feat: implement SSL support with Let's Encrypt and update Nginx configuration

nginx/nginx.conf

@@ -6,12 +6,35 @@ upstream frontend {
     server frontend:5173;
 }
 
+# ── HTTP: ACME challenge + redirect to HTTPS ──
 server {
     listen 80;
-    server_name localhost 127.0.0.1 178.104.57.123 dociva.io www.dociva.io;
+    server_name dociva.io www.dociva.io;
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+# ── HTTPS ──
+server {
+    listen 443 ssl;
+    server_name dociva.io www.dociva.io;
     client_max_body_size 100M;
 
+    # SSL certificates (Let's Encrypt)
+    ssl_certificate /etc/letsencrypt/live/dociva.io/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/dociva.io/privkey.pem;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_prefer_server_ciphers on;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
+
     # Security headers
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
     add_header X-Frame-Options "SAMEORIGIN" always;
     add_header X-Content-Type-Options "nosniff" always;
     add_header X-XSS-Protection "1; mode=block" always;
@@ -33,7 +56,7 @@ server {
         proxy_connect_timeout 60s;
     }
 
-    # Frontend (Vite dev server in dev, static in prod)
+    # Frontend (Vite dev server)
     location / {
         proxy_pass http://frontend;
         proxy_set_header Host $host;