events { worker_connections 1024; } http { # Rate limiting limit_req_zone $binary_remote_addr zone=api:10m rate=30r/s; # Redirect HTTP → HTTPS server { listen 80; server_name samosachaat.art www.samosachaat.art; return 301 https://$host$request_uri; } server { listen 443 ssl; server_name samosachaat.art www.samosachaat.art; ssl_certificate /etc/letsencrypt/live/samosachaat.art/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/samosachaat.art/privkey.pem; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; client_max_body_size 10M; # Auth service location /api/auth/ { limit_req zone=api burst=10 nodelay; proxy_pass http://auth:8001/auth/; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } # Chat API — SSE streaming needs special handling location /api/ { limit_req zone=api burst=20 nodelay; proxy_pass http://chat-api:8002/api/; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # SSE support proxy_buffering off; proxy_cache off; proxy_read_timeout 300s; proxy_set_header Connection ''; chunked_transfer_encoding off; } # Frontend (Next.js) location / { proxy_pass http://frontend:3000; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # WebSocket support (Next.js HMR in dev, general) proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } # Grafana (optional, if monitoring is running) location /grafana/ { proxy_pass http://grafana:3000/; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } } }