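# HTTPS configuration for dev4.4nkweb.com
server {
    listen 443 ssl http2;
    server_name dev4.4nkweb.com;

    # TLS certificates
    ssl_certificate /etc/letsencrypt/live/dev4.4nkweb.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dev4.4nkweb.com/privkey.pem;

    # TLS settings
    ssl_protocols TLSv1.2 TLSv1.3;
    # NOTE(review): verify that every name in this list is known to the TLS
    # library in use (e.g. `openssl ciphers -v '<list>'`); names the library
    # does not recognise are silently skipped rather than rejected.
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # Security headers.
    # nginx does not merge add_header across configuration levels: a location
    # that declares any add_header of its own drops every server-level header.
    # The locations below that set CORS or cache headers therefore re-declare
    # these, otherwise their responses would go out without HSTS.
    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-XSS-Protection "1; mode=block" always;   # legacy header, kept for older clients

    # Grafana - monitoring UI (longest prefix wins, so order relative to
    # `location /` does not matter; kept here for readability)
    location /grafana/ {
        proxy_pass http://localhost:3005/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Grafana-specific header
        proxy_set_header X-Grafana-Org-Id 1;
        # WebSocket support for live updates
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # Timeouts
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
        # Buffer settings
        proxy_buffering off;
        proxy_request_buffering off;
    }

    # Loki API - log API
    # NOTE(review): this path is reachable from the Internet with a wildcard
    # CORS policy and no access control at this layer. Confirm that Loki itself
    # enforces authentication, or restrict access here (allow/deny, auth_basic,
    # or a client-certificate check) — the config alone cannot tell.
    location /loki/ {
        proxy_pass http://localhost:3100/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # CORS for requests coming from Grafana
        add_header Access-Control-Allow-Origin *;
        add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
        add_header Access-Control-Allow-Headers "Content-Type, Authorization";
        # Re-declared security headers (see the note at server level)
        add_header Strict-Transport-Security "max-age=63072000" always;
        add_header X-Frame-Options DENY always;
        add_header X-Content-Type-Options nosniff always;
        if ($request_method = 'OPTIONS') {
            return 204;
        }
    }

    # Service status page
    # Exact match: a plain prefix `/status` would also redirect /statusfoo
    # (same pattern as `location = /lecoffre` below).
    location = /status {
        return 301 /status/;
    }

    location /status/ {
        # Static server for the HTML page
        alias /var/www/lecoffre/status/;
        index index.html;
        try_files $uri $uri/ /status/index.html;
        # Security headers (re-declared; SAMEORIGIN here is intentional so the
        # page can be framed by this site)
        add_header Strict-Transport-Security "max-age=63072000" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;
        # Disable client-side caching of the page itself
        add_header Cache-Control "no-store, no-cache, must-revalidate, max-age=0" always;
        add_header Pragma "no-cache" always;
        expires -1;
        # Static assets may be cached for an hour
        location ~* \.(css|js|png|jpg|jpeg|gif|ico|svg)$ {
            expires 1h;
            add_header Cache-Control "public, immutable";
            # add_header here discards the parent's set, so repeat the
            # security headers
            add_header Strict-Transport-Security "max-age=63072000" always;
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header X-Content-Type-Options "nosniff" always;
        }
    }

    # Service status API (longer prefix than /status/, so it wins for /status/api...)
    location /status/api {
        proxy_pass http://localhost:3006/api;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # CORS for AJAX requests
        add_header Access-Control-Allow-Origin *;
        add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
        add_header Access-Control-Allow-Headers "Content-Type, Authorization";
        # Disable proxy/client caching
        proxy_no_cache 1;
        proxy_cache_bypass 1;
        add_header Cache-Control "no-store, no-cache, must-revalidate, max-age=0" always;
        add_header Pragma "no-cache" always;
        # Re-declared security headers (see the note at server level)
        add_header Strict-Transport-Security "max-age=63072000" always;
        add_header X-Frame-Options DENY always;
        add_header X-Content-Type-Options nosniff always;
        # Timeouts
        proxy_connect_timeout 10s;
        proxy_send_timeout 10s;
        proxy_read_timeout 10s;
        if ($request_method = 'OPTIONS') {
            return 204;
        }
    }

    # Backend API - /back/... is forwarded as /api/... on the backend.
    # A prefix location replaces the former `~* ^/back/(.*)$` + `$1` capture:
    # with a variable in proxy_pass nginx dropped the query string (the capture
    # only covers $uri) and required a runtime `resolver` to look up
    # "localhost". The prefix form keeps the query string, needs no resolver and
    # lets nginx re-escape the URI. Matching is now case-sensitive (/back/ only).
    location /back/ {
        proxy_pass http://localhost:8080/api/;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Connection "";
        proxy_buffering off;
    }

    # Direct API - /api/ to the backend
    # Dynamic CORS: only the two known origins are reflected (anchored regex, so
    # look-alike hosts such as dev4.4nkweb.com.evil.example do not match).
    set $cors_origin "";
    if ($http_origin ~* ^(http://local\.4nkweb\.com:3000|https://dev4\.4nkweb\.com)$) {
        set $cors_origin $http_origin;
    }

    location /api/ {
        # CORS for local Next.js development; strip whatever the backend sends
        # so that only the headers set here reach the browser
        proxy_hide_header Access-Control-Allow-Origin;
        proxy_hide_header Access-Control-Allow-Credentials;
        proxy_hide_header Access-Control-Allow-Headers;
        proxy_hide_header Access-Control-Allow-Methods;
        if ($request_method = OPTIONS) {
            # Preflight: an empty $cors_origin means no header is emitted, i.e. the
            # origin is refused
            add_header Access-Control-Allow-Origin $cors_origin always;
            add_header Access-Control-Allow-Credentials "true" always;
            add_header Access-Control-Allow-Headers "Content-Type, x-session-id, Authorization" always;
            add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
            add_header Strict-Transport-Security "max-age=63072000" always;
            return 204;
        }
        add_header Access-Control-Allow-Origin $cors_origin always;
        add_header Access-Control-Allow-Credentials "true" always;
        add_header Access-Control-Allow-Headers "Content-Type, x-session-id, Authorization" always;
        add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
        # Re-declared security headers (see the note at server level)
        add_header Strict-Transport-Security "max-age=63072000" always;
        add_header X-Frame-Options DENY always;
        add_header X-Content-Type-Options nosniff always;
        proxy_pass http://localhost:8080/api/;
        include /etc/nginx/proxy_params;
        proxy_read_timeout 300;
        proxy_connect_timeout 300;
        proxy_send_timeout 300;
    }

    # WebSocket relay (sdk_relay)
    location /ws/ {
        proxy_pass http://localhost:8090/;
        proxy_set_header Sec-WebSocket-Key $http_sec_websocket_key;
        proxy_set_header Sec-WebSocket-Version $http_sec_websocket_version;
        proxy_set_header Sec-WebSocket-Protocol $http_sec_websocket_protocol;
        proxy_set_header Sec-WebSocket-Extensions $http_sec_websocket_extensions;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # Long-lived connections: one day
        proxy_read_timeout 86400;
    }

    # Funds transfer API
    location /api/v1/funds/ {
        proxy_pass http://localhost:8080/api/v1/funds/;
        include /etc/nginx/proxy_params;
        proxy_read_timeout 300;
        proxy_connect_timeout 300;
        proxy_send_timeout 300;
    }

    # favicon
    location = /favicon.ico {
        root /home/debian/lecoffre_node/conf/nginx/assets;
        try_files /favicon.ico =404;
    }

    # blindbit
    location /blindbit/ {
        proxy_pass http://localhost:8000/;
        include /etc/nginx/proxy_params;
    }

    # lecoffre-front - LeCoffre application
    # Force the trailing slash to avoid redirect loops and 500s on the Next.js side
    location = /lecoffre {
        return 301 /lecoffre/;
    }

    # `^~` stops regex locations from overriding this prefix
    location ^~ /lecoffre/ {
        # basePath handling is delegated to Next.js, hence no URI in proxy_pass
        proxy_pass http://localhost:3004;
        include /etc/nginx/proxy_params;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 300;
        proxy_send_timeout 300;
        proxy_connect_timeout 300;
    }

    # ihm_client (root) - catch-all for everything not matched above
    location / {
        proxy_pass http://localhost:3003;
        include /etc/nginx/proxy_params;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 300;
    }
}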