events { worker_connections 1024; } http { # Rate limiting limit_req_zone $binary_remote_addr zone=api:10m rate=30r/s; # Redirect HTTP → HTTPS server { listen 80; server_name samosachaat.art www.samosachaat.art; return 301 https://$host$request_uri; } server { listen 443 ssl; server_name samosachaat.art www.samosachaat.art; ssl_certificate /etc/letsencrypt/live/samosachaat.art/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/samosachaat.art/privkey.pem; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; client_max_body_size 10M; # Auth service — only direct auth endpoints location /api/auth/ { limit_req zone=api burst=10 nodelay; proxy_pass http://auth:8001/auth/; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } # Grafana (optional) location /grafana/ { proxy_pass http://grafana:3000/; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } # Everything else → Frontend (Next.js) # Next.js handles its own /api/* routes (conversations, chat/stream) # and proxies to backend services internally via CHAT_API_URL env var location / { proxy_pass http://frontend:3000; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # SSE streaming support proxy_buffering off; proxy_cache off; proxy_read_timeout 300s; proxy_set_header Connection ''; chunked_transfer_encoding off; # WebSocket support proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } } }