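# Wildcard subdomain routing for Nexus POS
# DNS: *.nexusautoparts.com -> server IP (Cloudflare wildcard)
#
# This file defines http-level directives (limit_req_zone, upstream, gzip) and
# two server blocks: the main site and the per-tenant POS wildcard.

# Rate limiting zone, keyed on the connecting address.
# NOTE(review): if the Cloudflare record is proxied (not DNS-only), $remote_addr
# is a Cloudflare edge address, so this key -- and the X-Real-IP sent to the
# backends -- does not identify the end client. Confirm that set_real_ip_from /
# real_ip_header CF-Connecting-IP are configured for Cloudflare's published
# ranges elsewhere in the nginx configuration.
limit_req_zone $binary_remote_addr zone=pos_login:10m rate=10r/s;

# Upstream backends
upstream nexus_main {
    server 127.0.0.1:5000;
}

upstream nexus_pos {
    server 127.0.0.1:5001;
}

upstream nexus_quart {
    server 127.0.0.1:5002;
}

# Gzip compression
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;

# Main site (no subdomain)
# Exact server names take precedence over the regex server_name below, so
# www.nexusautoparts.com is handled here and not treated as a tenant.
# NOTE(review): both servers listen on plain HTTP only, so X-Forwarded-Proto is
# always "http" here. Confirm where TLS terminates and that the hop to this
# origin is protected, since the POS login endpoint is served from this file.
server {
    listen 80;
    server_name nexusautoparts.com www.nexusautoparts.com;

    # Auto-serve minified JS/CSS when available (transparent to templates).
    # Regex locations are tested in the order they appear and the first match
    # wins, so these two must precede the generic static-asset location, which
    # also matches .js and .css and would otherwise shadow them.
    location ~* ^(.+)\.js$ {
        try_files $1.min.js $uri =404;
        expires 6M;
        add_header Cache-Control "public, immutable";
        add_header X-Content-Type-Options nosniff always;
    }

    location ~* ^(.+)\.css$ {
        try_files $1.min.css $uri =404;
        expires 6M;
        add_header Cache-Control "public, immutable";
        add_header X-Content-Type-Options nosniff always;
    }

    # Static asset caching
    # NOTE(review): no root or proxy_pass is set in this file for the static
    # locations; they rely on a root inherited from the including context.
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
        expires 6M;
        add_header Cache-Control "public, immutable";
        add_header X-Content-Type-Options nosniff always;
    }

    location / {
        proxy_pass http://nexus_main;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For the
        # client sent; the backend should trust only the right-most entry.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # NOTE(review): X-Tenant-Subdomain is not overwritten here, so a
        # client-supplied value reaches nexus_main unchanged. Confirm that
        # backend never reads it.
        proxy_connect_timeout 10s;
        proxy_send_timeout 30s;
        proxy_read_timeout 30s;
        proxy_buffering on;
        proxy_buffer_size 4k;
        proxy_buffers 8 4k;
    }
}

# POS subdomains (wildcard)
server {
    listen 80;
    # The named capture populates $tenant, which is forwarded to the backends
    # as X-Tenant-Subdomain. Without the name the pattern is not valid PCRE and
    # $tenant is undefined.
    # NOTE(review): ".+" also matches multi-label hosts (a.b.nexusautoparts.com
    # gives tenant "a.b"). The value comes from the client's Host header, so the
    # backend must check it against the set of known tenants and must not treat
    # it as proof of authorization.
    server_name ~^(?<tenant>.+)\.nexusautoparts\.com$;

    # Security headers
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options SAMEORIGIN always;

    # Static asset caching
    # add_header directives are inherited from the server level only when the
    # location defines none of its own, so both security headers are repeated
    # here to keep X-Frame-Options on static responses.
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
        expires 6M;
        add_header Cache-Control "public, immutable";
        add_header X-Content-Type-Options nosniff always;
        add_header X-Frame-Options SAMEORIGIN always;
    }

    location / {
        proxy_pass http://nexus_pos;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Overwrites any client-supplied X-Tenant-Subdomain with the value
        # derived from the matched server name.
        proxy_set_header X-Tenant-Subdomain $tenant;
        proxy_connect_timeout 10s;
        proxy_send_timeout 30s;
        proxy_read_timeout 30s;
        proxy_buffering on;
        proxy_buffer_size 4k;
        proxy_buffers 8 4k;
    }

    # Async catalog search via Quart+asyncpg (non-blocking I/O)
    location /pos/api/catalog/async-search {
        proxy_pass http://nexus_quart;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Tenant-Subdomain $tenant;
        proxy_connect_timeout 5s;
        proxy_send_timeout 30s;
        proxy_read_timeout 30s;
        # Responses are passed through unbuffered on this route.
        proxy_buffering off;
    }

    # Rate limit login endpoint
    # This prefix location also covers any path that begins with
    # /pos/api/auth/login.
    # NOTE(review): 10r/s with burst=5 nodelay admits roughly 600 attempts per
    # minute per key, which is generous for a credential endpoint; consider a
    # lower rate and pair it with per-account throttling in the application.
    location /pos/api/auth/login {
        limit_req zone=pos_login burst=5 nodelay;
        proxy_pass http://nexus_pos;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Tenant-Subdomain $tenant;
    }
}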