monacousa-portal/nginx/portal.monacousa.org.conf

# Monaco USA Portal - Nginx Configuration
# Location: /etc/nginx/sites-available/portal.monacousa.org
#
# Installation:
#   1. Copy to /etc/nginx/sites-available/
#   2. Create symlink: ln -s /etc/nginx/sites-available/portal.monacousa.org /etc/nginx/sites-enabled/
#   3. Test config: nginx -t
#   4. Get SSL cert: certbot --nginx -d portal.monacousa.org -d api.monacousa.org -d studio.monacousa.org
#   5. Reload: systemctl reload nginx

# Rate limiting zone
limit_req_zone $binary_remote_addr zone=portal_limit:10m rate=10r/s;
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=30r/s;

# Upstream definitions
upstream portal_backend {
    server 127.0.0.1:7453;
    keepalive 32;
}

upstream api_backend {
    server 127.0.0.1:7455;
    keepalive 32;
}

upstream studio_backend {
    server 127.0.0.1:7454;
    keepalive 16;
}

# Main Portal - portal.monacousa.org
server {
    listen 80;
    listen [::]:80;
    server_name portal.monacousa.org;

    # Redirect all HTTP to HTTPS
    location / {
        return 301 https://$host$request_uri;
    }

    # Let's Encrypt challenge
    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name portal.monacousa.org;

    # SSL certificates (managed by certbot)
    # ssl_certificate /etc/letsencrypt/live/portal.monacousa.org/fullchain.pem;
    # ssl_certificate_key /etc/letsencrypt/live/portal.monacousa.org/privkey.pem;
    # include /etc/letsencrypt/options-ssl-nginx.conf;
    # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # Temporary self-signed for testing (remove after certbot)
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

    # Security headers
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Logging
    access_log /var/log/nginx/portal.monacousa.org.access.log;
    error_log /var/log/nginx/portal.monacousa.org.error.log;

    # Client body size (for file uploads)
    client_max_body_size 50M;

    # Gzip compression
    gzip on;
    gzip_vary on;
    gzip_min_length 1024;
    gzip_proxied any;
    gzip_types text/plain text/css text/xml text/javascript application/javascript application/json application/xml+rss image/svg+xml;

    # Rate limiting
    limit_req zone=portal_limit burst=20 nodelay;

    # Main application
    location / {
        proxy_pass http://portal_backend;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Timeouts
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;

        # Buffering
        proxy_buffering on;
        proxy_buffer_size 4k;
        proxy_buffers 8 4k;
    }

    # Static assets with caching
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
        proxy_pass http://portal_backend;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Cache static assets
        expires 1y;
        add_header Cache-Control "public, immutable";
    }
}

# Supabase API - api.monacousa.org
server {
    listen 80;
    listen [::]:80;
    server_name api.monacousa.org;

    location / {
        return 301 https://$host$request_uri;
    }

    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name api.monacousa.org;

    # SSL certificates (managed by certbot)
    # ssl_certificate /etc/letsencrypt/live/portal.monacousa.org/fullchain.pem;
    # ssl_certificate_key /etc/letsencrypt/live/portal.monacousa.org/privkey.pem;
    # include /etc/letsencrypt/options-ssl-nginx.conf;
    # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # Temporary self-signed for testing
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

    # Security headers
    add_header X-Frame-Options "DENY" always;
    add_header X-Content-Type-Options "nosniff" always;

    # Logging
    access_log /var/log/nginx/api.monacousa.org.access.log;
    error_log /var/log/nginx/api.monacousa.org.error.log;

    # Client body size
    client_max_body_size 50M;

    # Rate limiting (higher for API)
    limit_req zone=api_limit burst=50 nodelay;

    # CORS preflight
    location / {
        if ($request_method = 'OPTIONS') {
            add_header 'Access-Control-Allow-Origin' '*';
            add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, PATCH, OPTIONS';
            add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, apikey, x-client-info';
            add_header 'Access-Control-Max-Age' 1728000;
            add_header 'Content-Type' 'text/plain charset=UTF-8';
            add_header 'Content-Length' 0;
            return 204;
        }

        proxy_pass http://api_backend;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Longer timeout for realtime connections
        proxy_connect_timeout 60s;
        proxy_send_timeout 300s;
        proxy_read_timeout 300s;
    }
}

# Supabase Studio - studio.monacousa.org (optional, for admin access)
server {
    listen 80;
    listen [::]:80;
    server_name studio.monacousa.org;

    location / {
        return 301 https://$host$request_uri;
    }

    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name studio.monacousa.org;

    # SSL certificates (managed by certbot)
    # ssl_certificate /etc/letsencrypt/live/portal.monacousa.org/fullchain.pem;
    # ssl_certificate_key /etc/letsencrypt/live/portal.monacousa.org/privkey.pem;
    # include /etc/letsencrypt/options-ssl-nginx.conf;
    # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # Temporary self-signed for testing
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

    # Basic auth protection for studio
    auth_basic "Monaco USA Admin";
    auth_basic_user_file /etc/nginx/.htpasswd;

    # Logging
    access_log /var/log/nginx/studio.monacousa.org.access.log;
    error_log /var/log/nginx/studio.monacousa.org.error.log;

    location / {
        proxy_pass http://studio_backend;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
Initial production deployment setup - Production docker-compose with nginx support - Nginx configuration for portal.monacousa.org - Deployment script with backup/restore - Gitea CI/CD workflow - Fix CountryFlag reactivity for dropdown flags Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-25 02:19:49 +01:00			`# Monaco USA Portal - Nginx Configuration`
			`# Location: /etc/nginx/sites-available/portal.monacousa.org`
			`#`
			`# Installation:`
			`# 1. Copy to /etc/nginx/sites-available/`
			`# 2. Create symlink: ln -s /etc/nginx/sites-available/portal.monacousa.org /etc/nginx/sites-enabled/`
			`# 3. Test config: nginx -t`
			`# 4. Get SSL cert: certbot --nginx -d portal.monacousa.org -d api.monacousa.org -d studio.monacousa.org`
			`# 5. Reload: systemctl reload nginx`

			`# Rate limiting zone`
			`limit_req_zone $binary_remote_addr zone=portal_limit:10m rate=10r/s;`
			`limit_req_zone $binary_remote_addr zone=api_limit:10m rate=30r/s;`

			`# Upstream definitions`
			`upstream portal_backend {`
			`server 127.0.0.1:7453;`
			`keepalive 32;`
			`}`

			`upstream api_backend {`
			`server 127.0.0.1:7455;`
			`keepalive 32;`
			`}`

			`upstream studio_backend {`
			`server 127.0.0.1:7454;`
			`keepalive 16;`
			`}`

			`# Main Portal - portal.monacousa.org`
			`server {`
			`listen 80;`
			`listen [::]:80;`
			`server_name portal.monacousa.org;`

			`# Redirect all HTTP to HTTPS`
			`location / {`
			`return 301 https://$host$request_uri;`
			`}`

			`# Let's Encrypt challenge`
			`location /.well-known/acme-challenge/ {`
			`root /var/www/html;`
			`}`
			`}`

			`server {`
			`listen 443 ssl http2;`
			`listen [::]:443 ssl http2;`
			`server_name portal.monacousa.org;`

			`# SSL certificates (managed by certbot)`
			`# ssl_certificate /etc/letsencrypt/live/portal.monacousa.org/fullchain.pem;`
			`# ssl_certificate_key /etc/letsencrypt/live/portal.monacousa.org/privkey.pem;`
			`# include /etc/letsencrypt/options-ssl-nginx.conf;`
			`# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;`

			`# Temporary self-signed for testing (remove after certbot)`
			`ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;`
			`ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;`

			`# Security headers`
			`add_header X-Frame-Options "SAMEORIGIN" always;`
			`add_header X-Content-Type-Options "nosniff" always;`
			`add_header X-XSS-Protection "1; mode=block" always;`
			`add_header Referrer-Policy "strict-origin-when-cross-origin" always;`
			`add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;`

			`# Logging`
			`access_log /var/log/nginx/portal.monacousa.org.access.log;`
			`error_log /var/log/nginx/portal.monacousa.org.error.log;`

			`# Client body size (for file uploads)`
			`client_max_body_size 50M;`

			`# Gzip compression`
			`gzip on;`
			`gzip_vary on;`
			`gzip_min_length 1024;`
			`gzip_proxied any;`
			`gzip_types text/plain text/css text/xml text/javascript application/javascript application/json application/xml+rss image/svg+xml;`

			`# Rate limiting`
			`limit_req zone=portal_limit burst=20 nodelay;`

			`# Main application`
			`location / {`
			`proxy_pass http://portal_backend;`
			`proxy_http_version 1.1;`
			`proxy_set_header Host $host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $scheme;`
			`proxy_set_header Upgrade $http_upgrade;`
			`proxy_set_header Connection "upgrade";`

			`# Timeouts`
			`proxy_connect_timeout 60s;`
			`proxy_send_timeout 60s;`
			`proxy_read_timeout 60s;`

			`# Buffering`
			`proxy_buffering on;`
			`proxy_buffer_size 4k;`
			`proxy_buffers 8 4k;`
			`}`

			`# Static assets with caching`
			`location ~* \.(js\|css\|png\|jpg\|jpeg\|gif\|ico\|svg\|woff\|woff2\|ttf\|eot)$ {`
			`proxy_pass http://portal_backend;`
			`proxy_http_version 1.1;`
			`proxy_set_header Host $host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $scheme;`

			`# Cache static assets`
			`expires 1y;`
			`add_header Cache-Control "public, immutable";`
			`}`
			`}`

			`# Supabase API - api.monacousa.org`
			`server {`
			`listen 80;`
			`listen [::]:80;`
			`server_name api.monacousa.org;`

			`location / {`
			`return 301 https://$host$request_uri;`
			`}`

			`location /.well-known/acme-challenge/ {`
			`root /var/www/html;`
			`}`
			`}`

			`server {`
			`listen 443 ssl http2;`
			`listen [::]:443 ssl http2;`
			`server_name api.monacousa.org;`

			`# SSL certificates (managed by certbot)`
			`# ssl_certificate /etc/letsencrypt/live/portal.monacousa.org/fullchain.pem;`
			`# ssl_certificate_key /etc/letsencrypt/live/portal.monacousa.org/privkey.pem;`
			`# include /etc/letsencrypt/options-ssl-nginx.conf;`
			`# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;`

			`# Temporary self-signed for testing`
			`ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;`
			`ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;`

			`# Security headers`
			`add_header X-Frame-Options "DENY" always;`
			`add_header X-Content-Type-Options "nosniff" always;`

			`# Logging`
			`access_log /var/log/nginx/api.monacousa.org.access.log;`
			`error_log /var/log/nginx/api.monacousa.org.error.log;`

			`# Client body size`
			`client_max_body_size 50M;`

			`# Rate limiting (higher for API)`
			`limit_req zone=api_limit burst=50 nodelay;`

			`# CORS preflight`
			`location / {`
			`if ($request_method = 'OPTIONS') {`
			`add_header 'Access-Control-Allow-Origin' '*';`
			`add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, PATCH, OPTIONS';`
			`add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type, apikey, x-client-info';`
			`add_header 'Access-Control-Max-Age' 1728000;`
			`add_header 'Content-Type' 'text/plain charset=UTF-8';`
			`add_header 'Content-Length' 0;`
			`return 204;`
			`}`

			`proxy_pass http://api_backend;`
			`proxy_http_version 1.1;`
			`proxy_set_header Host $host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $scheme;`
			`proxy_set_header Upgrade $http_upgrade;`
			`proxy_set_header Connection "upgrade";`

			`# Longer timeout for realtime connections`
			`proxy_connect_timeout 60s;`
			`proxy_send_timeout 300s;`
			`proxy_read_timeout 300s;`
			`}`
			`}`

			`# Supabase Studio - studio.monacousa.org (optional, for admin access)`
			`server {`
			`listen 80;`
			`listen [::]:80;`
			`server_name studio.monacousa.org;`

			`location / {`
			`return 301 https://$host$request_uri;`
			`}`

			`location /.well-known/acme-challenge/ {`
			`root /var/www/html;`
			`}`
			`}`

			`server {`
			`listen 443 ssl http2;`
			`listen [::]:443 ssl http2;`
			`server_name studio.monacousa.org;`

			`# SSL certificates (managed by certbot)`
			`# ssl_certificate /etc/letsencrypt/live/portal.monacousa.org/fullchain.pem;`
			`# ssl_certificate_key /etc/letsencrypt/live/portal.monacousa.org/privkey.pem;`
			`# include /etc/letsencrypt/options-ssl-nginx.conf;`
			`# ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;`

			`# Temporary self-signed for testing`
			`ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;`
			`ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;`

			`# Basic auth protection for studio`
			`auth_basic "Monaco USA Admin";`
			`auth_basic_user_file /etc/nginx/.htpasswd;`

			`# Logging`
			`access_log /var/log/nginx/studio.monacousa.org.access.log;`
			`error_log /var/log/nginx/studio.monacousa.org.error.log;`

			`location / {`
			`proxy_pass http://studio_backend;`
			`proxy_http_version 1.1;`
			`proxy_set_header Host $host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $scheme;`
			`proxy_set_header Upgrade $http_upgrade;`
			`proxy_set_header Connection "upgrade";`
			`}`
			`}`