4NK_env/confs/lecoffre_node/nginx_backups_host/dev4.4nkweb.com-https.conf

# Configuration HTTPS pour dev4.4nkweb.com
server {
    listen 443 ssl http2;
    server_name dev4.4nkweb.com;

    # Certificats SSL
    ssl_certificate     /etc/letsencrypt/live/dev4.4nkweb.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dev4.4nkweb.com/privkey.pem;

    # Configuration SSL
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # Headers de sécurité
    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Grafana - Interface de monitoring (DOIT être avant location /)
    location /grafana/ {
        proxy_pass http://localhost:3005/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Configuration spécifique pour Grafana
        proxy_set_header X-Grafana-Org-Id 1;

        # Support des WebSockets pour les live updates
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Timeouts
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;

        # Buffer settings
        proxy_buffering off;
        proxy_request_buffering off;
    }

    # Loki API - API de logs (DOIT être avant location /)
    location /loki/ {
        proxy_pass http://localhost:3100/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # CORS pour les requêtes depuis Grafana
        add_header Access-Control-Allow-Origin *;
        add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
        add_header Access-Control-Allow-Headers "Content-Type, Authorization";

        if ($request_method = 'OPTIONS') {
            return 204;
        }
    }

    # Page de statut des services (DOIT être avant location /)
    location /status {
        # Redirection vers /status/
        return 301 /status/;
    }

    location /status/ {
        # Serveur statique pour la page HTML
        alias /var/www/lecoffre/status/;
        index index.html;
        try_files $uri $uri/ /status/index.html;

        # Headers de sécurité
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;

        # Cache pour les assets statiques
        location ~* \.(css|js|png|jpg|jpeg|gif|ico|svg)$ {
            expires 1h;
            add_header Cache-Control "public, immutable";
        }
    }

    # API de statut des services (DOIT être avant location /)
    location /status/api {
        proxy_pass http://localhost:3006/api;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # CORS pour les requêtes AJAX
        add_header Access-Control-Allow-Origin *;
        add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
        add_header Access-Control-Allow-Headers "Content-Type, Authorization";

        # Timeouts
        proxy_connect_timeout 10s;
        proxy_send_timeout 10s;
        proxy_read_timeout 10s;

        if ($request_method = 'OPTIONS') {
            return 204;
        }
    }

    # API backend - route /back/ vers /api/ du backend
    location ~* ^/back/(.*)$ {
        proxy_pass http://localhost:8080/api/$1;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Connection "";
        proxy_buffering off;
    }

    # API direct - route /api/ vers le backend
    # Autorisations CORS dynamiques pour origines connues
    set $cors_origin "";
    if ($http_origin ~* ^(http://local\.4nkweb\.com:3000|https://dev4\.4nkweb\.com)$) {
        set $cors_origin $http_origin;
    }

    location /api/ {
        # CORS pour développement local Next.js
        proxy_hide_header Access-Control-Allow-Origin;
        proxy_hide_header Access-Control-Allow-Credentials;
        proxy_hide_header Access-Control-Allow-Headers;
        proxy_hide_header Access-Control-Allow-Methods;

        if ($request_method = OPTIONS) {
            add_header Access-Control-Allow-Origin $cors_origin always;
            add_header Access-Control-Allow-Credentials "true" always;
            add_header Access-Control-Allow-Headers "Content-Type, x-session-id, Authorization" always;
            add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
            return 204;
        }

        add_header Access-Control-Allow-Origin $cors_origin always;
        add_header Access-Control-Allow-Credentials "true" always;
        add_header Access-Control-Allow-Headers "Content-Type, x-session-id, Authorization" always;
        add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;

        proxy_pass http://dev3.4nkweb.com:8080/api/;
        include /etc/nginx/proxy_params;
        proxy_read_timeout 300;
        proxy_connect_timeout 300;
        proxy_send_timeout 300;
    }

    # WebSocket relay (sdk_relay)
    location /ws/ {
        proxy_pass http://localhost:8090/;
        proxy_set_header Sec-WebSocket-Key $http_sec_websocket_key;
        proxy_set_header Sec-WebSocket-Version $http_sec_websocket_version;
        proxy_set_header Sec-WebSocket-Protocol $http_sec_websocket_protocol;
        proxy_set_header Sec-WebSocket-Extensions $http_sec_websocket_extensions;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 86400;
    }

    # API de transfert de fonds
    location /api/v1/funds/ {
        proxy_pass http://dev3.4nkweb.com:8080/api/v1/funds/;
        include /etc/nginx/proxy_params;
        proxy_read_timeout 300;
        proxy_connect_timeout 300;
        proxy_send_timeout 300;
    }

    # favicon
    location = /favicon.ico {
        root /home/debian/4NK_env/lecoffre_node/conf/nginx/assets;
        try_files /favicon.ico =404;
    }

    # blindbit
    location /blindbit/ {
        proxy_pass http://localhost:8000/;
        include /etc/nginx/proxy_params;
    }

    # lecoffre-front - Application LeCoffre
    location = /lecoffre { return 301 /lecoffre/; }
    location ^~ /lecoffre/ {
        # ensure no redirect here; only proxy to Next
        add_header Cache-Control "no-store, no-cache, must-revalidate, max-age=0" always;
        add_header Pragma "no-cache" always;
        add_header Expires "-1" always;
        proxy_hide_header ETag;
        proxy_hide_header Last-Modified;
        proxy_pass http://localhost:3004;
        include /etc/nginx/proxy_params;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 300;
        proxy_send_timeout 300;
        proxy_connect_timeout 300;
    }

    # ihm_client (root) - DOIT être en dernier
    location / {
        proxy_pass http://localhost:3003;
        include /etc/nginx/proxy_params;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 300;
    }
}