HOA_Financial_Platform/nginx/production.conf

upstream backend {
    server backend:3000;
    keepalive 32;            # reuse connections to backend
}

upstream frontend {
    server frontend:3001;
    keepalive 16;
}

# Hide nginx version from Server header
server_tokens off;

# Shared proxy settings
proxy_http_version 1.1;
proxy_set_header Connection "";          # enable keepalive to upstreams
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

# Buffer settings — prevent 502s when backend is slow to respond
proxy_buffering on;
proxy_buffer_size 16k;
proxy_buffers 8 16k;
proxy_busy_buffers_size 32k;

# Rate limit zone (10 req/s per IP for API)
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;

# HTTP server — SSL termination is handled by the host reverse proxy
server {
    listen 80;
    server_name _;

    # Security headers — applied to all routes at the nginx layer
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "no-referrer" always;
    add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;

    # --- API routes → backend ---
    location /api/ {
        limit_req zone=api_limit burst=30 nodelay;

        proxy_pass http://backend;
        proxy_read_timeout 30s;
        proxy_connect_timeout 5s;
        proxy_send_timeout 15s;
    }

    # AI endpoints now return immediately (async processing in background)
    # No special timeout overrides needed

    # --- Static frontend → built React assets ---
    location / {
        proxy_pass http://frontend;
        proxy_read_timeout 10s;
        proxy_connect_timeout 5s;
        proxy_cache_bypass $http_upgrade;
    }
}