PecHub/infra/nginx/conf.d/pecflow.conf

server {
    listen 80;
    server_name localhost;

    # Redirect HTTP → HTTPS in produzione (commentato per dev)
    # return 301 https://$host$request_uri;

    # ── API Backend ───────────────────────────────────────────────────────────
    location /api/ {
        limit_req zone=api burst=20 nodelay;

        proxy_pass         http://backend:8000;
        proxy_http_version 1.1;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_set_header   Connection        "";

        # Timeout generosi per operazioni lunghe (es. generazione QR)
        proxy_connect_timeout 30s;
        proxy_send_timeout    60s;
        proxy_read_timeout    60s;

        # Upload allegati fino a 50MB
        client_max_body_size 50m;
    }

    # ── Auth endpoint con rate limiting più stretto ────────────────────────────
    location /api/v1/auth/login {
        limit_req zone=auth burst=5 nodelay;

        proxy_pass         http://backend:8000;
        proxy_http_version 1.1;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }

    # ── Health check ──────────────────────────────────────────────────────────
    location /health {
        proxy_pass http://backend:8000;
        access_log off;
    }

    # ── Swagger UI (solo dev) ─────────────────────────────────────────────────
    location /docs {
        proxy_pass http://backend:8000;
    }
    location /redoc {
        proxy_pass http://backend:8000;
    }
    location /openapi.json {
        proxy_pass http://backend:8000;
    }

    # ── WebSocket ─────────────────────────────────────────────────────────────
    location /ws/ {
        proxy_pass         http://backend:8000;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade    $http_upgrade;
        proxy_set_header   Connection "upgrade";
        proxy_set_header   Host       $host;
        proxy_read_timeout 3600s;
    }

    # ── Frontend (sarà aggiunto in Fase 5) ────────────────────────────────────
    # location / {
    #     proxy_pass http://frontend:3000;
    # }
}