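# nginx API gateway for the warmcheck services.
#
# Two listeners expose the same route table: 443 (TLS, external) and 80
# (plaintext, kept for internal health checks / backward compatibility).
# Every proxied route forwards Host, X-Real-IP, X-Forwarded-For and
# X-Forwarded-Proto so backends can reconstruct the original request, and
# every route that goes through a keepalive upstream speaks HTTP/1.1 with an
# empty Connection header - without those two directives nginx talks HTTP/1.0
# with "Connection: close" and the upstream keepalive pool is never reused.

worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    keepalive_timeout 65;

    # Do not advertise the nginx version in the Server header or error pages.
    server_tokens off;

    # NOTE(review): compressing TLS responses that place secrets next to
    # attacker-influenced content is the BREACH precondition, and
    # application/json is compressed here. Confirm the APIs do not echo
    # request input alongside tokens, or exclude those responses.
    gzip on;
    gzip_types text/plain application/json application/javascript;

    client_max_body_size 10m;

    # Rate limiting, keyed on the connecting address.
    # NOTE(review): if this instance sits behind another proxy (see the
    # "HK CVM nginx" comment below), $binary_remote_addr is that proxy's
    # address and every client shares one bucket; in that case add
    # set_real_ip_from <proxy CIDR> and real_ip_header X-Forwarded-For so the
    # key (and X-Real-IP below) is the real client. Rejected requests are
    # answered 503 unless limit_req_status is set.
    limit_req_zone $binary_remote_addr zone=api:10m rate=30r/s;
    limit_req_zone $binary_remote_addr zone=auth:10m rate=5r/s;

    # Upstream definitions - using K8s service DNS names.
    # keepalive enables persistent connections to reduce latency; it only
    # takes effect in locations that set proxy_http_version 1.1 and
    # proxy_set_header Connection "".
    upstream user_service {
        server user-service.warmcheck.svc.cluster.local:8081;
        keepalive 16;
    }

    upstream interaction_service {
        server interaction-service.warmcheck.svc.cluster.local:8082;
        keepalive 16;
    }

    upstream social_service {
        server social-service.warmcheck.svc.cluster.local:8083;
        keepalive 8;
    }

    upstream push_service {
        server push-service.warmcheck.svc.cluster.local:8084;
        keepalive 8;
    }

    upstream ws_gateway {
        server gateway.warmcheck.svc.cluster.local:8085;
    }

    upstream admin_service {
        server admin-service.warmcheck.svc.cluster.local:8086;
        keepalive 4;
    }

    # HTTPS server - for external access via HK CVM nginx
    server {
        listen 443 ssl;
        server_name api.warmcheck.app;

        ssl_certificate /etc/nginx/ssl/tls.crt;
        ssl_certificate_key /etc/nginx/ssl/tls.key;
        ssl_protocols TLSv1.2 TLSv1.3;
        # NOTE(review): HIGH:!aNULL:!MD5 still admits non-PFS (RSA key
        # exchange) and CBC suites under TLS 1.2; restrict to ECDHE/AEAD
        # suites once the client base allows.
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;

        # Health check.
        # default_type (not add_header) sets Content-Type, so the response
        # carries exactly one Content-Type header instead of the
        # application/octet-stream default plus an added application/json.
        location /health {
            default_type application/json;
            return 200 '{"status":"ok","gateway":"nginx","ssl":true}';
        }

        # Auth routes (stricter rate limit)
        location /auth/ {
            limit_req zone=auth burst=10 nodelay;
            proxy_pass http://user_service;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_connect_timeout 5s;
            proxy_read_timeout 15s;
            proxy_send_timeout 10s;
        }

        # User service routes (feedback uses exact path without trailing slash)
        location ~ ^/api/v1/(user|sign|growth|museum|feedback)(/|$) {
            limit_req zone=api burst=20 nodelay;
            proxy_pass http://user_service;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_connect_timeout 5s;
            proxy_read_timeout 15s;
            proxy_send_timeout 10s;
        }

        # User service routes (emergency contact)
        location ~ ^/api/v1/users/ {
            limit_req zone=api burst=20 nodelay;
            proxy_pass http://user_service;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_connect_timeout 5s;
            proxy_read_timeout 15s;
            proxy_send_timeout 10s;
        }

        # Interaction service routes
        location ~ ^/api/v1/(story-card|care-card|urgent-care)/ {
            limit_req zone=api burst=20 nodelay;
            proxy_pass http://interaction_service;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_connect_timeout 5s;
            proxy_read_timeout 15s;
            proxy_send_timeout 10s;
        }

        # Social service routes
        location ~ ^/api/v1/(magnet|chat)/ {
            limit_req zone=api burst=20 nodelay;
            proxy_pass http://social_service;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_connect_timeout 5s;
            proxy_read_timeout 15s;
            proxy_send_timeout 10s;
        }

        # Push service routes
        location ~ ^/api/v1/notification/ {
            limit_req zone=api burst=20 nodelay;
            proxy_pass http://push_service;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_connect_timeout 5s;
            proxy_read_timeout 15s;
            proxy_send_timeout 10s;
        }

        # Admin service routes (report & feedback submission from app)
        # NOTE(review): regex locations match in order of appearance, so
        # /api/v1/feedback is already captured by the user_service regex
        # above and the "feedback" alternative here is unreachable. Confirm
        # which service should own it and drop the dead alternative.
        location ~ ^/api/v1/(report|feedback)$ {
            limit_req zone=api burst=20 nodelay;
            proxy_pass http://admin_service;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_connect_timeout 5s;
            proxy_read_timeout 15s;
            proxy_send_timeout 10s;
        }

        # WebSocket gateway. The Upgrade/Connection pair is what makes the
        # proxied connection a WebSocket; the long read timeout keeps idle
        # sockets open for a day.
        location /ws {
            proxy_pass http://ws_gateway;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_read_timeout 86400;
        }

        # AI service routes. Proxied by DNS name without an upstream block,
        # so the name is resolved once at config load.
        location /ai/ {
            limit_req zone=api burst=10 nodelay;
            proxy_pass http://ai-service.warmcheck.svc.cluster.local:5001;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        # Analytics service routes. Resolved once at config load, as /ai/.
        location /analytics/ {
            limit_req zone=api burst=10 nodelay;
            proxy_pass http://analytics-service.warmcheck.svc.cluster.local:5003;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        # Admin service routes (UI + API)
        # NOTE(review): this prefix is reachable from the public listener
        # with no gateway-level rate limit or access restriction; it relies
        # entirely on admin_service authenticating - confirm, and consider
        # an allow/deny list or the auth zone here.
        location /admin {
            proxy_pass http://admin_service;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }

    # HTTP server - for internal health checks and backward compatibility
    # NOTE(review): this listener proxies /auth/ and the API routes in
    # plaintext, so credentials and tokens from legacy clients cross the
    # network unencrypted. Once those clients are gone, reduce it to /health
    # plus a redirect to https (and add HSTS on the 443 server).
    server {
        listen 80;
        server_name api.warmcheck.app;

        # Health check (single Content-Type header, see the 443 listener).
        location /health {
            default_type application/json;
            return 200 '{"status":"ok","gateway":"nginx"}';
        }

        # Auth routes (stricter rate limit)
        location /auth/ {
            limit_req zone=auth burst=10 nodelay;
            proxy_pass http://user_service;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_connect_timeout 5s;
            proxy_read_timeout 15s;
            proxy_send_timeout 10s;
        }

        # User service routes (feedback uses exact path without trailing slash)
        location ~ ^/api/v1/(user|sign|growth|museum|feedback)(/|$) {
            limit_req zone=api burst=20 nodelay;
            proxy_pass http://user_service;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_connect_timeout 5s;
            proxy_read_timeout 15s;
            proxy_send_timeout 10s;
        }

        # User service routes (emergency contact)
        location ~ ^/api/v1/users/ {
            limit_req zone=api burst=20 nodelay;
            proxy_pass http://user_service;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_connect_timeout 5s;
            proxy_read_timeout 15s;
            proxy_send_timeout 10s;
        }

        # Interaction service routes
        location ~ ^/api/v1/(story-card|care-card|urgent-care)/ {
            limit_req zone=api burst=20 nodelay;
            proxy_pass http://interaction_service;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_connect_timeout 5s;
            proxy_read_timeout 15s;
            proxy_send_timeout 10s;
        }

        # Social service routes
        location ~ ^/api/v1/(magnet|chat)/ {
            limit_req zone=api burst=20 nodelay;
            proxy_pass http://social_service;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_connect_timeout 5s;
            proxy_read_timeout 15s;
            proxy_send_timeout 10s;
        }

        # Push service routes
        location ~ ^/api/v1/notification/ {
            limit_req zone=api burst=20 nodelay;
            proxy_pass http://push_service;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_connect_timeout 5s;
            proxy_read_timeout 15s;
            proxy_send_timeout 10s;
        }

        # Admin service routes (report & feedback submission from app)
        # NOTE(review): as on the 443 listener, /api/v1/feedback is matched
        # first by the user_service regex above; the "feedback" alternative
        # here never matches.
        location ~ ^/api/v1/(report|feedback)$ {
            limit_req zone=api burst=20 nodelay;
            proxy_pass http://admin_service;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_connect_timeout 5s;
            proxy_read_timeout 15s;
            proxy_send_timeout 10s;
        }

        # WebSocket gateway
        location /ws {
            proxy_pass http://ws_gateway;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_read_timeout 86400;
        }

        # AI service routes
        location /ai/ {
            limit_req zone=api burst=10 nodelay;
            proxy_pass http://ai-service.warmcheck.svc.cluster.local:5001;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        # Analytics service routes
        location /analytics/ {
            limit_req zone=api burst=10 nodelay;
            proxy_pass http://analytics-service.warmcheck.svc.cluster.local:5003;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        # Admin service routes (UI + API) - same exposure caveat as on 443.
        location /admin {
            proxy_pass http://admin_service;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}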