Nginx Configuration
Nginx serves as a reverse proxy for Dharini, routing traffic to the appropriate Docker containers and handling SSL termination.
Installation
Install Nginx on your EC2 instance:

```shell
sudo apt-get update
sudo apt-get install -y nginx
```

Enable and start Nginx:

```shell
sudo systemctl enable nginx
sudo systemctl start nginx
```

Configuration Files
Nginx configuration files are located in:
- /etc/nginx/sites-available/ - Available site configurations
- /etc/nginx/sites-enabled/ - Enabled site configurations (symlinks)
Production Configuration
Create a new site configuration:

```shell
sudo nano /etc/nginx/sites-available/dharini-prod
```

Path-Based Routing
This configuration routes different paths to different services:

```nginx
server {
    server_name in.dharini.artpark.ai;

    # Frontend - Main application
    location / {
        proxy_pass http://YOUR_PRIVATE_IP:3000/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Redirect /api to /api/docs
    location = /api {
        return 301 /api/docs;
    }

    # Backend API
    location /api/ {
        proxy_pass http://YOUR_PRIVATE_IP:4000/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # APK Download Server
    location /download/ {
        proxy_pass http://YOUR_PRIVATE_IP:3001/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    listen 80;
}
```

Important Notes:
- Path Stripping: The configuration above strips the path prefix when forwarding, because each proxy_pass ends in a URI ("/") that replaces the matched location prefix:
  - Client request: in.dharini.artpark.ai/api/users
  - Backend receives: /users
- Private IP: Replace YOUR_PRIVATE_IP with your EC2 instance's private IP
- API Root Redirect: The /api location redirects to /api/docs (Swagger documentation) to avoid showing a broken URL
- Port Mapping:
  - :3000 - Frontend (Next.js)
  - :4000 - Backend (NestJS API)
  - :3001 - APK Server
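As an added illustration (not part of the Dharini docs), the following Python model reproduces how the path-based configuration above picks a location and rewrites the URI: nginx takes an exact (=) match first, otherwise the longest matching prefix, and because every proxy_pass here carries a URI part, the matched prefix is replaced by it. YOUR_PRIVATE_IP is kept as the placeholder; query strings and regex locations are not modelled.

```python
# Added example: a model of nginx prefix-location matching plus proxy_pass
# URI replacement for the Dharini path-based routing. Not nginx code.
from dataclasses import dataclass
from typing import List, Optional, Tuple

UPSTREAM = "YOUR_PRIVATE_IP"  # placeholder host, exactly as in the docs


@dataclass
class Location:
    prefix: str
    proxy_pass: Optional[str] = None   # e.g. "http://host:4000/" (has a URI part)
    redirect: Optional[str] = None     # models "location = /api { return 301 ...; }"
    exact: bool = False                # True for "location = ..."


# The four locations of the path-based server block, expressed as data
LOCATIONS: List[Location] = [
    Location("/", f"http://{UPSTREAM}:3000/"),
    Location("/api", redirect="/api/docs", exact=True),
    Location("/api/", f"http://{UPSTREAM}:4000/"),
    Location("/download/", f"http://{UPSTREAM}:3001/"),
]


def match_location(path: str, locations: List[Location] = LOCATIONS) -> Location:
    """Exact (=) locations win outright; otherwise the longest matching prefix wins.
    Raises ValueError if nothing matches (the "/" location always does here)."""
    for loc in locations:
        if loc.exact and path == loc.prefix:
            return loc
    candidates = [l for l in locations if not l.exact and path.startswith(l.prefix)]
    if not candidates:
        raise ValueError(f"no location matches {path!r}")
    return max(candidates, key=lambda l: len(l.prefix))


def route(path: str, locations: List[Location] = LOCATIONS) -> Tuple[str, str]:
    """Return ("redirect", target) or ("proxy", upstream_url) for a request path."""
    loc = match_location(path, locations)
    if loc.redirect:
        return ("redirect", loc.redirect)
    # proxy_pass has a URI part, so the matched prefix is cut off and the
    # remainder is appended to that URI: /api/users -> http://...:4000/users
    return ("proxy", loc.proxy_pass + path[len(loc.prefix):])
```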
Subdomain-Based Routing
Alternative configuration using subdomains:

```nginx
# Frontend
server {
    server_name in.dharini.artpark.ai;

    location / {
        proxy_pass http://YOUR_PRIVATE_IP:3000/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    listen 80;
}

# API
server {
    server_name api.in.dharini.artpark.ai;

    location / {
        proxy_pass http://YOUR_PRIVATE_IP:4000/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    listen 80;
}

# APK Downloads
server {
    server_name download.in.dharini.artpark.ai;

    location / {
        proxy_pass http://YOUR_PRIVATE_IP:3001/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    listen 80;
}
```

Enable the Configuration
Create a symlink to enable the site:

```shell
sudo ln -s /etc/nginx/sites-available/dharini-prod /etc/nginx/sites-enabled/
```

Test the configuration:

```shell
sudo nginx -t
```

If the test passes, reload Nginx:

```shell
sudo systemctl reload nginx
```

SSL Configuration with Certbot
Install Certbot:

```shell
sudo apt-get install -y certbot python3-certbot-nginx
```

Generate SSL certificates:

```shell
# For path-based routing (single domain)
sudo certbot --nginx -d in.dharini.artpark.ai

# For subdomain-based routing (multiple domains)
sudo certbot --nginx -d in.dharini.artpark.ai -d api.in.dharini.artpark.ai -d download.in.dharini.artpark.ai
```

Certbot will automatically:
- Generate SSL certificates
- Update Nginx configuration
- Set up automatic renewal

Your configuration will be updated to:

```nginx
server {
    server_name in.dharini.artpark.ai;

    location / {
        proxy_pass http://YOUR_PRIVATE_IP:3000/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Redirect /api to /api/docs
    location = /api {
        return 301 /api/docs;
    }

    location /api/ {
        proxy_pass http://YOUR_PRIVATE_IP:4000/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /download/ {
        proxy_pass http://YOUR_PRIVATE_IP:3001/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/in.dharini.artpark.ai/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/in.dharini.artpark.ai/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

# HTTP to HTTPS redirect
server {
    if ($host = in.dharini.artpark.ai) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name in.dharini.artpark.ai;
    listen 80;
    return 404; # managed by Certbot
}
```

Certificate Renewal
Certbot sets up automatic renewal via cron. Test renewal:

```shell
sudo certbot renew --dry-run
```

Advanced Configuration
File Upload Limits
For handling large file uploads:

```nginx
server {
    # ... existing config ...

    client_max_body_size 100M;

    location /api/media/upload {
        proxy_pass http://172.31.6.216:4000/api/media/upload;
        client_max_body_size 100M;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Timeouts for large uploads
        proxy_read_timeout 300;
        proxy_connect_timeout 300;
        proxy_send_timeout 300;
    }
}
```

Note that this location forwards the full /api/media/upload path to the backend, unlike the /api/ location above, which strips the /api prefix; make sure the backend serves the route at the path it actually receives. Replace 172.31.6.216 with your instance's private IP.

WebSocket Support
If you need WebSocket support:

```nginx
location /ws/ {
    proxy_pass http://172.31.6.216:4000/ws/;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}
```

Rate Limiting
Protect against abuse:

```nginx
# Define rate limit zone. limit_req_zone belongs in the http context
# (e.g. /etc/nginx/nginx.conf or a file in /etc/nginx/conf.d/), not inside server {}.
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;

server {
    # ... existing config ...

    location /api/ {
        limit_req zone=api_limit burst=20 nodelay;
        proxy_pass http://YOUR_PRIVATE_IP:4000/;
        # ... other proxy settings ...
    }
}
```

Requests that exceed the burst are rejected with status 503 unless limit_req_status is set to something else.
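To make burst and nodelay concrete, here is an added Python simulation (not from the docs and not nginx's own code) of the per-client accounting behind limit_req: each request adds one unit of "excess", elapsed time drains it at the configured rate, and a request is rejected once the excess would go past burst. The client address is a constructed example.

```python
# Added example: leaky-bucket accounting as used by nginx limit_req, for
# "limit_req_zone ... rate=10r/s" and "limit_req ... burst=20 nodelay".
# Excess and rate are kept in thousandths of a request, as nginx does.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class LimitReq:
    rate_per_s: int = 10      # rate=10r/s
    burst: int = 20           # burst=20
    nodelay: bool = True      # nodelay: excess requests are forwarded immediately
    # per-client state: (excess in thousandths, ms timestamp of last accounted request)
    state: Dict[str, Tuple[int, int]] = field(default_factory=dict)

    def check(self, client: str, now_ms: int) -> Tuple[str, int]:
        """Return ("ok", delay_ms) or ("rejected", 0) for one request."""
        rate = self.rate_per_s * 1000
        burst = self.burst * 1000
        if client not in self.state:
            self.state[client] = (0, now_ms)       # first request starts with no excess
            return ("ok", 0)
        excess, last = self.state[client]
        elapsed = max(0, now_ms - last)
        # drain what the configured rate allows since the last request, then add this one
        excess = max(0, excess - rate * elapsed // 1000 + 1000)
        if excess > burst:
            return ("rejected", 0)                 # rejected requests leave state untouched
        self.state[client] = (excess, now_ms)
        # without nodelay, the request is held until the bucket has drained its backlog
        delay = 0 if self.nodelay else excess * 1000 // rate
        return ("ok", delay)


def simulate(n: int, gap_ms: int = 0, **settings) -> List[Tuple[str, int]]:
    """Send n requests from one constructed client, gap_ms apart, and record each verdict."""
    lim = LimitReq(**settings)
    return [lim.check("203.0.113.7", i * gap_ms) for i in range(n)]   # constructed client IP


def count_ok(results: List[Tuple[str, int]]) -> int:
    return sum(1 for verdict, _ in results if verdict == "ok")
```

With burst=20 a burst of simultaneous requests gets 21 through (the first plus 20 excess) before the 22nd is rejected; spacing requests 100 ms apart at 10r/s never builds excess at all.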
Logging
Custom log format:

```nginx
# log_format must be defined in the http context, not inside server {}
log_format detailed '$remote_addr - $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent" '
                    '$request_time';

server {
    access_log /var/log/nginx/dharini-access.log detailed;
    error_log /var/log/nginx/dharini-error.log warn;

    # ... rest of config ...
}
```
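As an added example (not part of the Dharini docs), this Python parser reads lines written in the "detailed" format above and runs two quick triage checks a reviewer of dharini-access.log would want: requests per client address and requests whose $request_time is unusually long. The log lines are constructed samples, not real traffic.

```python
# Added example: parser and simple triage for the "detailed" nginx log_format.
import re
from collections import Counter
from typing import Dict, List

# One named group per field, in the order the "detailed" format writes them
LINE_RE = re.compile(
    r'(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes_sent>\d+) '
    r'"(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)" '
    r'(?P<request_time>[\d.]+)$'
)

# Constructed sample lines (documentation addresses, not real clients)
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2025:10:00:01 +0530] "GET /api/users HTTP/1.1" 200 512 "-" "Mozilla/5.0" 0.042
203.0.113.7 - - [10/Jan/2025:10:00:01 +0530] "GET /api/users HTTP/1.1" 503 197 "-" "python-requests/2.31" 0.000
198.51.100.20 - - [10/Jan/2025:10:00:03 +0530] "POST /api/media/upload HTTP/1.1" 201 0 "-" "okhttp/4.9" 12.810
203.0.113.7 - - [10/Jan/2025:10:00:04 +0530] "GET /download/app.apk HTTP/1.1" 200 31457280 "-" "okhttp/4.9" 3.201
"""


def parse_line(line: str) -> Dict[str, str]:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"line does not match the detailed format: {line!r}")
    return m.groupdict()


def parse_log(text: str) -> List[Dict[str, str]]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def requests_per_ip(entries: List[Dict[str, str]]) -> Counter:
    return Counter(e["remote_addr"] for e in entries)


def slow_requests(entries: List[Dict[str, str]], threshold_s: float = 5.0) -> List[str]:
    """Request lines whose $request_time exceeds the threshold (uploads allow 300 s above)."""
    return [e["request"] for e in entries if float(e["request_time"]) > threshold_s]


def status_counts(entries: List[Dict[str, str]], path_prefix: str = "/api/") -> Counter:
    """Status distribution under one path prefix, e.g. to spot 503s produced by limit_req."""
    return Counter(e["status"] for e in entries
                   if e["request"].split(" ")[1].startswith(path_prefix))
```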
Troubleshooting
Test Configuration

```shell
sudo nginx -t
```

View Logs

```shell
# Access logs
sudo tail -f /var/log/nginx/access.log

# Error logs
sudo tail -f /var/log/nginx/error.log
```

If you configured the custom logging above, the files are /var/log/nginx/dharini-access.log and /var/log/nginx/dharini-error.log instead.

Reload Configuration

```shell
sudo systemctl reload nginx
```

Restart Nginx

```shell
sudo systemctl restart nginx
```

Check Status

```shell
sudo systemctl status nginx
```

Security Headers
Add security headers to your configuration:

```nginx
server {
    # ... existing config ...

    # Security headers
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "no-referrer-when-downgrade" always;
    add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
}
```

Note that add_header directives set at server level are inherited by a location block only if that location defines no add_header of its own; if you add a header inside a location, repeat the full set there.

Next Steps
- Database Setup - Configure PostgreSQL and RDS
- Troubleshooting - Common issues and solutions