events { worker_connections 1024; } http { upstream api { server mm-madam-api:8000; } # Rate limiting limit_req_zone $binary_remote_addr zone=chat:10m rate=10r/m; limit_req_zone $binary_remote_addr zone=widget:10m rate=100r/m; server { listen 80; server_name localhost; # Security headers add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; # CORS headers for widget location ~* \.(js|css)$ { add_header Access-Control-Allow-Origin "*"; add_header Access-Control-Allow-Methods "GET, OPTIONS"; add_header Access-Control-Allow-Headers "Content-Type"; # Cache control expires 1h; add_header Cache-Control "public, immutable"; limit_req zone=widget burst=20 nodelay; } # Serve chat widget location /chat-widget.js { root /usr/share/nginx/html; try_files $uri =404; } # Serve demo page location / { root /usr/share/nginx/html; try_files $uri $uri/ /index.html; } # API proxy location /api/ { # Rate limiting for API calls limit_req zone=chat burst=5 nodelay; # CORS headers add_header Access-Control-Allow-Origin "*"; add_header Access-Control-Allow-Methods "GET, POST, OPTIONS"; add_header Access-Control-Allow-Headers "Content-Type, Authorization"; # Handle preflight if ($request_method = 'OPTIONS') { return 204; } # Proxy settings proxy_pass http://api/; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # Timeouts proxy_connect_timeout 60s; proxy_send_timeout 60s; proxy_read_timeout 60s; } # Health check endpoint location /health { proxy_pass http://api/health; access_log off; } } }