michangarrito/deploy/nginx/conf.d/default.conf

# =============================================================================
# MiChangarrito - Nginx Server Configuration
# =============================================================================

# Upstream definitions
upstream backend {
    server backend:3141;
    keepalive 32;
}

upstream frontend {
    server frontend:80;
    keepalive 32;
}

upstream whatsapp {
    server whatsapp-service:3143;
    keepalive 32;
}

# HTTP server (redirect to HTTPS in production)
server {
    listen 80;
    server_name _;

    # Health check (always available)
    location /nginx-health {
        access_log off;
        return 200 "healthy\n";
        add_header Content-Type text/plain;
    }

    # Let's Encrypt challenge
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    # In development, serve directly
    # In production, uncomment the redirect below
    # return 301 https://$host$request_uri;

    # Frontend (web app)
    location / {
        proxy_pass http://frontend;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
    }

    # Backend API
    location /api/ {
        limit_req zone=api burst=20 nodelay;

        proxy_pass http://backend;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;

        # Timeouts for API
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
    }

    # WhatsApp Webhook
    location /webhook/ {
        limit_req zone=webhook burst=50 nodelay;

        proxy_pass http://whatsapp;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WhatsApp may send large payloads
        client_max_body_size 10M;
    }

    # Stripe Webhook
    location /billing/webhooks {
        proxy_pass http://backend;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Important: preserve raw body for Stripe signature verification
        proxy_set_header Stripe-Signature $http_stripe_signature;
    }
}

# HTTPS server (uncomment for production with SSL)
# server {
#     listen 443 ssl http2;
#     server_name michangarrito.com;
#
#     ssl_certificate /etc/nginx/ssl/fullchain.pem;
#     ssl_certificate_key /etc/nginx/ssl/privkey.pem;
#     ssl_session_timeout 1d;
#     ssl_session_cache shared:SSL:50m;
#     ssl_session_tickets off;
#
#     ssl_protocols TLSv1.2 TLSv1.3;
#     ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
#     ssl_prefer_server_ciphers off;
#
#     add_header Strict-Transport-Security "max-age=63072000" always;
#
#     # Same location blocks as HTTP server above...
# }