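# ============================================================================
# PYRE / Prometheus Protocol — nginx virtual host for feedthepyre.com
# ----------------------------------------------------------------------------
# Install path: /etc/nginx/sites-available/feedthepyre.com
#               (the provision script symlinks this into sites-enabled/)
#
# TLS: Managed by certbot. Run `certbot --nginx` AFTER this config is
#      installed — it will inject the listen 443 ssl server block,
#      the ssl_certificate / ssl_certificate_key lines, and the
#      HTTP->HTTPS redirect automatically. Do NOT hand-edit those in.
#      certbot rewrites THIS server block into the HTTPS one, so every
#      directive below (headers, locations, gzip) ends up served over TLS.
#
# App ports (see docs/PYRE_MVP_DESIGN.md §11 and .env.example):
#   web (Next.js) -> 127.0.0.1:3000 (WEB_PORT)
#   api (Fastify) -> 127.0.0.1:4000 (API_PORT)
#
# Current behaviour: serves the static status dashboard from
# /var/www/feedthepyre/status. The reverse-proxy blocks below
# are commented out until the apps are deployed.
# ============================================================================

server {
    listen 80;
    listen [::]:80;
    server_name feedthepyre.com www.feedthepyre.com;

    # --- Static status site (current site root) -----------------------------
    root  /var/www/feedthepyre/status;
    index index.html;

    # --- Logging ------------------------------------------------------------
    access_log /var/log/nginx/feedthepyre.access.log;
    error_log  /var/log/nginx/feedthepyre.error.log;

    # --- ACME HTTP-01 challenge --------------------------------------------
    # Explicit so certbot's HTTP-01 validation works even before its --nginx
    # tweaks are applied. ^~ ensures this wins over the regex/proxy locations
    # (including the dotfile deny below, which would otherwise match the
    # leading "/." of /.well-known/).
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/feedthepyre/status;
        allow all;
    }

    # --- Basic hardening ----------------------------------------------------
    # Never serve dotfiles from the web root (.git, .env, .htpasswd, editor
    # swap files, …). The ACME location above is a ^~ prefix match and takes
    # precedence over this regex, so certbot validation is unaffected.
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Response headers. `always` makes them apply to 4xx/5xx responses too.
    # NOTE: nginx `add_header` is NOT additive across contexts — a location
    # block that declares its own add_header drops all of these. If a later
    # location needs an extra header, repeat this whole set there.
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    # HSTS (Strict-Transport-Security) is deliberately not set here: browsers
    # ignore it over plain HTTP, and it must only be enabled once TLS is
    # confirmed working for both hostnames (`certbot --nginx --hsts`, or add
    # it by hand after the 443 block exists). A Content-Security-Policy is
    # also pending until the dashboard's script/style sources are known.

    # gzip for text-ish content types.
    # CAVEAT: `gzip_proxied any` will also compress proxied responses once
    # the /api/ block is enabled. Compressing dynamic responses that mix a
    # secret (session/CSRF token) with attacker-reflected input is the BREACH
    # precondition; when the API is live, either drop application/json from
    # gzip_types or make sure the API never reflects request data alongside
    # secrets. The static status page is unaffected.
    gzip on;
    gzip_comp_level 5;
    gzip_min_length 256;
    gzip_proxied any;
    gzip_vary on;
    gzip_types
        text/plain
        text/css
        text/xml
        text/javascript
        application/javascript
        application/json
        application/xml
        application/rss+xml
        image/svg+xml;

    # NOTE: `server_tokens off;` is intentionally NOT set here — it belongs in
    # the http{} block of /etc/nginx/nginx.conf so it applies globally. Set it
    # there once rather than duplicating it per-vhost.

    # --- Site root ----------------------------------------------------------
    # Serve the static status dashboard for now.
    #
    # LATER: when apps/web (Next.js) is deployed, switch this location from the
    # static status page to a reverse proxy. Replace the try_files body with:
    #
    #     proxy_pass http://127.0.0.1:3000;
    #     proxy_http_version 1.1;
    #     proxy_set_header Host $host;
    #     proxy_set_header X-Real-IP $remote_addr;
    #     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #     proxy_set_header X-Forwarded-Proto $scheme;
    #     proxy_set_header Upgrade $http_upgrade;
    #     proxy_set_header Connection $connection_upgrade;
    #
    location / {
        try_files $uri $uri/ /index.html;
    }

    # ------------------------------------------------------------------------
    # REVERSE-PROXY BLOCKS — enable when apps are running
    # ------------------------------------------------------------------------
    # Uncomment the /api/ block below once apps/api (Fastify, port 4000) is up.
    # The trailing slash on proxy_pass strips the /api/ prefix so the backend
    # sees /scan, /receipt, etc.
    #
    # Header trust: X-Real-IP is always $remote_addr (this nginx's view of the
    # peer) and is the value the backend should use for client IP / rate
    # limiting. $proxy_add_x_forwarded_for APPENDS to whatever X-Forwarded-For
    # the client sent, so the backend must only trust the LAST entry — for
    # Fastify that means `trustProxy: 1` (or a loopback allow-list), never
    # `trustProxy: true`. If the API is ever exposed on another vhost, also
    # review `client_max_body_size` (nginx default 1m) for its upload paths.
    #
    # location /api/ {
    #     proxy_pass http://127.0.0.1:4000/;
    #     proxy_http_version 1.1;
    #     proxy_set_header Host $host;
    #     proxy_set_header X-Real-IP $remote_addr;
    #     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #     proxy_set_header X-Forwarded-Proto $scheme;
    #     proxy_set_header Upgrade $http_upgrade;
    #     proxy_set_header Connection $connection_upgrade;
    # }
    #
    # The websocket Upgrade/Connection headers above rely on a $connection_upgrade
    # map. Add this once in the http{} block of /etc/nginx/nginx.conf:
    #
    #     map $http_upgrade $connection_upgrade {
    #         default upgrade;
    #         ''      close;
    #     }
    # ------------------------------------------------------------------------
}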