From c4a832897b763dbf3a6cf4abffd5dd374bbb3bb2 Mon Sep 17 00:00:00 2001
From: "m.imanpour"
Date: Wed, 10 Dec 2025 01:38:10 +0330
Subject: [PATCH] turning https
---
 docker-compose.yml | 8 +++-----
 nginx.conf | 5 +++++
 nginx_user_conf.d/hospital.conf | 13 ++++++++++++-
 3 files changed, 20 insertions(+), 6 deletions(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index 13ac7ec..2e3a588 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -6,7 +6,7 @@ services:
 expose:
 - "80"
 healthcheck:
- test: ["CMD", "curl", "-f", "http://localhost:80"] # Use curl (now installed) for reliable check; -f fails on non-200
+ test: ["CMD", "curl", "-f", "http://localhost:80"]
 interval: 30s
 timeout: 10s
 retries: 3
@@ -19,16 +19,14 @@ services:
 container_name: hospital-nginx
 restart: unless-stopped
 ports:
- - 4200:80
- # Optional: Add for HTTPS - "4201:443" (or standard 443 if you change ports)
+ - 4200:443 # HTTPS on host port 4200 (access via https://hospital.networkwizard.xyz:4200)
 environment:
 - CERTBOT_EMAIL=test@test.com
 - ENVSUBST_TEMPLATE_SUFFIX=.tmpl
- - CERTBOT_DISABLED=true # Set to false to enable auto-SSL (requires domain pointing to port 80)
+ - CERTBOT_DISABLED=true
 volumes:
 - ./nginx_user_conf.d:/etc/nginx/user_conf.d:ro
 - letsencrypt:/etc/letsencrypt
- # Adjust these cert paths to your server's actual location
 - /home/devroot/HIS/certs/fullchain.pem:/etc/nginx/ssl/origin_cert.pem:ro
 - /home/devroot/HIS/certs/prvkey.pem:/etc/nginx/ssl/origin_key.key:ro
 depends_on:
diff --git a/nginx.conf b/nginx.conf
index 42520a3..3f576f9 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -20,4 +20,9 @@ server {
 add_header X-Content-Type-Options nosniff;
 add_header X-Frame-Options DENY;
 add_header X-XSS-Protection "1; mode=block";
+}
+server {
+ listen 80;
+ server_name hospital.networkwizard.xyz;
+ return 301 https://$host$request_uri;
 }
\ No newline at end of file
diff --git a/nginx_user_conf.d/hospital.conf b/nginx_user_conf.d/hospital.conf
index e712afd..c2ca580 100644
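Review bot: The new mapping `- 4200:443` in the `ports:` list publishes only the TLS listener, so nothing on the host reaches container port 80 any more and a client that speaks plain HTTP to port 4200 gets nginx's "plain HTTP request was sent to HTTPS port" error instead of a redirect; if a redirect is wanted, either publish port 80 as well or handle it in the 443 server block. The mapping is also written as a plain scalar, and Compose recommends quoting port mappings so a YAML parser cannot retype them: `- "4200:443"`. The removed comments were the only explanation of why `CERTBOT_DISABLED=true` is set and where the certificate files come from; a short replacement such as `# certbot off: TLS uses the bind-mounted cert/key below` would keep that visible. The service definition starts and ends outside the hunk.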
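Review bot: The redirect target in the added `listen 80` block drops the port: `$host` carries no port, so `return 301 https://$host$request_uri;` sends clients to port 443, while docker-compose.yml in this same patch publishes HTTPS on host port 4200 only. Unless something else in front listens on 443, the line would need the port spelled out, `return 301 https://$host:4200$request_uri;`. It is also not visible here which container loads nginx.conf; if it is the `hospital-app` upstream, proxied requests arrive with `Host: hospital.networkwizard.xyz` (hospital.conf forwards `$host`) and may match this block and loop on the 301, which is worth confirming before merge. The first server block starts outside the hunk, so its `server_name` cannot be checked from here.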
--- a/nginx_user_conf.d/hospital.conf
+++ b/nginx_user_conf.d/hospital.conf
@@ -1,7 +1,18 @@
 server {
- listen 80;
+ listen 443 ssl;
 server_name hospital.networkwizard.xyz;
+ # Reference your mounted custom certs
+ ssl_certificate /etc/nginx/ssl/origin_cert.pem;
+ ssl_certificate_key /etc/nginx/ssl/origin_key.key;
+
+ # Recommended SSL settings for security
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+
 location / {
 proxy_pass http://hospital-app:80;
 proxy_set_header Host $host;
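Review bot: The `ssl_ciphers` string is wider than the "Recommended SSL settings" comment above it suggests: `AES256+EECDH` and `AES256+EDH` also admit CBC-mode suites for TLS 1.2, and the `EDH` entries do nothing unless `ssl_dhparam` is set somewhere, which this block does not do (nginx offers no DHE suites without it). Restricting the list to AEAD suites, for example `ssl_ciphers "EECDH+AESGCM:EECDH+CHACHA20";`, keeps the stated intent. The `location /` block continues past the end of the hunk, so it is not visible whether `proxy_set_header X-Forwarded-Proto $scheme;` is passed to `hospital-app`; the upstream may need it to know the original request was HTTPS now that TLS ends here.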