# 04 — SWAG Nginx Proxy Configs (Prod)

## Context

Same template files as test (`swag/proxy-confs/*.conf.tpl`), different env vars. The pipeline processes templates with prod-specific subdomain values.

## Required env vars (in `.env` on storagebox `prod/secrets/iklim.co/.env.prod`)

```bash
API_SUBDOMAIN=api.iklim.co
APIGW_SUBDOMAIN=apigw.iklim.co
RABBITMQ_SUBDOMAIN=rabbitmq.iklim.co
GRAFANA_SUBDOMAIN=grafana.iklim.co
RESTRICTED_IP_1=78.187.87.109
RESTRICTED_IP_2=95.70.151.248
```

## Template files (already created in test step 04)

- `swag/site-confs/default.conf`
- `swag/proxy-confs/api.conf.tpl`
- `swag/proxy-confs/apigw.conf.tpl`
- `swag/proxy-confs/rabbitmq.conf.tpl`
- `swag/proxy-confs/grafana.conf.tpl`

No new files to create — the same templates work for both environments.

## Deploy step (handled by pipeline — see `08-deploy-pipeline-update.md`)

```bash
set -a; . ./.env; set +a
export RESTRICTED_IP_1="78.187.87.109"
export RESTRICTED_IP_2="95.70.151.248"

sudo mkdir -p /opt/iklimco/swag/proxy-confs /opt/iklimco/swag/site-confs

for tpl in swag/proxy-confs/*.conf.tpl; do
  out="/opt/iklimco/swag/proxy-confs/$(basename "${tpl%.tpl}")"
  envsubst < "$tpl" | sudo tee "$out" > /dev/null
  echo "✅ $out"
done

sudo cp swag/site-confs/default.conf /opt/iklimco/swag/site-confs/default.conf
```

With `API_SUBDOMAIN=api.iklim.co`, the output file `/opt/iklimco/swag/proxy-confs/api.conf` will contain `server_name api.iklim.co;` — correct for prod.

## Verification

After deploy, on service-1:

```bash
cat /opt/iklimco/swag/proxy-confs/api.conf | grep server_name
```

Expected: `server_name api.iklim.co;`

```bash
docker exec $(docker ps -q -f name=iklimco_swag) nginx -t
```

Expected: `syntax is ok`

```bash
curl -si https://api.iklim.co/health
```

Expected: APISIX response with valid `*.iklim.co` cert.

## Notes

- `Prometheus` is intentionally NOT exposed via SWAG. Access it via Grafana (internal connection: `http://prometheus:9090`) or SSH tunnel.
- If additional restricted-access subdomains are needed in the future, create a new `swag/proxy-confs/.conf.tpl` following the same pattern.
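
`envsubst` replaces an unset variable with an empty string and copies any value verbatim into the rendered config, so a missing or malformed entry in `.env` only surfaces later at `nginx -t`, or not at all. The preflight below is an added example, not part of the project's pipeline; the function names `is_hostname`, `is_ipv4` and `preflight` are hypothetical, and it assumes the six variables listed under "Required env vars" are the full set the templates use.

```shell
#!/bin/sh
# Added example (not the project's code): validate the required env vars
# before the envsubst loop in the deploy step renders the templates.
# Usage, after `set -a; . ./.env; set +a`:   preflight || exit 1

REQUIRED_HOSTS="API_SUBDOMAIN APIGW_SUBDOMAIN RABBITMQ_SUBDOMAIN GRAFANA_SUBDOMAIN"
REQUIRED_IPS="RESTRICTED_IP_1 RESTRICTED_IP_2"

# Hostname: dot-separated labels of letters, digits and hyphens only, so
# characters such as ';', spaces or newlines cannot reach an nginx directive.
is_hostname() {
  case "$1" in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
  printf '%s\n' "$1" | grep -Eq \
    '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
}

# IPv4: exactly four decimal octets, each 0-255, no CIDR suffix.
is_ipv4() {
  case "$1" in ''|*[!0-9.]*|.*|*.) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ -n "$octet" ] && [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
}

# Check every required variable; report all failures, not just the first.
preflight() {
  rc=0
  for name in $REQUIRED_HOSTS; do
    eval "value=\${$name-}"   # names come from the fixed lists above
    is_hostname "$value" || { echo "missing or invalid: $name" >&2; rc=1; }
  done
  for name in $REQUIRED_IPS; do
    eval "value=\${$name-}"
    is_ipv4 "$value" || { echo "missing or invalid: $name" >&2; rc=1; }
  done
  return $rc
}
```

If a restricted IP is ever written in CIDR form, `is_ipv4` rejects it by design and would need extending.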