# Production Configuration - ParentFlow # Domains: parentflowapp.com, api.parentflowapp.com # Redirect HTTP to HTTPS server { listen 80; listen [::]:80; server_name parentflowapp.com www.parentflowapp.com api.parentflowapp.com; location /.well-known/acme-challenge/ { root /var/www/certbot; } location / { return 301 https://$server_name$request_uri; } } # Frontend - parentflowapp.com server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name parentflowapp.com www.parentflowapp.com; # SSL Configuration (Update paths after Let's Encrypt setup) ssl_certificate /etc/nginx/ssl/parentflowapp.com/fullchain.pem; ssl_certificate_key /etc/nginx/ssl/parentflowapp.com/privkey.pem; ssl_trusted_certificate /etc/nginx/ssl/parentflowapp.com/chain.pem; # Security Headers add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; add_header Content-Security-Policy "default-src 'self' https://api.parentflowapp.com wss://api.parentflowapp.com; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https:; font-src 'self' data:; connect-src 'self' https://api.parentflowapp.com wss://api.parentflowapp.com https://app.posthog.com;" always; # Logging access_log /var/log/nginx/parentflowapp.access.log main; error_log /var/log/nginx/parentflowapp.error.log warn; # Root location - proxy to Next.js frontend location / { proxy_pass http://frontend; proxy_http_version 1.1; # Headers proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # Timeouts proxy_connect_timeout 60s; proxy_send_timeout 60s; proxy_read_timeout 60s; # Cache static assets location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ { proxy_pass http://frontend; proxy_cache parentflow_cache; proxy_cache_valid 200 302 1h; proxy_cache_valid 404 1m; add_header X-Cache-Status $upstream_cache_status; expires 1h; add_header Cache-Control "public, immutable"; } } # Next.js specific paths location /_next/static { proxy_pass http://frontend; proxy_cache parentflow_cache; proxy_cache_valid 200 302 24h; add_header Cache-Control "public, max-age=31536000, immutable"; } location /api { proxy_pass http://frontend; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } } # API Backend - api.parentflowapp.com server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name api.parentflowapp.com; # SSL Configuration (Update paths after Let's Encrypt setup) ssl_certificate /etc/nginx/ssl/api.parentflowapp.com/fullchain.pem; ssl_certificate_key /etc/nginx/ssl/api.parentflowapp.com/privkey.pem; ssl_trusted_certificate /etc/nginx/ssl/api.parentflowapp.com/chain.pem; # Security Headers add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; add_header Access-Control-Allow-Origin "https://parentflowapp.com" always; add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS, PATCH" always; add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization" always; add_header Access-Control-Allow-Credentials "true" always; # Logging access_log /var/log/nginx/api.parentflowapp.access.log main; error_log /var/log/nginx/api.parentflowapp.error.log warn; # Handle preflight requests location / { if ($request_method = 'OPTIONS') { add_header Access-Control-Allow-Origin "https://parentflowapp.com" always; add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS, PATCH" always; add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization" always; add_header Access-Control-Allow-Credentials "true" always; add_header Access-Control-Max-Age 86400; add_header Content-Type text/plain; add_header Content-Length 0; return 204; } # Rate limiting for API limit_req zone=api_limit burst=20 nodelay; proxy_pass http://backend; proxy_http_version 1.1; # Headers proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # Timeouts proxy_connect_timeout 60s; proxy_send_timeout 60s; proxy_read_timeout 60s; # Buffering proxy_buffering off; proxy_request_buffering off; } # WebSocket support for real-time features location /ws { proxy_pass http://backend; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # WebSocket timeouts proxy_connect_timeout 7d; proxy_send_timeout 7d; proxy_read_timeout 7d; } # GraphQL endpoint location /graphql { limit_req zone=api_limit burst=10 nodelay; proxy_pass http://backend; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # Larger timeouts for GraphQL proxy_connect_timeout 120s; proxy_send_timeout 120s; proxy_read_timeout 120s; } # Health check endpoint location /health { proxy_pass http://backend; access_log off; } }