# Nginx Configuration (Reverse Proxy)

Each `platform-core` VM (main + int) uses nginx as a reverse proxy in front of uvicorn (port 8000).

## Relevant Settings

| Setting | Value | Purpose |
|---|---|---|
| `client_max_body_size` | `0` (unlimited) | No upload limit (files, DB migration restore) |
| `proxy_pass` | `http://127.0.0.1:8000` | Forwarding to uvicorn |
| `proxy_http_version` | `1.1` | Required for WebSocket upgrade |
| `Upgrade` / `Connection` | `$http_upgrade` / `"upgrade"` | WebSocket support (STT streaming) |
| `proxy_read_timeout` | `600s` | Long AI/STT requests |
| `proxy_send_timeout` | `600s` | Long uploads |
| `proxy_request_buffering` | `off` | Streaming uploads without buffering |
| SSL | Let's Encrypt (certbot) | TLS termination |

## Site Config: porta-main-platform-core

File on the VM: `/etc/nginx/sites-enabled/gateway`

```nginx
server {
    listen 80;
    server_name api.poweron.swiss;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name api.poweron.swiss;

    ssl_certificate     /etc/letsencrypt/live/api.poweron.swiss/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api.poweron.swiss/privkey.pem;

    client_max_body_size 0;

    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_request_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 600s;
        proxy_send_timeout 600s;
    }
}
```

## Site Config: porta-int-platform-core

File on the VM: `/etc/nginx/sites-enabled/gateway`

```nginx
server {
    listen 80;
    server_name api-int.poweron.swiss;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name api-int.poweron.swiss;

    ssl_certificate     /etc/letsencrypt/live/api-int.poweron.swiss/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api-int.poweron.swiss/privkey.pem;

    client_max_body_size 0;

    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_request_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 600s;
        proxy_send_timeout 600s;
    }
}
```

## Setup on a New VM

```bash
# 1. Install nginx
sudo apt update && sudo apt install -y nginx

# 2. Create the site config
sudo nano /etc/nginx/sites-enabled/gateway
# (paste the contents from above)

# 3. Remove the default site
sudo rm -f /etc/nginx/sites-enabled/default

# 4. nginx.conf: set client_max_body_size
# In /etc/nginx/nginx.conf, insert into the http block:
#   client_max_body_size 0;

# 5. Obtain the SSL certificate
sudo apt install -y certbot python3-certbot-nginx
sudo certbot --nginx -d api-int.poweron.swiss

# 6. Test and reload the config
sudo nginx -t && sudo systemctl reload nginx

# 7. Check auto-renewal
sudo certbot renew --dry-run
```
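
`nginx -t` in step 6 confirms that the configuration loads, not that it still matches the values documented in the settings table. The following Python script is an added example, not part of the original page or the project's tooling: it parses a site config and reports directives that are missing or differ from the table. The names `BASELINE`, `parse_directives` and `audit` and the sample config are constructed for illustration, and the parser assumes no quoted `;`, `{` or `}`.

```python
import re

BASELINE = {  # values copied from the settings table on this page
    "client_max_body_size": "0",
    "proxy_pass": "http://127.0.0.1:8000",
    "proxy_http_version": "1.1",
    "proxy_read_timeout": "600s",
    "proxy_send_timeout": "600s",
    "proxy_request_buffering": "off",
    "proxy_set_header Upgrade": "$http_upgrade",
    "proxy_set_header Connection": '"upgrade"',
}

def parse_directives(conf_text):
    """Map each 'name args;' directive to the list of values it is given."""
    text = re.sub(r"#[^\n]*", "", conf_text)  # drop comments
    found = {}
    for stmt in re.split(r"[;{}]", text):  # assumes no quoted ';', '{' or '}'
        parts = stmt.split(None, 1)
        if len(parts) == 2:
            name, args = parts[0], " ".join(parts[1].split())
            if name == "proxy_set_header":  # key each header by its name
                header, _, args = args.partition(" ")
                name = f"proxy_set_header {header}"
            found.setdefault(name, []).append(args)
    return found

def audit(conf_text):
    """Return findings; an empty list means the config matches the baseline."""
    found, findings = parse_directives(conf_text), []
    for name, expected in BASELINE.items():
        if name not in found:
            findings.append(f"missing: {name} (documented: {expected})")
        findings += [f"drift: {name} is {v} (documented: {expected})"
                     for v in found.get(name, []) if v != expected]
    if not {"ssl_certificate", "ssl_certificate_key"}.issubset(found):
        findings.append("missing: ssl_certificate / ssl_certificate_key")
    return findings

# Constructed sample (placeholder paths): two deviations from the table.
SAMPLE = """server { listen 80; return 301 https://$host$request_uri; }
server { listen 443 ssl; client_max_body_size 0;
  ssl_certificate /path/to/fullchain.pem; ssl_certificate_key /path/to/privkey.pem;
  location / { proxy_pass http://127.0.0.1:8000; proxy_http_version 1.0;
    proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade";
    proxy_read_timeout 600s; proxy_send_timeout 600s; } }"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "OK")
```

To check a deployed VM, pass the contents of `/etc/nginx/sites-enabled/gateway` to `audit()` instead of `SAMPLE`.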