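# Reverse-proxy configuration: one API vhost, one admin-panel vhost, both
# fronting the same `backend:3000` service, plus a catch-all that drops
# requests for any Host name not listed here.

events {
    worker_connections 1024;
}

http {
    # Do not advertise the nginx version in the Server header or error pages.
    server_tokens off;

    # Rate limiting, keyed on the TCP peer address (not on any client header,
    # so it cannot be spoofed via X-Forwarded-For).
    # NOTE(review): if this nginx sits behind another proxy or load balancer,
    # every client shares one peer address and these zones throttle everyone
    # together — the real_ip module would be needed in that deployment. Verify.
    limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;
    limit_req_zone $binary_remote_addr zone=admin_limit:10m rate=5r/s;

    # Send "Connection: upgrade" to the backend only when the client actually
    # asked for an upgrade (WebSocket handshake); ordinary requests get "close".
    # Unconditionally sending "Connection: upgrade" without an Upgrade header
    # is malformed and confuses some HTTP/1.1 servers.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    # Upstream backends
    upstream api_backend {
        server backend:3000;
    }

    upstream admin_frontend {
        server frontend:80;
    }

    # Redirect HTTP to HTTPS (uncomment for production with SSL).
    # Use $host rather than $server_name in the Location: $server_name is the
    # first name listed, so multi-name vhosts would redirect to the wrong host.
    # server {
    #     listen 80;
    #     server_name yourdomain.com;
    #     return 301 https://$host$request_uri;
    # }

    # API Server
    server {
        listen 80;
        # listen 443 ssl http2;  # Uncomment for HTTPS
        server_name api.yourdomain.com localhost;

        # SSL Configuration (uncomment and configure for production).
        # The cipher list below is ECDHE/AEAD only; "HIGH:!aNULL:!MD5" still
        # allows non-forward-secret RSA key exchange and CBC suites on TLS 1.2.
        # ssl_certificate     /etc/nginx/ssl/cert.pem;
        # ssl_certificate_key /etc/nginx/ssl/key.pem;
        # ssl_protocols       TLSv1.2 TLSv1.3;
        # ssl_ciphers         ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
        # ssl_prefer_server_ciphers off;
        # Enable HSTS only once every name on this vhost is served over valid TLS;
        # browsers ignore it on plain HTTP, so it is harmless before then.
        # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

        # Security headers.
        # nginx quirk: an add_header inside a location REPLACES the whole set
        # inherited from server level, so keep every add_header here (or repeat
        # the full set inside any location that needs its own).
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        # "0" disables the legacy browser XSS auditor. "1; mode=block" is
        # deprecated and the auditor itself has been abused to leak cross-site
        # data in older browsers; a CSP is the modern replacement.
        add_header X-XSS-Protection "0" always;
        # Send only the origin to other sites; never downgrade to a full URL
        # ("no-referrer-when-downgrade" leaks the full path cross-origin over HTTPS).
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;

        # Logging
        access_log /var/log/nginx/api_access.log;
        error_log  /var/log/nginx/api_error.log;

        # API endpoints
        location /api/ {
            limit_req zone=api_limit burst=20 nodelay;
            proxy_pass http://api_backend;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header Host $host;
            # $proxy_add_x_forwarded_for APPENDS to whatever X-Forwarded-For the
            # client sent, so the backend must only trust the rightmost entry;
            # X-Real-IP is the peer address nginx itself observed.
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_cache_bypass $http_upgrade;

            # Timeouts
            proxy_connect_timeout 60s;
            proxy_send_timeout    60s;
            proxy_read_timeout    60s;
        }

        # WebSocket endpoint: long read timeout so idle sockets are not closed
        # by the proxy after the default 60s.
        location /ws/ {
            proxy_pass http://api_backend;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_read_timeout 3600s;
        }

        # Health check (no rate limit, not logged).
        # NOTE(review): this is reachable by anyone who can reach port 80;
        # confirm the backend's /health response contains nothing sensitive
        # (versions, dependency hostnames, config) before exposing it publicly.
        location /health {
            proxy_pass http://api_backend;
            proxy_http_version 1.1;
            access_log off;
        }
    }

    # Admin Panel Server
    server {
        listen 80;
        # listen 443 ssl http2;  # Uncomment for HTTPS
        # "localhost" is deliberately NOT listed here: the API server above
        # already claims it, and nginx routes a name to the first vhost that
        # declares it (logging "conflicting server name ... ignored" for the
        # duplicate). Listing it here would never have matched.
        server_name admin.yourdomain.com;

        # SSL Configuration (same as above)
        # ssl_certificate     /etc/nginx/ssl/cert.pem;
        # ssl_certificate_key /etc/nginx/ssl/key.pem;

        # NOTE(review): nothing in this file restricts who may reach the admin
        # panel; if the frontend/backend do not enforce authentication on every
        # route themselves, restrict it at the proxy, e.g.:
        # allow 10.0.0.0/8;
        # deny  all;

        # Security headers (same set as the API vhost; see the note there on
        # add_header inheritance).
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "0" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;

        # Logging
        access_log /var/log/nginx/admin_access.log;
        error_log  /var/log/nginx/admin_error.log;

        location /api/ {
            limit_req zone=api_limit burst=20 nodelay;
            proxy_pass http://api_backend;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_cache_bypass $http_upgrade;
        }

        location /ws/ {
            proxy_pass http://api_backend;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_read_timeout 3600s;
        }

        # Admin frontend (static assets / SPA) with the stricter rate limit.
        location / {
            limit_req zone=admin_limit burst=10 nodelay;
            proxy_pass http://admin_frontend;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
        }
    }

    # Default server (catch-all): requests whose Host matches no vhost above
    # (bare IP, scanners, unknown names) get the connection closed with no
    # response. When TLS is enabled, add a matching `listen 443 ssl default_server`
    # block so HTTPS requests for unknown names are dropped the same way.
    server {
        listen 80 default_server;
        server_name _;
        return 444;  # Close connection without response
    }
}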