# Subdomain split: marketing site + game + API

After this change there are **three** public hosts (all → edge nginx `185.239.1.100`):

| Host | Serves | Upstream (on 171.22.25.73) |
|---|---|---|
| `bargevasat.ir`, `www.bargevasat.ir` | Marketing site (`hokm-site`) | `:1520` |
| `app.bargevasat.ir` | The game (`hokm-web`) | `:1500` |
| `api.bargevasat.ir` | API + SignalR (`hokm-server`) | `:1505` (CDN **bypass**) |

## 1. DNS

Add/confirm A‑records (all → `185.239.1.100`):

```
bargevasat.ir        A  185.239.1.100   (CDN ok)
www.bargevasat.ir    A  185.239.1.100   (CDN ok)
app.bargevasat.ir    A  185.239.1.100   (CDN ok)
api.bargevasat.ir    A  185.239.1.100   (CDN BYPASS / DNS-only)
```

## 2. TLS cert — reissue to include `app`

The current cert covers `bargevasat.ir, www, api` — add `app`:

```bash
sudo certbot certonly --webroot -w /var/www/certbot \
  -d bargevasat.ir -d www.bargevasat.ir -d app.bargevasat.ir -d api.bargevasat.ir \
  --agree-tos --no-eff-email --email you@example.com
# then copy/symlink fullchain.pem + privkey.pem into /etc/ssl/bargevasat/
# (the nginx blocks in step 3 read the key as privateKey.pem, so name it accordingly)
```

(Or DNS‑01 if behind the CDN — see SSL notes.)

## 3. nginx (edit `/root/mirror-server/nginx/nginx.conf`)

Replace the single Barg‑e Vasat web block with these three:

```nginx
# Redirect http → https for all three
server {
    listen 80;
    server_name bargevasat.ir www.bargevasat.ir app.bargevasat.ir api.bargevasat.ir;
    location /.well-known/acme-challenge/ { root /var/www/certbot; }
    location / { return 301 https://$host$request_uri; }
}

# Marketing site → hokm-site :1520
server {
    listen 443 ssl;
    http2 on;
    server_name bargevasat.ir www.bargevasat.ir;
    ssl_certificate     /etc/ssl/bargevasat/fullchain.pem;
    ssl_certificate_key /etc/ssl/bargevasat/privateKey.pem;
    location / {
        proxy_pass http://171.22.25.73:1520;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Game (Next static SPA) → hokm-web :1500
server {
    listen 443 ssl;
    http2 on;
    server_name app.bargevasat.ir;
    client_max_body_size 25m;
    ssl_certificate     /etc/ssl/bargevasat/fullchain.pem;
    ssl_certificate_key /etc/ssl/bargevasat/privateKey.pem;
    location / {
        proxy_pass http://171.22.25.73:1500;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# API + SignalR → hokm-server :1505 (WebSocket; keep CDN bypassed for this host)
# $connection_upgrade needs the usual map in the http {} context, assumed to be
# there already from the old api block:
#   map $http_upgrade $connection_upgrade { default upgrade; '' close; }
server {
    listen 443 ssl;
    http2 on;
    server_name api.bargevasat.ir;
    client_max_body_size 50m;
    ssl_certificate     /etc/ssl/bargevasat/fullchain.pem;
    ssl_certificate_key /etc/ssl/bargevasat/privateKey.pem;
    location / {
        proxy_pass http://171.22.25.73:1505;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $connection_upgrade;
        proxy_read_timeout 3600s;
    }
}
```

Reload: `docker compose exec nginx nginx -t && docker compose exec nginx nginx -s reload`

## 4. ENV_FILE secret (Gitea) — add/confirm

```
SITE_PORT=1520
NEXT_PUBLIC_APP_URL=https://app.bargevasat.ir
NEXT_PUBLIC_SITE_URL=https://bargevasat.ir
NEXT_PUBLIC_SERVER_URL=https://api.bargevasat.ir
CORS_ORIGINS=https://bargevasat.ir,https://www.bargevasat.ir,https://app.bargevasat.ir
ADMIN_TOKEN=
```

## 5. Deploy

`docker compose build site web server && docker compose up -d`

(Add the `site` service to the CI deploy job's build/up + health‑wait, same pattern as `web`.)

## 6. Verify

```bash
curl -I https://bargevasat.ir       # marketing (200)
curl -I https://app.bargevasat.ir   # game (200)
curl -I https://api.bargevasat.ir   # API (405 to HEAD is fine)
```

Admin: open `https://bargevasat.ir/admin`, enter `ADMIN_TOKEN`, set Bazaar/Myket links → Save.
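A post-deploy check that scripts step 6 and also confirms the cert reissued in step 2 is the one the edge actually serves for every host (a stale cert without `app` is the most likely way this change fails silently). Added example, not part of the original runbook; it assumes `openssl` and `curl` are installed and uses the hostnames and expected status codes from the table and step 6.

```shell
#!/bin/sh
# Post-deploy checks for the subdomain split (added example, not part of the
# original runbook). Assumes openssl + curl on the machine you run it from.
# Every name the reissued cert from step 2 must carry.
REQUIRED_HOSTS="bargevasat.ir www.bargevasat.ir app.bargevasat.ir api.bargevasat.ir"

# san_missing "DNS:a, DNS:b, ..." -> prints the required hosts absent from that SAN line.
san_missing() {
  missing=""
  for h in $REQUIRED_HOSTS; do
    case "$1," in
      *"DNS:$h,"*) ;;                         # present
      *) missing="$missing${missing:+ }$h" ;;
    esac
  done
  printf '%s' "$missing"
}

# status_ok HOST CODE -> 0 when CODE is acceptable for HOST (step 6: api may answer 405 to HEAD).
status_ok() {
  case "$1:$2" in
    *:200|api.bargevasat.ir:405) return 0 ;;
  esac
  return 1
}

# cert_sans HOST -> SAN line of the certificate actually served for HOST (sends SNI).
cert_sans() {
  openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null \
    | openssl x509 -noout -ext subjectAltName | grep 'DNS:' | sed 's/^[[:space:]]*//'
}

# http_status URL -> status code of a HEAD request; redirects are not followed.
http_status() { curl -sI -o /dev/null -w '%{http_code}' "$1"; }

run_checks() {
  rc=0
  for h in $REQUIRED_HOSTS; do
    miss=$(san_missing "$(cert_sans "$h")")
    [ -z "$miss" ] || { echo "$h: served cert lacks SAN(s): $miss"; rc=1; }
    code=$(http_status "https://$h/")
    status_ok "$h" "$code" || { echo "$h: HTTPS answered $code"; rc=1; }
    code=$(http_status "http://$h/")
    [ "$code" = 301 ] || { echo "$h: http->https redirect answered $code"; rc=1; }
  done
  return $rc
}

# The network is only touched when invoked explicitly:  sh check.sh --run
if [ "${1:-}" = "--run" ]; then run_checks; fi
```

A non-zero exit means at least one host is serving the wrong cert, an unexpected status, or no HTTP-to-HTTPS redirect; run it again after every cert renewal, not only after this change.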