olsch01
8db89373e0
Root cause of 502 errors under 30 concurrent users: the production server was running dev-mode infrastructure (Vite dev server, NestJS --watch, no DB connection pooling, single Node.js process). Changes: - backend/Dockerfile: multi-stage prod build (compiled JS, no devDeps) - frontend/Dockerfile: multi-stage prod build (static assets served by nginx) - frontend/nginx.conf: SPA routing config for frontend container - docker-compose.prod.yml: production overlay with tuned Postgres, memory limits, health checks, restart policies - nginx/production.conf: keepalive upstreams, proxy buffering, rate limiting - backend/src/main.ts: Node.js clustering (1 worker per CPU, up to 4), conditional request logging, production CORS - backend/src/app.module.ts: TypeORM connection pool (max 30, min 5) - docs/DEPLOYMENT.md: new Production Deployment section Deploy with: docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d --build Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
98 lines
2.7 KiB
Plaintext
98 lines
2.7 KiB
Plaintext
upstream backend {
|
|
server backend:3000;
|
|
keepalive 32; # reuse connections to backend
|
|
}
|
|
|
|
upstream frontend {
|
|
server frontend:80;
|
|
keepalive 16;
|
|
}
|
|
|
|
# Shared proxy settings
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Connection ""; # enable keepalive to upstreams
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
|
|
# Buffer settings — prevent 502s when backend is slow to respond
|
|
proxy_buffering on;
|
|
proxy_buffer_size 16k;
|
|
proxy_buffers 8 16k;
|
|
proxy_busy_buffers_size 32k;
|
|
|
|
# Redirect HTTP → HTTPS
|
|
server {
|
|
listen 80;
|
|
server_name _;
|
|
|
|
location /.well-known/acme-challenge/ {
|
|
root /var/www/certbot;
|
|
}
|
|
|
|
location / {
|
|
return 301 https://$host$request_uri;
|
|
}
|
|
}
|
|
|
|
# HTTPS server
|
|
server {
|
|
listen 443 ssl;
|
|
# Replace with your hostname:
|
|
server_name staging.example.com;
|
|
|
|
# --- TLS certificates ---
|
|
ssl_certificate /etc/letsencrypt/live/staging.example.com/fullchain.pem;
|
|
ssl_certificate_key /etc/letsencrypt/live/staging.example.com/privkey.pem;
|
|
|
|
ssl_protocols TLSv1.2 TLSv1.3;
|
|
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
|
|
ssl_prefer_server_ciphers on;
|
|
ssl_session_cache shared:SSL:10m;
|
|
ssl_session_timeout 1d;
|
|
ssl_session_tickets off;
|
|
|
|
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
|
|
add_header X-Content-Type-Options nosniff always;
|
|
add_header X-Frame-Options SAMEORIGIN always;
|
|
|
|
# --- Rate limit zone (10 req/s per IP for API) ---
|
|
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;
|
|
|
|
# --- API routes → backend ---
|
|
location /api/ {
|
|
limit_req zone=api_limit burst=30 nodelay;
|
|
|
|
proxy_pass http://backend;
|
|
proxy_read_timeout 30s;
|
|
proxy_connect_timeout 5s;
|
|
proxy_send_timeout 15s;
|
|
}
|
|
|
|
# AI endpoints → longer timeouts
|
|
location /api/investment-planning/recommendations {
|
|
proxy_pass http://backend;
|
|
proxy_read_timeout 180s;
|
|
proxy_connect_timeout 10s;
|
|
proxy_send_timeout 30s;
|
|
}
|
|
|
|
location /api/health-scores/calculate {
|
|
proxy_pass http://backend;
|
|
proxy_read_timeout 180s;
|
|
proxy_connect_timeout 10s;
|
|
proxy_send_timeout 30s;
|
|
}
|
|
|
|
# --- Static frontend → built React assets ---
|
|
location / {
|
|
proxy_pass http://frontend;
|
|
proxy_read_timeout 10s;
|
|
proxy_connect_timeout 5s;
|
|
|
|
# Cache static assets aggressively at the proxy level
|
|
proxy_cache_bypass $http_upgrade;
|
|
}
|
|
}
|