewer'
 - 'traefik.http.routers.static.middlewares=secHeaders@file'
 networks:
 hydroshift:
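Review bot: The `env_file: - .env` entry added in the PATCH 1/4 hunk passes every variable in `.env` to the client container, and `.env` is also the file Compose reads by default to interpolate `${ECR_AWS_ACCOUNT_ID}`, `${ECR_AWS_REGION}` and `${ECR_CLIENT_IMAGE_TAG}` on the `image:` line above. If that file also holds deployment-only values or credentials (not visible here), they become readable inside the container and through `docker inspect`. Consider a file scoped to the service, e.g. `env_file: - client.env` (constructed name), or an explicit `environment:` list of the variables the client needs, and confirm `.env` is excluded from version control. The service definition starts above the hunk.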
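Review bot: The unchanged label `traefik.http.routers.static.middlewares=secHeaders@file` at the end of the PATCH 2/4 docker-compose.yml hunk attaches the middleware to a router named `static`, while the rule and TLS labels in the same hunk now define a router named `nginx`; unless a `static` router is defined elsewhere, `secHeaders` is not applied to this route. It should probably read `- 'traefik.http.routers.nginx.middlewares=secHeaders@file'`; the line is still unchanged in the context of PATCH 3/4 and PATCH 4/4. Once it is attached, compare it with the `add_header` lines in nginx/default.conf so the same security header is not sent twice with different values. Separately, the config bind mount can be read-only, `- ./nginx/default.conf:/etc/nginx/conf.d/default.conf:ro`, and `nginx:stable-alpine` is a floating tag that could be pinned to a digest.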
diff --git a/nginx/default.conf b/nginx/default.conf
new file mode 100644
index 0000000..ff6fc7e
--- /dev/null
+++ b/nginx/default.conf
@@ -0,0 +1,25 @@
+server {
+ listen 80;
+ server_name hydroshift.dewberryanalytics.com www.hydroshift.dewberryanalytics.com;
+ index index.php index.html index.htm;
+ location / {
+ proxy_pass http://client:80/;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $http_host;
+ proxy_redirect off;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+ add_header Content-Security-Policy "default-src * data: blob: 'unsafe-eval' 'unsafe-inline'" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header Referrer-Policy "no-referrer-when-downgrade" always;
+ add_header Permissions-Policy "autoplay=(), geolocation=(), camera=(), fullscreen=()";
+ }
+ error_page 404 /404.html;
+ error_page 500 502 503 504 /50x.html;
+location = /50x.html {
+ root /usr/share/nginx/html;
+ }
+}
\ No newline at end of file
From 3450f0f9e92c6f0b12dac9f4206a1dbb2bdf80b2 Mon Sep 17 00:00:00 2001
From: ShaneMPutnam
Date: Sun, 21 Sep 2025 20:09:58 +0000
Subject: [PATCH 3/4] Update network name
---
 docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index ca9e244..391e9ce 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -28,7 +28,7 @@ services:
 - 'traefik.http.routers.nginx.rule=Host(`${PROD_APP_HOST}`)'
 - 'traefik.http.routers.nginx.tls=true'
 - 'traefik.http.routers.nginx.tls.certresolver=lets-encrypt'
- - 'traefik.docker.network=sd-viewer_sd-viewer'
+ - 'traefik.docker.network=hydroshift_hydroshift'
 - 'traefik.http.routers.static.middlewares=secHeaders@file'
 networks:
 hydroshift:
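Review bot: The `Content-Security-Policy` value added in nginx/default.conf (PATCH 2/4), `default-src * data: blob: 'unsafe-eval' 'unsafe-inline'`, allows every origin plus inline script and eval, so it gives no protection against script injection while suggesting that a policy is in place. A tighter starting point is `add_header Content-Security-Policy "default-src 'self'" always;`, widened only for the origins the client actually loads, and it can be trialled first under `Content-Security-Policy-Report-Only`. The `Permissions-Policy` line is the only `add_header` without `always`, so it is left off error responses; adding `always` keeps it consistent with the other five. The HSTS value combines `preload` and `includeSubDomains` with a two-year `max-age`, which is hard to undo once browsers have cached it, so confirm every subdomain of the served host is HTTPS-only before shipping it.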
From f65c6dc566417260ba7363c7c9e45928084d18ab Mon Sep 17 00:00:00 2001
From: ShaneMPutnam
Date: Sun, 21 Sep 2025 20:10:47 +0000
Subject: [PATCH 4/4] Revert name of cert resolver
---
 docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index 391e9ce..5ad82bc 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -27,7 +27,7 @@ services:
 - 'traefik.enable=true'
 - 'traefik.http.routers.nginx.rule=Host(`${PROD_APP_HOST}`)'
 - 'traefik.http.routers.nginx.tls=true'
- - 'traefik.http.routers.nginx.tls.certresolver=lets-encrypt'
+ - 'traefik.http.routers.nginx.tls.certresolver=letsencrypt'
 - 'traefik.docker.network=hydroshift_hydroshift'
 - 'traefik.http.routers.static.middlewares=secHeaders@file'
 networks: