server { listen 80; server_name localhost; # Redirect HTTP → HTTPS in produzione (commentato per dev) # return 301 https://$host$request_uri; # ── API Backend ─────────────────────────────────────────────────────────── location /api/ { limit_req zone=api burst=20 nodelay; proxy_pass http://backend:8000; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Connection ""; # Timeout generosi per operazioni lunghe (es. generazione QR) proxy_connect_timeout 30s; proxy_send_timeout 60s; proxy_read_timeout 60s; # Upload allegati fino a 50MB client_max_body_size 50m; } # ── Auth endpoint con rate limiting più stretto ──────────────────────────── location /api/v1/auth/login { limit_req zone=auth burst=5 nodelay; proxy_pass http://backend:8000; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } # ── Health check ────────────────────────────────────────────────────────── location /health { proxy_pass http://backend:8000; access_log off; } # ── Swagger UI (solo dev) ───────────────────────────────────────────────── location /docs { proxy_pass http://backend:8000; } location /redoc { proxy_pass http://backend:8000; } location /openapi.json { proxy_pass http://backend:8000; } # ── WebSocket ───────────────────────────────────────────────────────────── location /ws/ { proxy_pass http://backend:8000; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Host $host; proxy_read_timeout 3600s; } # ── Frontend (sarà aggiunto in Fase 5) ──────────────────────────────────── # location / { # proxy_pass http://frontend:3000; # } }