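# ==============================================
# Production configuration for uchill.online
# ==============================================
#
# Every server block in this file is commented out, so the file is a no-op
# until the blocks are uncommented. Each line must keep its leading "#":
# a wrapped line that loses it becomes a live (or invalid) directive.
#
# NOTE(review): the upstreams (backend, frontend, whiteboard), the limit
# zones (api_limit, login_limit, conn_limit) and the cache zone (api_cache)
# are referenced below but not defined in this file - presumably they live in
# the main nginx.conf; confirm before enabling.

# HTTP-to-HTTPS redirect (disabled for dev: no SSL certificates)
# server {
#     listen 80;
#     listen [::]:80;
#     server_name uchill.online www.uchill.online;
#
#     # Let's Encrypt challenge
#     location /.well-known/acme-challenge/ {
#         root /var/www/certbot;
#     }
#
#     # Redirect to HTTPS
#     location / {
#         return 301 https://$host$request_uri;
#     }
# }

# HTTPS server (disabled for dev: no SSL certificates)
# To enable: place the certificates in /etc/nginx/ssl/ and uncomment
# server {
#     listen 443 ssl;
#     listen [::]:443 ssl;
#     http2 on;
#     server_name uchill.online www.uchill.online;
#
#     # Let's Encrypt SSL certificates
#     ssl_certificate /etc/nginx/ssl/fullchain.pem;
#     ssl_certificate_key /etc/nginx/ssl/privkey.pem;
#
#     # SSL settings
#     ssl_protocols TLSv1.2 TLSv1.3;
#     ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
#     ssl_prefer_server_ciphers on;
#     ssl_session_cache shared:SSL:10m;
#     ssl_session_timeout 10m;
#     # NOTE(review): stapling needs a resolver to reach the OCSP responder,
#     # and ssl_stapling_verify needs ssl_trusted_certificate; neither is set
#     # in this file - confirm they are configured elsewhere.
#     ssl_stapling on;
#     ssl_stapling_verify on;
#
#     # Security
#     # NOTE(review): nginx inherits add_header from the server level only
#     # into locations that declare no add_header of their own. /static/,
#     # /media/ and /api/ below each declare one, so these five headers are
#     # not sent on those responses; repeat them there (or pull them in through
#     # a shared include) if they are meant to apply site-wide.
#     # "includeSubDomains; preload" commits every subdomain to HTTPS for a
#     # year - confirm all of them serve TLS before enabling.
#     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
#     add_header X-Frame-Options "SAMEORIGIN" always;
#     add_header X-Content-Type-Options "nosniff" always;
#     # X-XSS-Protection is deprecated and no longer acted on by current
#     # browsers; a Content-Security-Policy is the maintained control.
#     add_header X-XSS-Protection "1; mode=block" always;
#     # no-referrer-when-downgrade still sends the full URL (path and query) to
#     # other HTTPS origins; strict-origin-when-cross-origin limits that to
#     # the origin.
#     add_header Referrer-Policy "no-referrer-when-downgrade" always;
#
#     # Upload size limit (applies to every location in this server)
#     client_max_body_size 100M;
#
#     # Timeouts
#     proxy_connect_timeout 60s;
#     proxy_send_timeout 60s;
#     proxy_read_timeout 60s;
#
#     # ==============================================
#     # Static files
#     # ==============================================
#     location /static/ {
#         alias /staticfiles/;
#         expires 30d;
#         add_header Cache-Control "public, immutable";
#         access_log off;
#     }
#
#     # NOTE(review): if /media/ holds user uploads, they are served from the
#     # application's own origin, and the server-level nosniff header is not
#     # inherited here because this location declares its own add_header.
#     location /media/ {
#         alias /media/;
#         expires 7d;
#         add_header Cache-Control "public";
#         access_log off;
#     }
#
#     # ==============================================
#     # API (Backend)
#     # ==============================================
#     location /api/ {
#         limit_req zone=api_limit burst=20 nodelay;
#         limit_conn conn_limit 10;
#
#         proxy_pass http://backend;
#         proxy_set_header Host $host;
#         proxy_set_header X-Real-IP $remote_addr;
#         # $proxy_add_x_forwarded_for appends to whatever the client sent, so
#         # the backend should trust only the entry added by this proxy.
#         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#         proxy_set_header X-Forwarded-Proto $scheme;
#         proxy_set_header X-Forwarded-Host $host;
#         proxy_set_header X-Forwarded-Port $server_port;
#
#         # WebSocket support
#         proxy_http_version 1.1;
#         proxy_set_header Upgrade $http_upgrade;
#         proxy_set_header Connection "upgrade";
#
#         # Caching for GET requests
#         # The cache key has no per-user component, so a 200 response to an
#         # authenticated GET could be replayed to another client for 5 minutes
#         # unless the backend marks it uncacheable. proxy_cache_bypass and
#         # proxy_no_cache keep requests that carry credentials out of the
#         # cache. "sessionid" is Django's default session cookie name -
#         # confirm against the backend settings.
#         proxy_cache api_cache;
#         proxy_cache_valid 200 5m;
#         proxy_cache_methods GET HEAD;
#         proxy_cache_key "$scheme$request_method$host$request_uri";
#         proxy_cache_bypass $http_authorization $cookie_sessionid;
#         proxy_no_cache $http_authorization $cookie_sessionid;
#         add_header X-Cache-Status $upstream_cache_status;
#     }
#
#     # Health check without rate limits
#     location /health/ {
#         proxy_pass http://backend;
#         proxy_set_header Host $host;
#         access_log off;
#     }
#
#     # Django Admin
#     # NOTE(review): reachable from any address and protected only by the
#     # login rate limit; consider restricting it with allow/deny to the
#     # networks administrators actually use.
#     location /admin/ {
#         limit_req zone=login_limit burst=5 nodelay;
#
#         proxy_pass http://backend;
#         proxy_set_header Host $host;
#         proxy_set_header X-Real-IP $remote_addr;
#         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#         proxy_set_header X-Forwarded-Proto $scheme;
#     }
#
#     # ==============================================
#     # WebSocket for notifications
#     # ==============================================
#     location /ws/ {
#         proxy_pass http://backend;
#         proxy_http_version 1.1;
#         proxy_set_header Upgrade $http_upgrade;
#         proxy_set_header Connection "upgrade";
#         proxy_set_header Host $host;
#         proxy_set_header X-Real-IP $remote_addr;
#         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#         proxy_set_header X-Forwarded-Proto $scheme;
#
#         # Timeouts for WebSocket
#         # No limit_req/limit_conn here, and connections may idle for an hour.
#         proxy_read_timeout 3600s;
#         proxy_send_timeout 3600s;
#     }
#
#     # ==============================================
#     # Whiteboard (Collaborative Whiteboard)
#     # ==============================================
#     location /whiteboard/ {
#         proxy_pass http://whiteboard/;
#         proxy_set_header Host $host;
#         proxy_set_header X-Real-IP $remote_addr;
#         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#         proxy_set_header X-Forwarded-Proto $scheme;
#         proxy_set_header X-Forwarded-Host $host;
#
#         # WebSocket for whiteboard
#         proxy_http_version 1.1;
#         proxy_set_header Upgrade $http_upgrade;
#         proxy_set_header Connection "upgrade";
#
#         # Timeouts for WebSocket
#         proxy_read_timeout 3600s;
#         proxy_send_timeout 3600s;
#     }
#
#     # ==============================================
#     # Frontend (Next.js)
#     # ==============================================
#     location / {
#         limit_req zone=api_limit burst=50 nodelay;
#
#         proxy_pass http://frontend;
#         proxy_set_header Host $host;
#         proxy_set_header X-Real-IP $remote_addr;
#         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#         proxy_set_header X-Forwarded-Proto $scheme;
#         proxy_set_header X-Forwarded-Host $host;
#
#         # WebSocket for Next.js HMR (dev only)
#         proxy_http_version 1.1;
#         proxy_set_header Upgrade $http_upgrade;
#         proxy_set_header Connection "upgrade";
#     }
#
#     # Block access to hidden files
#     # This regex also matches /.well-known/ on this server; the ACME
#     # challenge path is served by the port-80 server above.
#     location ~ /\. {
#         deny all;
#         access_log off;
#         log_not_found off;
#     }
# }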