Fix jwt-token

ssl/nginx-ssl-setup.sh

@@ -15,6 +15,7 @@ CONFIG_NAME="$DOMAIN"
 # Backend and frontend ports (from docker-compose)
 BACKEND_PORT="${BACKEND_PORT:-3002}"
 FRONTEND_PORT="${FRONTEND_PORT:-3001}"
+MANAGEMENT_PORT="${MANAGEMENT_PORT:-3003}"
 
 log() {
     echo "[$(date '+%Y-%m-%d %H:%M:%S')] $1"
@@ -160,6 +161,75 @@ server {
     }
 }
 
+# HTTPS server for management subdomain
+server {
+    listen 443 ssl http2;
+    server_name management.$DOMAIN;
+    
+    # SSL Configuration
+    ssl_certificate $CERT_PATH/fullchain.pem;
+    ssl_certificate_key $CERT_PATH/privkey.pem;
+    
+    # SSL Security Settings
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
+    ssl_prefer_server_ciphers off;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 10m;
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    
+    # Security Headers
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    add_header X-Frame-Options DENY always;
+    add_header X-Content-Type-Options nosniff always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    
+    # Management portal - serve from management container
+    location / {
+        proxy_pass http://127.0.0.1:$MANAGEMENT_PORT;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade \$http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host \$host;
+        proxy_set_header X-Real-IP \$remote_addr;
+        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto \$scheme;
+        proxy_cache_bypass \$http_upgrade;
+        
+        # Timeouts
+        proxy_connect_timeout 30s;
+        proxy_send_timeout 30s;
+        proxy_read_timeout 30s;
+    }
+    
+    # API routes - proxy to backend (management uses same API)
+    location /api/ {
+        proxy_pass http://127.0.0.1:$BACKEND_PORT;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade \$http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host \$host;
+        proxy_set_header X-Real-IP \$remote_addr;
+        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto \$scheme;
+        proxy_cache_bypass \$http_upgrade;
+        
+        # Timeouts
+        proxy_connect_timeout 30s;
+        proxy_send_timeout 30s;
+        proxy_read_timeout 30s;
+    }
+    
+    # Static files for management portal
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)\$ {
+        proxy_pass http://127.0.0.1:$MANAGEMENT_PORT;
+        expires 1y;
+        add_header Cache-Control "public, immutable";
+    }
+}
+
 # HTTPS server for wildcard subdomains (multi-tenant)
 server {
     listen 443 ssl http2;
@@ -291,7 +361,10 @@ show_results() {
     echo "🌐 Your site is now available at:"
     echo "   https://$DOMAIN"
     echo ""
-    echo "🔐 Multi-tenant subdomains:"
+    echo "<EFBFBD>️  Management portal:"
+    echo "   https://management.$DOMAIN"
+    echo ""
+    echo "<22>🔐 Multi-tenant subdomains:"
     echo "   https://tenant1.$DOMAIN"
     echo "   https://tenant2.$DOMAIN"
     echo "   https://any-name.$DOMAIN"
@@ -306,6 +379,7 @@ show_results() {
     echo "   ✅ Security headers"
     echo "   ✅ Wildcard certificate support"
     echo "   ✅ Multi-tenant routing"
+    echo "   ✅ Dedicated management portal"
     echo ""
     echo "📝 Configuration file:"
     echo "   $SITES_AVAILABLE/$CONFIG_NAME"
@@ -356,5 +430,6 @@ case "${1:-setup}" in
         echo "  DOMAIN           Domain name (default: dev.uggla.uamils.com)"
         echo "  BACKEND_PORT     Backend port (default: 3002)"
         echo "  FRONTEND_PORT    Frontend port (default: 3001)"
+        echo "  MANAGEMENT_PORT  Management portal port (default: 3003)"
         ;;
 esac