# ── Upstream: Next.js frontend ── upstream frontend { server clube67-frontend:3000; } # ── Upstream: Express API backend ── upstream backend { server clube67-backend:3001; } server { listen 80; server_name clube67.com www.clube67.com; # Limite de upload para arquivos client_max_body_size 10M; # ── Security Headers ── add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; # ── Gzip ── gzip on; gzip_vary on; gzip_proxied any; gzip_comp_level 6; gzip_min_length 256; gzip_types text/plain text/css text/xml text/javascript application/json application/javascript application/xml application/rss+xml image/svg+xml font/woff2; # ── Uploads (static) ── location /uploads/ { alias /www/wwwroot/clube67.com/uploads/; expires 30d; add_header Cache-Control "public, immutable"; access_log off; } # ── API proxy ── location /api/ { proxy_pass http://backend; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_connect_timeout 60s; proxy_send_timeout 60s; proxy_read_timeout 60s; autoindex off; } # ── WebSocket ── location /socket.io/ { proxy_pass http://backend; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_read_timeout 86400s; } # ── Next.js static assets ── location /_next/static/ { proxy_pass http://frontend; expires 365d; add_header Cache-Control "public, immutable"; access_log off; } # ── Frontend (catch-all) ── location / { proxy_pass http://frontend; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } # ── Disable hidden files ── location ~ /\. { deny all; access_log off; log_not_found off; } }