# Nginx Configuration for FetchML

This directory contains nginx configurations for FetchML.

## Files

- **`fetchml-site.conf`** - Ready-to-use site configuration (recommended)
- **`nginx-secure.conf`** - Full standalone nginx config (advanced)
- **`setup-nginx.sh`** - Helper script for easy installation

## Quick Setup

### Option 1: Automated (Recommended)

```bash
sudo ./nginx/setup-nginx.sh
```

This will:

- Detect your nginx setup (Debian or RHEL style)
- Prompt for your domain and SSL certificates
- Install the configuration
- Test and reload nginx

### Option 2: Manual

**For Debian/Ubuntu:**

```bash
# 1. Edit fetchml-site.conf and change:
#    - ml.example.com to your domain
#    - SSL certificate paths
#    - Port if not using 9102

# 2. Install
sudo cp nginx/fetchml-site.conf /etc/nginx/sites-available/fetchml
sudo ln -s /etc/nginx/sites-available/fetchml /etc/nginx/sites-enabled/

# 3. Test and reload
sudo nginx -t
sudo systemctl reload nginx
```

**For RHEL/Rocky/CentOS:**

```bash
# 1. Edit fetchml-site.conf (same as above)

# 2. Install
sudo cp nginx/fetchml-site.conf /etc/nginx/conf.d/fetchml.conf

# 3. Test and reload
sudo nginx -t
sudo systemctl reload nginx
```

## Configuration Details

### Endpoints

- `/ws` - WebSocket API (rate limited: 5 req/s)
- `/api/` - REST API (rate limited: 10 req/s)
- `/health` - Health check
- `/grafana/` - Grafana (commented out by default)

### Security Features

- TLSv1.2 and TLSv1.3 only
- Security headers (HSTS, CSP, etc.)
- Rate limiting per endpoint
- Request size limits (10MB)
- Version hiding

### What to Change

Before using, update these values in `fetchml-site.conf`:

1. **Domain**: Replace `ml.example.com` with your domain
2. **SSL Certificates**: Update paths to your actual certificates
3. **Port**: Change `9102` if using a different port
4. **Grafana**: Uncomment if you want to expose it

## SSL Certificates

### Self-Signed (Dev/Testing)

```bash
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout /etc/ssl/private/fetchml.key \
  -out /etc/ssl/certs/fetchml.crt \
  -subj "/CN=ml.example.com"
```

### Let's Encrypt (Production)

```bash
sudo apt-get install certbot python3-certbot-nginx
sudo certbot --nginx -d ml.example.com
```

## Troubleshooting

### Test Configuration

```bash
sudo nginx -t
```

### Check Logs

```bash
sudo tail -f /var/log/nginx/fetchml_error.log
sudo tail -f /var/log/nginx/fetchml_access.log
```

### Verify Proxy

```bash
curl -I https://ml.example.com/health
```

### Common Issues

**"Permission denied" error**: Check that nginx user can access SSL certificates

```bash
sudo chmod 644 /etc/ssl/certs/fetchml.crt
sudo chmod 600 /etc/ssl/private/fetchml.key
```

**WebSocket not working**: Ensure your firewall allows the connection and backend is running

```bash
# Check backend
curl http://localhost:9102/health

# Check firewall
sudo firewall-cmd --list-all
```

## Integration with Existing Nginx

If you already have nginx running, just drop `fetchml-site.conf` into your sites directory. It won't conflict with other sites. The configuration is self-contained and only handles the specified `server_name`.
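
After editing the domain, certificate paths and port, it is worth confirming that the items listed under Security Features are still active in the file you install. The script below is an added example, not part of the FetchML repository: the function names `audit_nginx_conf` and `write_sample_conf` are hypothetical, the patterns use standard nginx directive names, and the sample config is constructed rather than copied from `fetchml-site.conf`.

```shell
#!/usr/bin/env bash
# Added example: static audit of an nginx site config for the hardening this README lists.
# Regexes use standard nginx directive names; the sample config is constructed for
# illustration and is NOT the project's fetchml-site.conf.

# audit_nginx_conf FILE: prints one line per finding; exit status = number of findings.
audit_nginx_conf() (
    # Drop comments so a commented-out directive is not counted as active.
    active=$(sed 's/#.*//' "$1")
    fails=0
    has() { printf '%s\n' "$active" | grep -Eq "$1"; }
    need() { has "$2" || { echo "MISSING: $1"; fails=$((fails + 1)); }; }

    need "ssl_protocols directive"       'ssl_protocols[[:space:]]'
    need "server_tokens off"             'server_tokens[[:space:]]+off[[:space:]]*;'
    need "HSTS header"                   'add_header[[:space:]]+Strict-Transport-Security'
    need "CSP header"                    'add_header[[:space:]]+Content-Security-Policy'
    need "limit_req on a location"       'limit_req[[:space:]]+zone='
    need "non-zero client_max_body_size" 'client_max_body_size[[:space:]]+[1-9][0-9]*[kKmMgG]?[[:space:]]*;'
    # Anything older than TLSv1.2 on the ssl_protocols line is a finding.
    if has 'ssl_protocols[^;]*(SSLv[23]|TLSv1(\.1)?)[[:space:];]'; then
        echo "WEAK: legacy protocol enabled in ssl_protocols"; fails=$((fails + 1))
    fi
    exit "$fails"
)

# Constructed sample: a hardened site config in the shape the README describes.
write_sample_conf() {
    cat > "$1" <<'EOF'
limit_req_zone $binary_remote_addr zone=ws:10m rate=5r/s;
server {
    listen 443 ssl;
    server_name ml.example.com;
    ssl_protocols TLSv1.2 TLSv1.3;
    server_tokens off;
    client_max_body_size 10m;
    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header Content-Security-Policy "default-src 'self'" always;
    location /ws { limit_req zone=ws burst=10; proxy_pass http://127.0.0.1:9102; }
}
EOF
}

# Usage: ./audit.sh /etc/nginx/sites-available/fetchml
if [ "${1:-}" ]; then audit_nginx_conf "$1"; fi
```

A pattern match only shows that a directive is present and uncommented; `sudo nginx -t` is still needed to validate the configuration itself.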