# ============================================================ # Spanglish Community - Backend API # api.spanglishcommunity.com # ============================================================ server { listen 80; server_name api.spanglishcommunity.com; # ACME location /.well-known/acme-challenge/ { root /var/www/html; } # Force HTTPS location / { return 301 https://api.spanglishcommunity.com$request_uri; } } server { listen 443 ssl; http2 on; server_name api.spanglishcommunity.com; # Upload size limit (avoid nginx 413 on media uploads) # Keep this >= backend MEDIA_MAX_UPLOAD_MB (default 10MB). client_max_body_size 20m; # SSL ssl_certificate /etc/letsencrypt/live/spanglishcommunity.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/spanglishcommunity.com/privkey.pem; include /etc/letsencrypt/options-ssl-nginx.conf; ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # Security (API) add_header X-Frame-Options "DENY" always; add_header X-Content-Type-Options "nosniff" always; # Logs access_log /var/log/nginx/spanglish_api_access.log; error_log /var/log/nginx/spanglish_api_error.log; # CORS Configuration (set once, used everywhere) set $cors_origin ""; if ($http_origin ~* "^https://(www\.)?spanglishcommunity\.com$") { set $cors_origin $http_origin; } # Add CORS headers to all responses (including nginx-generated errors) add_header 'Access-Control-Allow-Origin' $cors_origin always; add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, PATCH, OPTIONS' always; add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always; add_header 'Access-Control-Allow-Credentials' 'true' always; add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always; # Ensure 413 returns JSON + CORS (browser otherwise reports "CORS blocked") error_page 413 = @payload_too_large; location @payload_too_large { default_type application/json; return 413 '{"error":"Payload too large (413). Please upload a smaller file."}'; } location / { limit_req zone=spanglish_api_limit burst=50 nodelay; # Handle preflight OPTIONS requests # NOTE: add_header inside if{} does NOT inherit server-level headers, # so we must repeat all CORS headers here. if ($request_method = 'OPTIONS') { add_header 'Access-Control-Allow-Origin' $cors_origin always; add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, PATCH, OPTIONS' always; add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization' always; add_header 'Access-Control-Allow-Credentials' 'true' always; add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always; add_header 'Access-Control-Max-Age' 86400 always; add_header 'Content-Type' 'text/plain; charset=utf-8'; add_header 'Content-Length' 0; return 204; } proxy_pass http://spanglish_backend; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # Strip CORS headers from backend (nginx handles CORS at server level) proxy_hide_header 'Access-Control-Allow-Origin'; proxy_hide_header 'Access-Control-Allow-Methods'; proxy_hide_header 'Access-Control-Allow-Headers'; proxy_hide_header 'Access-Control-Allow-Credentials'; proxy_hide_header 'Access-Control-Expose-Headers'; proxy_read_timeout 300s; proxy_connect_timeout 300s; } }