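worker_processes auto;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;

    # Do not advertise the nginx version in the Server header or on error pages.
    server_tokens off;

    # Baseline security headers (minimum set).
    # "always" makes nginx attach them to error responses (4xx/5xx) as well,
    # not only to 2xx/3xx — without it the 50x page below would lack them.
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options DENY always;
    add_header Referrer-Policy strict-origin-when-cross-origin always;
    # HSTS for the production server (keep commented out in local setups):
    # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Request id. Reuse the client's X-Request-Id only when it is a short,
    # plain token; when it is absent, empty, too long or contains any other
    # character, mint our own. $req_id is written to the access log and
    # forwarded to every upstream, so an unrestricted client-supplied value
    # would be a log/header injection vector.
    map $http_x_request_id $req_id {
        default                     $request_id;
        "~^[A-Za-z0-9._-]{1,64}$"   $http_x_request_id;
    }

    log_format main '$remote_addr - $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent" "$req_id"';

    access_log /var/log/nginx/access.log main;
    error_log  /var/log/nginx/error.log warn;

    # ==========================================================================
    # UPSTREAMS
    # ==========================================================================
    upstream microdao_api   { server microdao-api:8000; }
    upstream microdao_ws    { server microdao-ws:8001; }
    upstream matrix_hs      { server matrix-homeserver:8008; }
    upstream grafana_srv    { server grafana:3000; }
    upstream prometheus_srv { server prometheus:9090; }
    upstream rag_srv        { server rag-service:8081; }
    upstream notify_srv     { server notification-service:8082; }

    # ==========================================================================
    # MAIN SERVER
    # ==========================================================================
    server {
        listen 80;
        server_name _;

        # Client settings
        client_max_body_size 100M;
        client_body_buffer_size 128k;

        # Timeouts (WebSocket locations override the read/send values below)
        proxy_connect_timeout 60s;
        proxy_send_timeout    60s;
        proxy_read_timeout    60s;

        # Headers forwarded to every proxied upstream. nginx inherits these
        # into a location only if that location sets NO proxy_set_header of
        # its own, so locations that add Upgrade/Connection for WebSockets
        # repeat the full list. $proxy_add_x_forwarded_for appends to any
        # X-Forwarded-For the client sent; upstreams must trust only the
        # last (nginx-added) hop of that list. $scheme reflects this
        # listener (plain HTTP); if TLS is terminated in front of nginx,
        # pass the terminator's value instead — verify for your deployment.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Request-Id      $req_id;

        # ======================================================================
        # HEALTHCHECK
        # ======================================================================
        location = /healthz {
            access_log off;
            # default_type (not add_header Content-Type) so the security
            # headers inherited from the http block are not discarded: any
            # add_header inside a location replaces the inherited set.
            default_type text/plain;
            return 200 'OK';
        }

        # ======================================================================
        # MICRODAO API  (the /api/ prefix is stripped: /api/x -> /x upstream)
        # ======================================================================
        location /api/ {
            proxy_pass http://microdao_api/;
        }

        # ======================================================================
        # MICRODAO WEBSOCKET
        # ======================================================================
        location /ws/ {
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Request-Id      $req_id;

            # WebSocket upgrade
            proxy_http_version 1.1;
            proxy_set_header Upgrade    $http_upgrade;
            proxy_set_header Connection "upgrade";

            # Extended timeout for long-lived WebSocket connections
            proxy_read_timeout 86400s;
            proxy_send_timeout 86400s;

            proxy_pass http://microdao_ws/;
        }

        # ======================================================================
        # MATRIX
        # ======================================================================
        location /matrix/ {
            # Remove the /matrix/ prefix before handing the URI to the homeserver
            rewrite ^/matrix/(.*) /$1 break;
            proxy_pass http://matrix_hs;
        }

        # Matrix client API (no rewrite: the homeserver expects /_matrix/... as-is)
        location /_matrix {
            proxy_pass http://matrix_hs;
        }

        # ======================================================================
        # GRAFANA
        # NOTE(review): reachable without any authentication at this layer;
        # Grafana's own login is the only gate. Restrict by network or add
        # auth_basic/auth_request here before exposing this server publicly.
        # ======================================================================
        location /grafana/ {
            proxy_pass http://grafana_srv/;
        }

        # Grafana WebSocket (Live)
        location /grafana/api/live/ {
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Request-Id      $req_id;

            proxy_http_version 1.1;
            proxy_set_header Upgrade    $http_upgrade;
            proxy_set_header Connection "upgrade";

            proxy_pass http://grafana_srv/api/live/;
        }

        # ======================================================================
        # PROMETHEUS
        # NOTE(review): Prometheus has no built-in authentication, so this
        # location exposes the full query API to anyone who can reach port 80.
        # Gate it (allow/deny by source network, auth_basic with a user file
        # at <PATH-TO-HTPASSWD>, or auth_request) or remove the public route.
        # ======================================================================
        location /prometheus/ {
            proxy_pass http://prometheus_srv/;
        }

        # ======================================================================
        # RAG SERVICE
        # ======================================================================
        location /rag/ {
            proxy_pass http://rag_srv/;
        }

        # ======================================================================
        # NOTIFICATION SERVICE
        # ======================================================================
        location /notify/ {
            proxy_pass http://notify_srv/;
        }

        # ======================================================================
        # ERROR PAGES
        # ======================================================================
        error_page 502 503 504 /50x.html;
        location = /50x.html {
            root /usr/share/nginx/html;
        }
    }
}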