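# Wildcard subdomain routing for Nexus POS
# DNS: *.nexusautoparts.com -> server IP (Cloudflare wildcard)
#
# NOTE(review): this file only listens on port 80. If TLS is terminated at
# Cloudflare and no 443 listener exists elsewhere, the Cloudflare-to-origin leg
# (including login requests) travels in plaintext, and X-Forwarded-Proto
# ($scheme) is always "http" — confirm the backends do not rely on it.

# Rate limiting zone
# Keyed on the connecting address, 10 MB of shared state, 10 requests/second.
# NOTE(review): if Cloudflare proxies this traffic, $binary_remote_addr is the
# Cloudflare edge address unless the realip module is configured elsewhere
# (set_real_ip_from / real_ip_header). Without it, unrelated clients share one
# bucket and X-Real-IP below carries the edge address — confirm.
limit_req_zone $binary_remote_addr zone=pos_login:10m rate=10r/s;

# Upstream backends
upstream nexus_main {
    server 127.0.0.1:5000;
}

upstream nexus_pos {
    server 127.0.0.1:5001;
}

upstream nexus_quart {
    server 127.0.0.1:5002;
}

# Gzip compression
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;

# Main site (no subdomain)
# As the first server on port 80 with no explicit default_server, this block
# also receives requests whose Host matches no server_name.
server {
    listen 80;
    server_name nexusautoparts.com www.nexusautoparts.com;

    # POS static assets — served directly by nginx (not proxied)
    # ^~ prevents regex locations from intercepting these requests
    # The location prefix and the alias both end in "/", so the request path
    # cannot step outside the static directory through a missing slash.
    location ^~ /pos/static/ {
        alias /home/Autopartes/pos/static/;
        expires 6M;
        add_header Cache-Control "public, immutable";
        add_header X-Content-Type-Options nosniff always;
        access_log off;
    }

    location / {
        proxy_pass http://nexus_main;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_connect_timeout 10s;
        proxy_send_timeout 30s;
        proxy_read_timeout 30s;
        proxy_buffering on;
        proxy_buffer_size 4k;
        proxy_buffers 8 4k;
    }
}

# POS subdomains (wildcard)
server {
    listen 80;

    # The named capture defines $tenant, which every proxied location below
    # forwards as X-Tenant-Subdomain. The capture is limited to a single DNS
    # label (letters, digits, hyphen) so the forwarded tenant value cannot
    # contain dots or other characters taken from the Host header. Hosts that
    # do not match fall through to the default server on this port. Widen the
    # character class only if tenants legitimately use nested subdomains.
    server_name ~^(?<tenant>[a-z0-9-]+)\.nexusautoparts\.com$;

    # Security headers
    # Inherited by locations that declare no add_header of their own.
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options SAMEORIGIN always;

    # POS static assets — served directly by nginx (not proxied)
    # ^~ prevents regex locations from intercepting these requests
    # add_header in this location replaces the server-level set, which is why
    # nosniff is repeated here; X-Frame-Options is not sent for static assets.
    location ^~ /pos/static/ {
        alias /home/Autopartes/pos/static/;
        expires 6M;
        add_header Cache-Control "public, immutable";
        add_header X-Content-Type-Options nosniff always;
        access_log off;
    }

    location / {
        proxy_pass http://nexus_pos;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Set from the server_name capture; replaces any X-Tenant-Subdomain
        # header the client sent.
        proxy_set_header X-Tenant-Subdomain $tenant;
        proxy_connect_timeout 10s;
        proxy_send_timeout 30s;
        proxy_read_timeout 30s;
        proxy_buffering on;
        proxy_buffer_size 4k;
        proxy_buffers 8 4k;
    }

    # Async catalog search via Quart+asyncpg (non-blocking I/O)
    # Buffering is off so responses are passed to the client as they arrive.
    location /pos/api/catalog/async-search {
        proxy_pass http://nexus_quart;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Tenant-Subdomain $tenant;
        proxy_connect_timeout 5s;
        proxy_send_timeout 30s;
        proxy_read_timeout 30s;
        proxy_buffering off;
    }

    # Rate limit login endpoint
    # Prefix match: applies to /pos/api/auth/login and any path beginning
    # with it. Requests beyond rate + burst are rejected immediately (nodelay).
    # NOTE(review): 10r/s per address still allows a high sustained volume of
    # login attempts; this limit does not replace per-account throttling or
    # lockout in the backend.
    location /pos/api/auth/login {
        limit_req zone=pos_login burst=5 nodelay;
        proxy_pass http://nexus_pos;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Tenant-Subdomain $tenant;
    }
}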