refactor: remove Docker nginx from production, use host nginx directly

The production stack no longer runs a Docker nginx container. Instead, the host-level nginx handles SSL termination AND request routing: /api/* → 127.0.0.1:3000 (backend) /* → 127.0.0.1:3001 (frontend) Changes: - docker-compose.prod.yml: set nginx replicas to 0, expose backend and frontend on 127.0.0.1 only (loopback) - nginx/host-production.conf: new ready-to-copy host nginx config with SSL, rate limiting, proxy buffering, and AI endpoint timeouts - docs/DEPLOYMENT.md: rewritten production deployment and SSL sections to reflect the simplified single-nginx architecture Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-02 20:08:32 -05:00
parent d526025926
commit 2c215353d4
3 changed files with 199 additions and 284 deletions
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -2,29 +2,31 @@
 #   docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d --build
 #
 # What this changes from the base (dev) config:
+#   - Disables the Docker nginx container (host nginx handles routing + SSL)
 #   - Backend: production Dockerfile (compiled JS, no watch, no devDeps)
 #   - Frontend: production Dockerfile (static build served by nginx on port 3001)
+#   - Backend + Frontend bound to 127.0.0.1 only (host nginx proxies to them)
 #   - No source-code volume mounts (uses baked-in built code)
 #   - Memory limits and health checks on backend
 #   - Tuned PostgreSQL for production workloads
 #   - Restart policies for reliability
 #
-# SSL/TLS is handled at the host level (e.g., host nginx + certbot).
-# The Docker nginx container listens internally on port 80, mapped to
-# host port 8080 so it doesn't conflict with the host reverse proxy.
+# SSL/TLS and request routing are handled by the host-level nginx.
+# See nginx/host-production.conf for a ready-to-use reference config.

 services:
  nginx:
-    ports:
-      - "8080:80"                          # override: avoid conflict with host nginx
-    volumes:
-      - ./nginx/production.conf:/etc/nginx/conf.d/default.conf:ro
-    restart: unless-stopped
+    # Disabled in production — host nginx handles routing + SSL directly.
+    # The dev-only Docker nginx is still used by the base docker-compose.yml.
+    deploy:
+      replicas: 0

  backend:
    build:
      context: ./backend
      dockerfile: Dockerfile          # production Dockerfile (compiled JS)
+    ports:
+      - "127.0.0.1:3000:3000"        # loopback only — host nginx proxies here
    volumes: []                        # override: no source mounts in prod
    environment:
      - DATABASE_URL=${DATABASE_URL}
@@ -53,6 +55,8 @@ services:
    build:
      context: ./frontend
      dockerfile: Dockerfile           # production Dockerfile (static nginx)
+    ports:
+      - "127.0.0.1:3001:3001"         # loopback only — host nginx proxies here
    volumes: []                         # override: no source mounts in prod
    environment:
      - NODE_ENV=production