smartsoltech_site/nginx-smartsoltech-fixed.conf
Andrew K. Choi ea677183ca Fix CSRF 403 error: add X-Forwarded-Host header to Nginx and update CSRF_TRUSTED_ORIGINS
- Created nginx-smartsoltech-fixed.conf with proper SSL and CSRF support
- Preserved existing SSL certificates from /etc/letsencrypt/live/www.smartsoltech.kr/
- Added X-Forwarded-Host header (critical for Django CSRF validation)
- Fixed location block order (static/media before /)
- Implemented proper HTTP→HTTPS and www→non-www redirects
- Updated CSRF_FIX.md with comprehensive troubleshooting guide
2025-11-24 12:03:26 +09:00


# SmartSolTech Nginx Configuration
# Corrected version with SSL certificates and the CSRF-related forwarding headers
# Backend pool for the Django application; the proxy location below
# forwards to it by name (http://django_app).
upstream django_app {
    # Django listens on loopback only, so it is reachable solely through this proxy.
    server localhost:8000;
}
# HTTP → HTTPS redirect.
# The only plain-HTTP content served is the ACME challenge path; everything
# else is sent to HTTPS with a permanent redirect.
server {
    listen 80;
    listen [::]:80;
    server_name smartsoltech.kr www.smartsoltech.kr;
    # Let's Encrypt HTTP-01 challenge: certbot writes the token files here,
    # and this path must stay reachable over plain HTTP for renewals.
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    # $host is taken from the client's Host header; server_name limits which
    # names reach this block, and HTTPS blocks below re-check the name again.
    location / {
        return 301 https://$host$request_uri;
    }
}
# Redirect www → non-www (HTTPS).
# Terminates TLS for www.smartsoltech.kr only so that the redirect itself
# is served with a valid certificate, then sends clients to the apex name.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.smartsoltech.kr;
    # SSL certificates (same certbot-managed files as the main server;
    # NOTE(review): the certificate is expected to cover both names — confirm its SANs)
    ssl_certificate /etc/letsencrypt/live/www.smartsoltech.kr/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.smartsoltech.kr/privkey.pem;
    # Protocol/cipher settings shared with the main server.
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    # Canonical host is the apex domain; the path and query are preserved.
    return 301 https://smartsoltech.kr$request_uri;
}
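# Main HTTPS server for smartsoltech.kr.
# Serves /static/ and /media/ directly from disk and proxies everything else
# to the Django upstream with the forwarding headers Django needs for
# CSRF / host validation.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name smartsoltech.kr;

    # SSL certificates (certbot-managed; NOTE(review): the certificate
    # lives under the www name and is expected to cover the apex name too —
    # confirm its SANs).
    ssl_certificate /etc/letsencrypt/live/www.smartsoltech.kr/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.smartsoltech.kr/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # Maximum accepted request body (uploads). Applies to every location
    # in this server; tighten per-location if only some paths accept uploads.
    client_max_body_size 100M;

    # Security headers.
    # nginx's add_header is NOT inherited by a location that declares its own
    # add_header — that location then starts from an empty set. The /static/
    # and /media/ blocks below add a Cache-Control header, so these headers
    # are repeated there; otherwise static and media responses would be sent
    # without HSTS / X-Frame-Options / nosniff.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    # Legacy header; modern browsers ignore it. Kept unchanged for compatibility
    # with the existing deployment.
    add_header X-XSS-Protection "1; mode=block" always;

    # Logs
    access_log /var/log/nginx/smartsoltech_access.log;
    error_log /var/log/nginx/smartsoltech_error.log;

    # Static files. Prefix locations are matched by longest prefix, so
    # /static/ wins over / regardless of order; the regex location for
    # dot-files below still takes precedence for paths like /static/.hidden.
    location /static/ {
        alias /opt/smartsoltech_site/smartsoltech/staticfiles/;
        expires 30d;
        add_header Cache-Control "public, immutable";
        # Re-declared: see the note on add_header inheritance above.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;
        access_log off;
    }

    # Media files (user uploads served from disk).
    location /media/ {
        alias /opt/smartsoltech_site/smartsoltech/media/;
        expires 7d;
        add_header Cache-Control "public";
        # Re-declared: see the note on add_header inheritance above.
        # nosniff matters most here, since media is user-supplied content.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;
        access_log off;
    }

    # Proxy to the Django application.
    location / {
        proxy_pass http://django_app;

        # Headers for Django.
        # $host and X-Forwarded-Host come from the client's Host header;
        # Django must validate them via ALLOWED_HOSTS (and, if
        # USE_X_FORWARDED_HOST is enabled, rely on X-Forwarded-Host only
        # because this proxy is the sole path to the backend).
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Lets Django see the original scheme (https) behind the proxy;
        # pairs with SECURE_PROXY_SSL_HEADER on the Django side.
        proxy_set_header X-Forwarded-Proto $scheme;
        # IMPORTANT for CSRF: Django must see the original host name so the
        # Origin/Referer check can match it against CSRF_TRUSTED_ORIGINS.
        proxy_set_header X-Forwarded-Host $host;

        # Backend redirects already carry the public host, so no rewriting.
        proxy_redirect off;
        proxy_buffering off;

        # Timeouts
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
    }

    # Deny access to dot-files (e.g. .env, .git) anywhere under the document
    # roots. Regex locations are checked before prefix locations, so this also
    # covers /static/ and /media/.
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }
}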