Adolfo Delorenzo
92fd390866
This adds a complete production deployment setup using Gunicorn as the WSGI server, replacing Flask's development server. Key components: - Gunicorn configuration with optimized worker settings - Support for sync, threaded, and async (gevent) workers - Automatic worker recycling to prevent memory leaks - Increased timeouts for audio processing - Production-ready logging and monitoring Deployment options: 1. Docker/Docker Compose for containerized deployment 2. Systemd service for traditional deployment 3. Nginx reverse proxy configuration 4. SSL/TLS support Production features: - wsgi.py entry point for WSGI servers - gunicorn_config.py with production settings - Dockerfile with multi-stage build - docker-compose.yml with full stack (Redis, PostgreSQL) - nginx.conf with caching and security headers - systemd service with security hardening - deploy.sh automated deployment script Configuration: - .env.production template with all settings - Support for environment-based configuration - Separate requirements-prod.txt - Prometheus metrics endpoint (/metrics) Monitoring: - Health check endpoints for liveness/readiness - Prometheus-compatible metrics - Structured logging - Memory usage tracking - Request counting Security: - Non-root user in Docker - Systemd security restrictions - Nginx security headers - File permission hardening - Resource limits Documentation: - Comprehensive PRODUCTION_DEPLOYMENT.md - Scaling strategies - Performance tuning guide - Troubleshooting section Also fixed memory_manager.py GC stats collection error. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
108 lines
3.3 KiB
Nginx Configuration File
108 lines
3.3 KiB
Nginx Configuration File
upstream talk2me {
|
|
server talk2me:5005 fail_timeout=0;
|
|
}
|
|
|
|
server {
|
|
listen 80;
|
|
server_name _;
|
|
|
|
# Redirect to HTTPS in production
|
|
# return 301 https://$server_name$request_uri;
|
|
|
|
# Security headers
|
|
add_header X-Content-Type-Options nosniff always;
|
|
add_header X-Frame-Options DENY always;
|
|
add_header X-XSS-Protection "1; mode=block" always;
|
|
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
|
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; media-src 'self';" always;
|
|
|
|
# File upload limits
|
|
client_max_body_size 50M;
|
|
client_body_buffer_size 1M;
|
|
client_body_timeout 120s;
|
|
|
|
# Timeouts
|
|
proxy_connect_timeout 120s;
|
|
proxy_send_timeout 120s;
|
|
proxy_read_timeout 120s;
|
|
send_timeout 120s;
|
|
|
|
# Gzip compression
|
|
gzip on;
|
|
gzip_vary on;
|
|
gzip_min_length 1024;
|
|
gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml+rss application/json application/javascript;
|
|
|
|
# Static files
|
|
location /static {
|
|
alias /app/static;
|
|
expires 1y;
|
|
add_header Cache-Control "public, immutable";
|
|
|
|
# Gzip static files
|
|
gzip_static on;
|
|
}
|
|
|
|
# Service worker
|
|
location /service-worker.js {
|
|
proxy_pass http://talk2me;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
add_header Cache-Control "no-cache, no-store, must-revalidate";
|
|
}
|
|
|
|
# WebSocket support for future features
|
|
location /ws {
|
|
proxy_pass http://talk2me;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
|
|
# WebSocket timeouts
|
|
proxy_read_timeout 86400s;
|
|
proxy_send_timeout 86400s;
|
|
}
|
|
|
|
# Health check (don't log)
|
|
location /health {
|
|
proxy_pass http://talk2me/health;
|
|
access_log off;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
}
|
|
|
|
# Main application
|
|
location / {
|
|
proxy_pass http://talk2me;
|
|
proxy_redirect off;
|
|
proxy_buffering off;
|
|
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header X-Forwarded-Host $server_name;
|
|
|
|
# Don't buffer responses
|
|
proxy_buffering off;
|
|
proxy_request_buffering off;
|
|
}
|
|
}
|
|
|
|
# HTTPS configuration (uncomment for production)
|
|
# server {
|
|
# listen 443 ssl http2;
|
|
# server_name your-domain.com;
|
|
#
|
|
# ssl_certificate /etc/nginx/ssl/cert.pem;
|
|
# ssl_certificate_key /etc/nginx/ssl/key.pem;
|
|
# ssl_protocols TLSv1.2 TLSv1.3;
|
|
# ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
|
|
# ssl_prefer_server_ciphers off;
|
|
#
|
|
# # Include all location blocks from above
|
|
# } |