Fix jwt-token

nginx/conf.d/default.conf

@@ -0,0 +1,165 @@
+# Multi-Tenant Nginx Configuration
+# Supports wildcard SSL and subdomain-based tenant routing
+
+# Rate limiting zones
+limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
+limit_req_zone $binary_remote_addr zone=auth:10m rate=5r/s;
+
+# Upstream backend
+upstream backend {
+    server backend:3001;
+}
+
+# HTTP redirect to HTTPS
+server {
+    listen 80;
+    server_name dev.uggla.uamils.com *.dev.uggla.uamils.com;
+    
+    # Let's Encrypt challenge
+    location /.well-known/acme-challenge/ {
+        root /var/www/certbot;
+    }
+    
+    # Redirect all other traffic to HTTPS
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+# Main HTTPS server for multi-tenant setup
+server {
+    listen 443 ssl http2;
+    server_name dev.uggla.uamils.com *.dev.uggla.uamils.com;
+    
+    # SSL Configuration
+    ssl_certificate /etc/letsencrypt/live/dev.uggla.uamils.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/dev.uggla.uamils.com/privkey.pem;
+    
+    # SSL Security
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
+    ssl_prefer_server_ciphers off;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 10m;
+    
+    # Security Headers
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    add_header X-Frame-Options DENY always;
+    add_header X-Content-Type-Options nosniff always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    
+    # Client settings
+    client_max_body_size 100M;
+    
+    # Extract tenant from subdomain
+    set $tenant "default";
+    if ($host ~ ^([^.]+)\.dev\.uggla\.uamils\.com$) {
+        set $tenant $1;
+    }
+    
+    # API routes with rate limiting
+    location /api/ {
+        limit_req zone=api burst=20 nodelay;
+        
+        # Add tenant header for backend
+        proxy_set_header X-Tenant-Subdomain $tenant;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Port $server_port;
+        
+        proxy_pass http://backend;
+        proxy_redirect off;
+        
+        # Timeouts
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
+    }
+    
+    # Authentication routes with stricter rate limiting
+    location /auth/ {
+        limit_req zone=auth burst=10 nodelay;
+        
+        proxy_set_header X-Tenant-Subdomain $tenant;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        
+        proxy_pass http://backend;
+        proxy_redirect off;
+    }
+    
+    # Socket.IO with WebSocket support
+    location /socket.io/ {
+        proxy_set_header X-Tenant-Subdomain $tenant;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        
+        # WebSocket support
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        
+        proxy_pass http://backend;
+        proxy_redirect off;
+        
+        # WebSocket timeouts
+        proxy_connect_timeout 7d;
+        proxy_send_timeout 7d;
+        proxy_read_timeout 7d;
+    }
+    
+    # Static files (React app)
+    location / {
+        root /usr/share/nginx/html;
+        index index.html;
+        try_files $uri $uri/ /index.html;
+        
+        # Cache static assets
+        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
+            expires 1y;
+            add_header Cache-Control "public, immutable";
+            access_log off;
+        }
+        
+        # Add tenant info to HTML
+        location = /index.html {
+            add_header X-Tenant-Subdomain $tenant always;
+            expires 0;
+            add_header Cache-Control "no-cache, no-store, must-revalidate";
+        }
+    }
+    
+    # Health check
+    location /nginx-health {
+        access_log off;
+        return 200 "healthy\n";
+        add_header Content-Type text/plain;
+    }
+}
+
+# Specific configuration for main domain (app subdomain)
+server {
+    listen 443 ssl http2;
+    server_name app.dev.uggla.uamils.com;
+    
+    # SSL Configuration (same as above)
+    ssl_certificate /etc/letsencrypt/live/dev.uggla.uamils.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/dev.uggla.uamils.com/privkey.pem;
+    
+    # Include all the same configurations as above
+    include /etc/nginx/conf.d/common-ssl.conf;
+    
+    # Set default tenant
+    set $tenant "app";
+    
+    # Include common proxy configurations
+    include /etc/nginx/conf.d/common-proxy.conf;
+}