Nginx and SSL¶

Nginx acts as the reverse proxy and TLS terminator for both the dashboard and the documentation site. The configuration file is at tradingview-strategy/nginx/nginx.conf.

Upstream Routing¶

Domain	Upstream	Notes
`ictedgefund.com`	`host.docker.internal:8000`	Dashboard running natively on the host
`docs.ictedgefund.com`	`docs` container	Resolved via Docker DNS on the `web` network

HTTP (Port 80)¶

The HTTP server block handles two tasks:

ACME challenges -- serves /.well-known/acme-challenge/ from the certbot-webroot volume so certbot can complete domain validation
HTTPS redirect -- all other requests return a 301 redirect to https://

HTTPS -- ictedgefund.com¶

Proxies all traffic to the dashboard server on the host machine:

location / {
    proxy_pass http://host.docker.internal:8000;
}

HTTPS -- docs.ictedgefund.com¶

Proxies all traffic to the docs container:

location / {
    proxy_pass http://docs;
}

SSL Configuration¶

Setting	Value
Protocols	TLSv1.2, TLSv1.3
Ciphers	ECDHE suites
Session cache	Shared, 10m
Certificate path	`/etc/letsencrypt/live/ictedgefund.com/fullchain.pem`
Key path	`/etc/letsencrypt/live/ictedgefund.com/privkey.pem`

Security Headers¶

All HTTPS responses include the following headers:

Header	Value
`Strict-Transport-Security`	`max-age=31536000; includeSubDomains`
`X-Frame-Options`	`DENY`
`X-Content-Type-Options`	`nosniff`
`X-XSS-Protection`	`1; mode=block`
`Referrer-Policy`	`strict-origin-when-cross-origin`

Rate Limiting¶

Requests are rate-limited at 10 requests per second per client IP, with a burst allowance of 20 requests. This protects the dashboard and API from excessive load.

limit_req_zone $binary_remote_addr zone=main:10m rate=10r/s;
limit_req zone=main burst=20 nodelay;