events { worker_connections 1024; } http { include /etc/nginx/mime.types; default_type application/octet-stream; sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 65; types_hash_max_size 2048; client_max_body_size 250M; # Map uploads up to 200MB + overhead # Proxy buffer sizing — prevents JWT/large-header truncation on redirect proxy_buffer_size 128k; proxy_buffers 4 256k; proxy_busy_buffers_size 256k; # Gzip gzip on; gzip_types text/plain text/css application/json application/javascript text/xml; # Logging access_log /var/log/nginx/access.log; error_log /var/log/nginx/error.log; # Rate limiting zones limit_req_zone $binary_remote_addr zone=auth:10m rate=5r/s; limit_req_zone $binary_remote_addr zone=api:10m rate=30r/s; # Upstream API upstream api { server api:3000; } # Main server — panel.corrosionmgmt.com server { listen 80; server_name panel.corrosionmgmt.com; # API proxy location /api/ { limit_req zone=api burst=50 nodelay; proxy_pass http://api; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # WebSocket support for console streaming proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } # Auth endpoints — stricter rate limiting location /api/auth/ { limit_req zone=auth burst=10 nodelay; proxy_pass http://api; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } # Frontend SPA location / { root /usr/share/nginx/html; try_files $uri $uri/ /index.html; add_header X-Content-Type-Options "nosniff" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-XSS-Protection "1; mode=block" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; } } # Marketing site — corrosionmgmt.com (bare domain) server { listen 80; server_name corrosionmgmt.com; # Early access signup API location /api/early-access/ { limit_req zone=api burst=10 nodelay; proxy_pass http://api; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } # SPA location / { root /usr/share/nginx/html; try_files $uri $uri/ /index.html; add_header X-Content-Type-Options "nosniff" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-XSS-Protection "1; mode=block" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; } } # Wildcard server — *.corrosionmgmt.com (public server sites) server { listen 80; server_name *.corrosionmgmt.com; # Public API proxy (subset of endpoints) location /api/public/ { limit_req zone=api burst=50 nodelay; proxy_pass http://api; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } # Store API proxy location /api/store/ { limit_req zone=api burst=20 nodelay; proxy_pass http://api; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } # PayPal webhook location /api/store/webhook/ { proxy_pass http://api; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } # Public site frontend location / { root /usr/share/nginx/html; try_files $uri $uri/ /index.html; add_header X-Content-Type-Options "nosniff" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-XSS-Protection "1; mode=block" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; } } # Status page — status.corrosionmgmt.com server { listen 80; server_name status.corrosionmgmt.com; location /api/public/ { proxy_pass http://api; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } location / { root /usr/share/nginx/html; try_files $uri $uri/ /index.html; add_header X-Content-Type-Options "nosniff" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-XSS-Protection "1; mode=block" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; } } # Map file downloads — direct file serving with sendfile server { listen 80; server_name api.corrosionmgmt.com; location /maps/ { alias /data/maps/; sendfile on; tcp_nopush on; aio on; } location / { proxy_pass http://api; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } } }