feat: Add Nginx config for Hub reverse proxy

- nginx/hub.conf with SSL, headers, and SSE support - Bind port 3000 to localhost only (Nginx proxies) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-17 13:24:18 +01:00 · 2026-01-17 13:24:18 +01:00 · 622d9f4d2e
parent 411f7d4604
commit 622d9f4d2e
2 changed files with 77 additions and 1 deletions
--- a/deploy/docker-compose.simple.yml
+++ b/deploy/docker-compose.simple.yml
@ -24,7 +24,7 @@ services:
    container_name: letsbe-hub-app
    env_file: .env
    ports:
-      - "3000:3000"
+      - "127.0.0.1:3000:3000"  # Only localhost, Nginx proxies to this
    environment:
      DATABASE_URL: postgresql://${POSTGRES_USER:-letsbe_hub}:${POSTGRES_PASSWORD}@db:5432/${POSTGRES_DB:-letsbe_hub}
      NEXTAUTH_URL: ${HUB_URL}
--- a/deploy/nginx/hub.conf
+++ b/deploy/nginx/hub.conf
@ -0,0 +1,76 @@
+# LetsBe Hub - Nginx Configuration
+# Place this in /etc/nginx/sites-available/hub.conf
+# Then: ln -s /etc/nginx/sites-available/hub.conf /etc/nginx/sites-enabled/
+# And: nginx -t && systemctl reload nginx
+
+# Redirect HTTP to HTTPS
+server {
+    listen 80;
+    listen [::]:80;
+    server_name hub.yourdomain.com;
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+# HTTPS server
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name hub.yourdomain.com;
+
+    # SSL certificates (Let's Encrypt)
+    ssl_certificate /etc/letsencrypt/live/hub.yourdomain.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/hub.yourdomain.com/privkey.pem;
+
+    # SSL settings
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 1d;
+
+    # Security headers
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+
+    # Logging
+    access_log /var/log/nginx/hub.access.log;
+    error_log /var/log/nginx/hub.error.log;
+
+    # Proxy to Hub container
+    location / {
+        proxy_pass http://127.0.0.1:3000;
+        proxy_http_version 1.1;
+
+        # Headers
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host $host;
+
+        # WebSocket/SSE support (for log streaming)
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+
+        # Timeouts (longer for SSE streams)
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 300s;  # 5 min for SSE log streaming
+
+        # Buffering (disable for SSE)
+        proxy_buffering off;
+        proxy_cache off;
+
+        # Max body size (for file uploads if needed)
+        client_max_body_size 50M;
+    }
+}