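# Plain-HTTP (port 80) virtual host for dev4.4nkweb.com.
# Serves ACME HTTP-01 challenges, redirects unmatched requests to HTTPS and
# reverse-proxies a set of backend, monitoring and frontend paths.
#
# NOTE(review): every proxied location below is reachable over cleartext HTTP,
# including the funds-transfer API, Grafana and Loki. Session ids and
# Authorization headers sent to these paths are not protected in transit.
# Consider moving them to the HTTPS server and leaving only the ACME location
# and the redirect here.
server {
    listen 80;
    # server_name takes bare host names, without a scheme.
    server_name dev4.4nkweb.com;

    # ACME HTTP-01 challenges
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    # Redirect every request not matched by a more specific location to HTTPS.
    # nginx refuses to load a server that declares `location /` twice, so this
    # is the only active `location /`; the ihm_client proxy that also claimed
    # `/` is kept as a comment further down.
    location / {
        return 301 https://$server_name$request_uri;
    }

    # Backend API - maps /back/<path> to /api/<path> on the backend.
    # A proxy_pass that contains variables is resolved at request time and a
    # host name there requires a `resolver`, so the loopback IP is used.
    # In this form the query string is not appended automatically, hence
    # $is_args$args.
    location ~* ^/back/(.*)$ {
        proxy_pass http://127.0.0.1:8080/api/$1$is_args$args;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Connection "";
        proxy_buffering off;
    }

    # Dynamic CORS allow-list: $cors_origin echoes the request Origin only when
    # it matches one of the known origins, otherwise it stays empty and nginx
    # emits no Access-Control-Allow-Origin header.
    # NOTE(review): http://local.4nkweb.com:3000 is a cleartext development
    # origin that is allowed credentialed access; confirm it should be accepted
    # on this host.
    set $cors_origin "";
    if ($http_origin ~* ^(http://local\.4nkweb\.com:3000|https://dev4\.4nkweb\.com)$) {
        set $cors_origin $http_origin;
    }

    # Direct API - routes /api/ to the backend
    location /api/ {
        # CORS for local Next.js development.
        # Strip the backend's own CORS headers so only the ones set here apply.
        proxy_hide_header Access-Control-Allow-Origin;
        proxy_hide_header Access-Control-Allow-Credentials;
        proxy_hide_header Access-Control-Allow-Headers;
        proxy_hide_header Access-Control-Allow-Methods;

        # Preflight requests are answered here and never reach the backend.
        if ($request_method = OPTIONS) {
            add_header Access-Control-Allow-Origin $cors_origin always;
            add_header Access-Control-Allow-Credentials "true" always;
            add_header Access-Control-Allow-Headers "Content-Type, x-session-id, Authorization" always;
            add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
            # The allowed origin depends on the request, so caches must key on it.
            add_header Vary "Origin" always;
            return 204;
        }

        add_header Access-Control-Allow-Origin $cors_origin always;
        add_header Access-Control-Allow-Credentials "true" always;
        add_header Access-Control-Allow-Headers "Content-Type, x-session-id, Authorization" always;
        add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
        # The allowed origin depends on the request, so caches must key on it.
        add_header Vary "Origin" always;

        proxy_pass http://localhost:8080/api/;
        include /etc/nginx/proxy_params;
        proxy_read_timeout 300;
        proxy_connect_timeout 300;
        proxy_send_timeout 300;
    }

    # Compatibility: some clients call /apiv1 -> rewritten to /api/v1.
    # Loopback IP and $is_args$args for the same reasons as the /back/ location.
    location ~* ^/apiv1/(.*)$ {
        # CORS for compatibility
        proxy_hide_header Access-Control-Allow-Origin;
        proxy_hide_header Access-Control-Allow-Credentials;
        proxy_hide_header Access-Control-Allow-Headers;
        proxy_hide_header Access-Control-Allow-Methods;

        if ($request_method = OPTIONS) {
            add_header Access-Control-Allow-Origin $cors_origin always;
            add_header Access-Control-Allow-Credentials "true" always;
            add_header Access-Control-Allow-Headers "Content-Type, x-session-id, Authorization" always;
            add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
            add_header Vary "Origin" always;
            return 204;
        }

        add_header Access-Control-Allow-Origin $cors_origin always;
        add_header Access-Control-Allow-Credentials "true" always;
        add_header Access-Control-Allow-Headers "Content-Type, x-session-id, Authorization" always;
        add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
        add_header Vary "Origin" always;

        proxy_pass http://127.0.0.1:8080/api/v1/$1$is_args$args;
        include /etc/nginx/proxy_params;
        proxy_read_timeout 300;
        proxy_connect_timeout 300;
        proxy_send_timeout 300;
    }

    # WebSocket relay (sdk_relay)
    location /ws/ {
        proxy_pass http://localhost:8090/;
        # Forward the client's WebSocket handshake headers unchanged.
        proxy_set_header Sec-WebSocket-Key $http_sec_websocket_key;
        proxy_set_header Sec-WebSocket-Version $http_sec_websocket_version;
        proxy_set_header Sec-WebSocket-Protocol $http_sec_websocket_protocol;
        proxy_set_header Sec-WebSocket-Extensions $http_sec_websocket_extensions;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 300;
    }

    # Funds transfer API.
    # Longer prefix than /api/, so it wins over that location and none of the
    # CORS handling defined there applies to these requests.
    location /api/v1/funds/ {
        proxy_pass http://localhost:8080/api/v1/funds/;
        include /etc/nginx/proxy_params;
        proxy_read_timeout 300;
        proxy_connect_timeout 300;
        proxy_send_timeout 300;
    }

    # Grafana - monitoring UI.
    # (The author keeps this ahead of `location /`; nginx selects prefix
    # locations by longest match, not by their order in the file.)
    location /grafana/ {
        proxy_pass http://localhost:3005/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Grafana-specific: every proxied request carries org id 1.
        proxy_set_header X-Grafana-Org-Id 1;

        # WebSocket support for live updates
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Timeouts
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;

        # Buffer settings
        proxy_buffering off;
        proxy_request_buffering off;
    }

    # Loki API - log API.
    # NOTE(review): this location adds no authentication or source-address
    # restriction, and the wildcard Access-Control-Allow-Origin lets any web
    # origin read responses. Loki ships without an authentication layer of its
    # own, so confirm access is restricted elsewhere (allow/deny, auth_basic,
    # firewall) or narrow it here, e.g. by reusing $cors_origin.
    location /loki/ {
        proxy_pass http://localhost:3100/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # CORS for requests coming from Grafana
        add_header Access-Control-Allow-Origin *;
        add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
        add_header Access-Control-Allow-Headers "Content-Type, Authorization";

        if ($request_method = 'OPTIONS') {
            return 204;
        }
    }

    # Service status page
    location /status {
        # Redirect to /status/
        return 301 /status/;
    }

    location /status/ {
        # Static files for the HTML page
        alias /var/www/lecoffre/status/;
        index index.html;
        try_files $uri $uri/ /status/index.html;

        # Security headers
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;

        # Cache for static assets.
        # add_header directives are inherited from the enclosing level only
        # when the current level defines none, so the security headers are
        # repeated here next to Cache-Control.
        location ~* \.(css|js|png|jpg|jpeg|gif|ico|svg)$ {
            expires 1h;
            add_header Cache-Control "public, immutable";
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-XSS-Protection "1; mode=block" always;
        }
    }

    # Service status API.
    # NOTE(review): wildcard CORS and no access control in this location;
    # confirm the status API exposes nothing sensitive.
    location /status/api {
        proxy_pass http://localhost:3006/api;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # CORS for AJAX requests
        add_header Access-Control-Allow-Origin *;
        add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
        add_header Access-Control-Allow-Headers "Content-Type, Authorization";

        # Timeouts
        proxy_connect_timeout 10s;
        proxy_send_timeout 10s;
        proxy_read_timeout 10s;

        if ($request_method = 'OPTIONS') {
            return 204;
        }
    }

    # ihm_client (root).
    # NOTE(review): disabled because it duplicates `location /` above, which
    # nginx rejects at load time. If the frontend is meant to be served from
    # this host, it presumably belongs in the HTTPS server - confirm.
    # location / {
    #     proxy_pass http://localhost:3003;
    #     include /etc/nginx/proxy_params;
    #     proxy_http_version 1.1;
    #     proxy_set_header Upgrade $http_upgrade;
    #     proxy_set_header Connection "upgrade";
    #     proxy_read_timeout 300;
    # }

    # favicon
    location = /favicon.ico {
        root /home/debian/4NK_env/confs/lecoffre_node/nginx/assets;
        try_files /favicon.ico =404;
        access_log off;
        expires 30d;
    }

    # lecoffre frontend
    location = /lecoffre {
        proxy_pass http://127.0.0.2:3004/lecoffre;
        include /etc/nginx/proxy_params;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto http;
    }

    location /lecoffre/ {
        proxy_pass http://127.0.0.2:3004/lecoffre/;
        include /etc/nginx/proxy_params;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto http;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 300;
    }

    # Next.js assets
    location /_next/ {
        proxy_pass http://127.0.0.2:3004/_next/;
        include /etc/nginx/proxy_params;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto http;
    }

    # blindbit
    location /blindbit/ {
        proxy_pass http://localhost:8000/;
        include /etc/nginx/proxy_params;
    }
}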