Separate frontend app API from backend API in production

.env.example

@@ -11,7 +11,7 @@ WEBHOOK_VERIFY_TOKEN=replace-with-32-plus-char-random-token
 WEBHOOK_SHARED_SECRET=replace-with-32-plus-char-random-secret
 META_WEBHOOK_APP_SECRET=
 WEBHOOK_ALLOW_UNSIGNED=false
-NEXT_PUBLIC_API_URL=http://localhost:3001/api
+NEXT_PUBLIC_API_URL=http://localhost:3000/backend-api
 MAIL_HOST=mail.example.com
 MAIL_PORT=465
 MAIL_SECURE=true

deploy/debian12/README.md

@@ -11,7 +11,7 @@ Panduan ini menyiapkan `bizone-web` di server Debian 12 kosong dengan topologi b
 ## URL Production Final
 
 - Aplikasi: `https://portal.bizone.id`
-- Backend API public base URL: `https://portal.bizone.id/api`
+- Backend API browser/server base URL via reverse proxy: `https://portal.bizone.id/backend-api`
 - Health check backend: `https://portal.bizone.id/api/health`
 - Webhook verify URL Meta: `https://portal.bizone.id/api/webhooks/whatsapp`
 - Webhook event URL Meta: `https://portal.bizone.id/api/webhooks/whatsapp`
@@ -26,6 +26,8 @@ Untuk integrasi Meta, gunakan URL default berikut:
 Catatan penting:
 
 - Route backend memakai global prefix `/api`, jadi endpoint controller `GET /webhooks/whatsapp` menjadi `GET /api/webhooks/whatsapp`.
+- Di production, `nginx` mengekspos backend internal aplikasi lewat prefix `https://portal.bizone.id/backend-api`.
+- Prefix `/api/*` di browser dipakai oleh route handler Next.js untuk operasi dashboard seperti save contact, save user, export, dan aksi client-side lain.
 - Jika Anda ingin verifikasi tanda tangan resmi dari Meta, isi `META_WEBHOOK_APP_SECRET`.
 - Bila `META_WEBHOOK_APP_SECRET` terisi, request ke `POST /api/webhooks/whatsapp/meta` menuntut header `x-hub-signature-256`.
 - Endpoint `POST /api/webhooks/whatsapp` tetap bisa dipakai untuk Meta bila Anda memilih verify token + shared secret non-Meta untuk test lain, tetapi untuk produksi Meta lebih aman menargetkan URL default callback dan menyimpan `META_WEBHOOK_APP_SECRET`.
@@ -237,6 +239,7 @@ Uji HTTP lokal:
 ```bash
 curl -I http://portal.bizone.id
 curl http://portal.bizone.id/api/health
+curl http://portal.bizone.id/backend-api/health
 ```
 
 ## 10. Aktifkan HTTPS
@@ -250,6 +253,7 @@ Setelah cert aktif, uji:
 ```bash
 curl -I https://portal.bizone.id
 curl https://portal.bizone.id/api/health
+curl https://portal.bizone.id/backend-api/health
 ```
 
 Respons health ideal:
@@ -331,3 +335,12 @@ sudo systemctl is-active bizone-backend
 sudo systemctl is-active bizone-frontend
 docker compose -f /srv/bizone-web/deploy/debian12/docker-compose.infra.yml ps
 ```
+##+Q&xN$86LbSA<av<
+Ganti `NEXT_PUBLIC_API_URL` production menjadi:
+
+```dotenv
+NEXT_PUBLIC_API_URL=https://portal.bizone.id/backend-api
+```
+
+Ini penting agar frontend server-side berbicara ke backend asli, sementara browser tetap bisa memakai route handler Next.js di `/api/*`.
+

deploy/debian12/app.env.example

@@ -1,12 +1,12 @@
 NODE_ENV=production
 
-DATABASE_URL=postgresql://bizone:change-this-postgres-password@127.0.0.1:5432/wa_dashboard
+DATABASE_URL=postgresql://bizone:%2BQ%26xN%2486LbSA%3Cav%3C@127.0.0.1:5432/wa_dashboard
 REDIS_URL=redis://127.0.0.1:6379
 
 PORT=3001
 FRONTEND_ORIGIN=https://portal.bizone.id
 PUBLIC_API_URL=https://portal.bizone.id
-NEXT_PUBLIC_API_URL=https://portal.bizone.id/api
+NEXT_PUBLIC_API_URL=https://portal.bizone.id/backend-api
 
 JWT_SECRET=UsmlPBa61fKDgTjUR+9sS9f5SKw3OF7X0CjGWoHibg2eF7gQO6sS57pc2Hj8XIv4
 JWT_EXPIRES_IN=1d

deploy/debian12/nginx.portal.bizone.id.conf

@@ -5,6 +5,33 @@ server {
 
     client_max_body_size 20m;
 
+    location = /api/health {
+        proxy_pass http://127.0.0.1:3001/api/health;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    location /api/webhooks/ {
+        proxy_pass http://127.0.0.1:3001/api/webhooks/;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    location /backend-api/ {
+        proxy_pass http://127.0.0.1:3001/api/;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
     location / {
         proxy_pass http://127.0.0.1:3000;
         proxy_http_version 1.1;
@@ -16,12 +43,4 @@ server {
         proxy_set_header Connection "upgrade";
     }
 
-    location /api/ {
-        proxy_pass http://127.0.0.1:3001/api/;
-        proxy_http_version 1.1;
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-    }
 }