# =============================================================================
# SmartTalker — Nginx Reverse Proxy Configuration
# =============================================================================
# Upstream application server (plain HTTP; `core` is presumably the compose
# service name — confirm).
# Security note: this hop is unencrypted and the X-Real-IP / X-Forwarded-*
# headers set in the server blocks below are only trustworthy if clients
# cannot reach core:8000 directly. Keep it unmapped on the host so that
# nothing but this proxy can talk to it, otherwise those headers are spoofable.
upstream smarttalker {
    server core:8000;
}
# Rate limiting zone: 30 req/s per client address, 10 MB of shared state
# (roughly 160k tracked addresses before nginx starts evicting).
# NOTE(review): keyed on $binary_remote_addr. Behind a load balancer or CDN
# every request carries the LB's address, so one bucket is shared by all
# clients — configure set_real_ip_from / real_ip_header for that hop first.
# Also: the zone is only referenced from the commented-out 443 block below;
# nothing in the active port-80 server is rate limited.
limit_req_zone $binary_remote_addr zone=api:10m rate=30r/s;
# ── HTTP (port 80): ACME challenge + plain-HTTP proxy (dev) ─────────────────
# NOTE(review): despite the earlier title, nothing in this block redirects to
# HTTPS. Once the 443 block below is enabled, replace the catch-all
# `location /` proxy with a redirect so credentials and tokens are never
# accepted over cleartext (keep the ACME location above it — certbot's
# HTTP-01 validation arrives on port 80):
#     location / { return 301 https://$host$request_uri; }
server {
    listen 80;
    # nginx does not expand ${...} itself; this file presumably goes through an
    # envsubst pass (e.g. the official image's /etc/nginx/templates/ mechanism)
    # — confirm, and make sure that pass substitutes only DOMAIN_NAME, or the
    # nginx variables below ($host, $scheme, ...) get blanked as well.
    server_name ${DOMAIN_NAME};
    # Let's Encrypt challenge (must stay reachable without auth or redirect)
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    # In dev mode (no SSL), proxy directly.
    # NOTE(review): this catch-all also forwards /metrics, /docs and
    # /openapi.json unrestricted, and neither `limit_req` nor a
    # `client_max_body_size` applies here (nginx's default is 1m, so larger
    # uploads get 413 in dev while the 443 block allows 50M).
    location / {
        proxy_pass http://smarttalker;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for APPENDS to any X-Forwarded-For the client
        # sent, so the app must trust only the right-most entry (or X-Real-IP),
        # never the first.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
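# ── HTTPS server (production with SSL) ──────────────────────────────────────
# Uncomment this block after obtaining SSL certificates with certbot, then turn
# the port-80 `location /` above into `return 301 https://$host$request_uri;`
# (keep the ACME location) so nothing is served over cleartext.
#
# Changes vs. the earlier template: forward-secret cipher list, security
# headers restated where a location overrides them, explicit 404 for unmatched
# paths, /metrics denied by default, rate limiting on every proxied location.
#
# server {
#     # `http2` as a listen parameter is deprecated since nginx 1.25.1 in favour
#     # of a separate `http2 on;` — use whichever form your nginx accepts.
#     listen 443 ssl http2;
#     server_name ${DOMAIN_NAME};
#     server_tokens off;   # do not advertise the nginx version in Server/error pages
#
#     # SSL certificates (Let's Encrypt)
#     ssl_certificate     /etc/letsencrypt/live/${DOMAIN_NAME}/fullchain.pem;
#     ssl_certificate_key /etc/letsencrypt/live/${DOMAIN_NAME}/privkey.pem;
#
#     # TLS settings. `HIGH:!aNULL:!MD5` still admitted static-RSA key exchange
#     # and CBC suites (no forward secrecy); restrict TLS 1.2 to ECDHE + AEAD.
#     # TLS 1.3 suites are not governed by ssl_ciphers and keep their defaults.
#     ssl_protocols TLSv1.2 TLSv1.3;
#     ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
#     ssl_prefer_server_ciphers off;   # every listed suite is acceptable; let the client pick
#     ssl_session_cache shared:SSL:10m;
#     ssl_session_timeout 10m;
#     # Without ssl_session_ticket_key, nginx encrypts tickets with a key it
#     # generates at startup and never rotates, which weakens forward secrecy
#     # for the process lifetime; disable tickets unless you rotate that key.
#     ssl_session_tickets off;
#
#     # Security headers (defense in depth — also set at app level).
#     # nginx gotcha: an `add_header` inside a location REPLACES every inherited
#     # add_header, so any location that sets its own header (see /files/)
#     # must repeat these.
#     add_header X-Content-Type-Options nosniff always;
#     add_header X-Frame-Options DENY always;
#     add_header Content-Security-Policy "frame-ancestors 'none'" always;
#     # The legacy XSS auditor is gone from modern browsers and was itself a
#     # side-channel vector in old ones; "0" explicitly disables it.
#     add_header X-XSS-Protection "0" always;
#     add_header Referrer-Policy strict-origin-when-cross-origin always;
#     # includeSubDomains pins EVERY subdomain to HTTPS for two years — keep it
#     # only if all subdomains already serve TLS.
#     add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
#
#     # Max upload size (enforce a matching limit in the app as well)
#     client_max_body_size 50M;
#
#     # Gzip compression. Compressing a response that mixes a secret (session or
#     # CSRF token) with attacker-influenced input enables BREACH; fine for
#     # static assets, review before compressing authenticated JSON.
#     gzip on;
#     gzip_types text/plain application/json application/javascript text/css;
#     gzip_min_length 256;
#
#     # ── API endpoints ───────────────────────────────────────────────────
#     location /api/ {
#         limit_req zone=api burst=20 nodelay;
#         proxy_pass http://smarttalker;
#         proxy_set_header Host $host;
#         proxy_set_header X-Real-IP $remote_addr;
#         # Appends to any client-supplied X-Forwarded-For: the app must trust
#         # only the right-most entry (or X-Real-IP), never the first.
#         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#         proxy_set_header X-Forwarded-Proto $scheme;
#     }
#
#     # ── API docs ────────────────────────────────────────────────────────
#     # These publish the full API schema to anyone. Acceptable for a public
#     # API; otherwise restrict by IP (allow/deny as for /metrics below) or
#     # disable the docs routes in the app for production.
#     location /docs {
#         limit_req zone=api burst=20 nodelay;
#         proxy_pass http://smarttalker;
#         proxy_set_header Host $host;
#         proxy_set_header X-Real-IP $remote_addr;
#         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#         proxy_set_header X-Forwarded-Proto $scheme;
#     }
#
#     location /redoc {
#         limit_req zone=api burst=20 nodelay;
#         proxy_pass http://smarttalker;
#         proxy_set_header Host $host;
#         proxy_set_header X-Real-IP $remote_addr;
#         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#         proxy_set_header X-Forwarded-Proto $scheme;
#     }
#
#     # Exact match: the earlier prefix form also matched /openapi.json<anything>.
#     location = /openapi.json {
#         limit_req zone=api burst=20 nodelay;
#         proxy_pass http://smarttalker;
#         proxy_set_header Host $host;
#         proxy_set_header X-Real-IP $remote_addr;
#         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#         proxy_set_header X-Forwarded-Proto $scheme;
#     }
#
#     # ── WebSocket ───────────────────────────────────────────────────────
#     location /ws/ {
#         limit_req zone=api burst=20 nodelay;   # throttles handshakes, not frames
#         proxy_pass http://smarttalker;
#         proxy_http_version 1.1;
#         proxy_set_header Upgrade $http_upgrade;
#         proxy_set_header Connection "upgrade";
#         proxy_set_header Host $host;
#         proxy_set_header X-Real-IP $remote_addr;
#         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#         proxy_set_header X-Forwarded-Proto $scheme;
#         # Idle sockets are closed after 300s of silence in either direction;
#         # the app or client needs ping/pong inside that window.
#         proxy_read_timeout 300s;
#         proxy_send_timeout 300s;
#     }
#
#     # ── Static files ────────────────────────────────────────────────────
#     # Both the location and the alias end in "/" — keep it that way; dropping
#     # either slash is the classic alias path-traversal misconfiguration.
#     location /files/ {
#         alias /app/files/;
#         expires 1h;
#         add_header Cache-Control "public, no-transform";
#         # add_header above discards the server-level headers; restate the
#         # ones that matter for downloaded content.
#         add_header X-Content-Type-Options nosniff always;
#         add_header X-Frame-Options DENY always;
#         add_header Content-Security-Policy "frame-ancestors 'none'" always;
#         add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
#         # NOTE(review): if /app/files/ holds user uploads, also consider
#         #   add_header Content-Disposition "attachment";
#         # so uploaded HTML/SVG is never rendered inside the site's origin.
#     }
#
#     # ── Frontend ────────────────────────────────────────────────────────
#     location /app/ {
#         alias /app/frontend/;
#         # SPA fallback. NOTE(review): try_files inside an alias location has
#         # documented quirks in nginx — verify that a deep link such as
#         # /app/some/route really resolves to /app/frontend/index.html.
#         try_files $uri $uri/ /app/index.html;
#         expires 1d;
#     }
#
#     # Anything not matched above is NOT forwarded to the app. Without this,
#     # unmatched paths (including "/") would be served from nginx's built-in
#     # html root instead of returning an error.
#     location / {
#         return 404;
#     }
#
#     # ── Metrics (internal only) ─────────────────────────────────────────
#     # Deny by default. Exact match (the earlier prefix form also matched
#     # /metrics-anything) and only loopback / RFC 1918 sources are allowed.
#     # allow/deny evaluate $remote_addr: if an LB or CDN sits in front,
#     # configure set_real_ip_from + real_ip_header or every client arrives as
#     # the LB; and note that Docker bridge traffic falls inside 172.16.0.0/12.
#     location = /metrics {
#         allow 127.0.0.1;
#         allow 10.0.0.0/8;
#         allow 172.16.0.0/12;
#         allow 192.168.0.0/16;
#         deny all;
#         proxy_pass http://smarttalker;
#         proxy_set_header Host $host;
#         proxy_set_header X-Real-IP $remote_addr;
#     }
# }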