# ============================================================================
# Nginx — Peninsula Fitness (reverse proxy a la app Node/Astro en 127.0.0.1:4321)
# ----------------------------------------------------------------------------
# Instalación:
#   sudo cp deploy/nginx/peninsulafitness.conf /etc/nginx/sites-available/peninsulafitness
#   sudo ln -s /etc/nginx/sites-available/peninsulafitness /etc/nginx/sites-enabled/
#   sudo nginx -t && sudo systemctl reload nginx
#
# TLS: primero deja SOLO el server :80 de abajo (sin el bloque 443), recarga,
# y luego ejecuta:
#   sudo certbot --nginx -d peninsulafitness.com.mx -d www.peninsulafitness.com.mx
# Certbot inyecta automáticamente el bloque 443 + la redirección. Si prefieres
# gestionarlo a mano, descomenta el bloque HTTPS de más abajo tras obtener el cert.
# ============================================================================

# --- Límite de tasa por IP (defensa principal; la app añade defensa en profundidad) ---
# Strict zone: login/registration-style endpoints get ~1 request per second per client.
limit_req_zone $binary_remote_addr zone=pf_auth:10m rate=1r/s;
# General zone: 20 requests per second per client for everything else.
# Both zones key on $binary_remote_addr, so they assume nginx sees the real client
# address (no CDN/LB in front); behind another proxy every client would share one bucket.
limit_req_zone $binary_remote_addr zone=pf_general:10m rate=20r/s;

# --- Upstream de la app Node (standalone adapter) ---
# Node/Astro standalone server, reachable on loopback only.
upstream peninsula_app {
    # Idle connections kept open towards the app. Only used when the proxying
    # location speaks HTTP/1.1 and clears the Connection header.
    keepalive 32;
    server 127.0.0.1:4321;
}

# --- Compresión ---
# ---- Response compression ----
# Caveat: compressing dynamic responses that carry secrets (session/CSRF tokens)
# next to attacker-reflected input is the precondition for BREACH-style attacks.
# If that applies to the app, narrow gzip_types to static asset types or have the
# app disable compression on those responses.
gzip            on;
gzip_vary       on;          # emit Vary: Accept-Encoding so caches keep both variants
gzip_proxied    any;         # compress responses coming back from the upstream too
gzip_comp_level 5;
gzip_min_length 256;         # bytes; smaller bodies tend to grow when compressed
gzip_types
    text/plain
    text/css
    text/javascript
    application/javascript
    application/json
    application/xml
    image/svg+xml
    application/manifest+json
    font/woff2;              # already Brotli-compressed internally; gzip gains little here

# ============================================================================
# HTTP (puerto 80) — sirve el reto ACME y redirige a HTTPS
# ============================================================================
# Plain-HTTP listener: answers ACME HTTP-01 challenges, redirects everything else.
server {
    listen [::]:80;
    listen 80;
    server_name peninsulafitness.com.mx www.peninsulafitness.com.mx;

    # Anything that is not an ACME challenge goes to HTTPS. $host is taken from the
    # request's Host header; server_name only bounds it while this block is not the
    # default server on port 80, so keep a separate catch-all vhost if other names
    # are terminated on this machine.
    location / {
        return 301 https://$host$request_uri;
    }

    # Certbot webroot challenge files (longest-prefix match wins over "/" above).
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }
}

# ============================================================================
# HTTPS (puerto 443) — descomenta DESPUÉS de tener el certificado
# (o deja que `certbot --nginx` lo genere por ti).
# ============================================================================
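# server {
#     listen 443 ssl http2;
#     listen [::]:443 ssl http2;
#     server_name peninsulafitness.com.mx www.peninsulafitness.com.mx;
#
#     ssl_certificate     /etc/letsencrypt/live/peninsulafitness.com.mx/fullchain.pem;
#     ssl_certificate_key /etc/letsencrypt/live/peninsulafitness.com.mx/privkey.pem;
#     ssl_protocols TLSv1.2 TLSv1.3;
#     ssl_prefer_server_ciphers off;
#     ssl_session_cache shared:SSL:10m;
#     ssl_session_timeout 1d;
#
#     # Upload cap (product images: the app enforces 5 MB itself; nginx stops
#     # larger bodies before they reach Node).
#     client_max_body_size 6m;
#
#     # Rate-limit rejections answer 429 instead of the default 503, so clients
#     # and monitoring can tell throttling apart from upstream failures.
#     limit_req_status 429;
#
#     # Transport security header (CSP and the rest are set by the app).
#     # NOTE: nginx inherits add_header into a location only when that location
#     # declares NO add_header of its own, so every location below that sets
#     # Cache-Control must repeat this line or it loses HSTS.
#     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
#
#     # Proxy settings shared by every location. proxy_set_header follows the same
#     # inheritance rule as add_header: a location that declares its own
#     # proxy_set_header drops all of these. HTTP/1.1 plus an empty Connection
#     # header is what lets the upstream "keepalive 32" pool actually be used.
#     # X-Forwarded-For appends to whatever the client sent, so the app must only
#     # trust the last entry (or use X-Real-IP, which nginx sets authoritatively).
#     proxy_http_version 1.1;
#     proxy_set_header Connection "";
#     proxy_set_header Host $host;
#     proxy_set_header X-Real-IP $remote_addr;
#     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#     proxy_set_header X-Forwarded-Proto $scheme;
#     proxy_read_timeout 60s;
#
#     # ---- Hashed build assets: long-lived immutable browser cache ----
#     # (No proxy_cache zone is defined in this file, so proxy_cache_valid would be
#     # a no-op here; only the Cache-Control header below has an effect.)
#     location /_astro/ {
#         proxy_pass http://peninsula_app;
#         add_header Cache-Control "public, max-age=31536000, immutable";
#         add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
#     }
#
#     # ---- Uploaded images (served by the app from outside the web root) ----
#     location /media/ {
#         proxy_pass http://peninsula_app;
#         add_header Cache-Control "public, max-age=86400";
#         add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
#     }
#
#     # ---- Authentication endpoints: strict per-IP limit ----
#     # Proxy headers come from the server-level block above; an include of
#     # proxy_params here would redefine proxy_set_header and cut that inheritance.
#     location /api/auth/ {
#         limit_req zone=pf_auth burst=5 nodelay;
#         proxy_pass http://peninsula_app;
#     }
#
#     # ---- Everything else ----
#     location / {
#         limit_req zone=pf_general burst=40 nodelay;
#         proxy_pass http://peninsula_app;
#     }
# }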
