nginx-conf/watch-party.conf

# /etc/nginx/sites-available/watch-party (CLEAN)

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

############################
# HTTP: ACME + Redirect
############################
server {
    listen 80;                     # IPv4 only
    server_name nik4nao.xyz;

    # Let’s Encrypt HTTP-01 challenge lives on HTTP
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
        default_type "text/plain";
        allow all;
    }

    # Serve /robots.txt from disk regardless of proxying
    location = /robots.txt {
        alias /var/www/html/robots.txt;
        default_type text/plain;
    }

    # Redirect everything else to HTTPS
    location / {
        return 301 https://$host$request_uri;
    }
}

############################
# HTTPS: Proxy /watch-party/
############################
server {
    listen 443 ssl;
    server_name nik4nao.xyz;

    # --- Certbot-managed TLS files (must exist) ---
    ssl_certificate     /etc/letsencrypt/live/nik4nao.xyz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nik4nao.xyz/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam         /etc/letsencrypt/ssl-dhparams.pem;
    add_header X-Robots-Tag "noindex, nofollow, noimageindex, nosnippet, noarchive" always;

    # Enforce trailing slash
    location = /watch-party { return 301 /watch-party/; }
    location = / { return 302 /watch-party/; }

    # IMPORTANT: no URI on proxy_pass so upstream receives /watch-party/ prefix
    location /watch-party/ {
        proxy_pass http://192.168.7.96:3000;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

    # NEW: forward API to the same frontend (which then forwards to backend)
    location /api/ {
        proxy_pass http://192.168.7.96:3000;   # hits container's /api
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Serve /robots.txt on HTTPS
    location = /robots.txt {
        alias /var/www/html/robots.txt;
        default_type text/plain;
    }

    # Don’t serve anything else
    location / {
        return 404;
    }
}