Align Sinbad2 HTTPS deployment with orcid2sword reverse-proxy pattern.

This adds nginx dual-path routing, forwarded proxy headers, Uvicorn proxy-headers, production security settings, and deployment docs for https://sinbad2.ujaen.es/generadorexamenesllm/.

frontend/nginx.conf

@@ -1,46 +1,82 @@
+# Nginx del contenedor frontend (HTTP interno, puerto 80 → publicado en 8075).
+#
+# Flujo HTTPS (igual que orcid2sword en Sinbad2):
+#   1. Usuario → https://sinbad2.ujaen.es/generadorexamenesllm/
+#   2. Apache termina TLS y hace ProxyPass al puerto 8075 (HTTP).
+#   3. Con ProxyPass ... http://host:8075/  Apache QUITA el prefijo /generadorexamenesllm
+#      y el contenedor recibe /, /assets/, /auth/, etc.
+#   4. Acceso directo al puerto 8075 (sin Apache) usa el prefijo /generadorexamenesllm/
+#      porque el build de Vite lleva VITE_APP_BASE_PATH=/generadorexamenesllm/
+
+map $http_x_forwarded_proto $forwarded_proto {
+    default $http_x_forwarded_proto;
+    ""      $scheme;
+}
+
+map $http_x_forwarded_host $forwarded_host {
+    default $http_x_forwarded_host;
+    ""      $host;
+}
+
 server {
     listen 80;
     server_name _;
     root /usr/share/nginx/html;
     index index.html;
 
-    # Backend API dentro de la misma base HTTPS (evita mixed content).
+    gzip on;
+    gzip_types text/css application/javascript application/json image/svg+xml;
+    gzip_min_length 1024;
+
+    # --- API: rutas sin prefijo (Apache quita /generadorexamenesllm) ---
     location /auth/ {
         proxy_pass http://backend:8074/auth/;
-        proxy_http_version 1.1;
-        proxy_set_header Host $host;
-        proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        include /etc/nginx/snippets/proxy_params.conf;
     }
 
     location /exam/ {
         proxy_pass http://backend:8074/exam/;
-        proxy_http_version 1.1;
-        proxy_set_header Host $host;
-        proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        include /etc/nginx/snippets/proxy_params.conf;
     }
 
     location = /health {
         proxy_pass http://backend:8074/health;
-        proxy_http_version 1.1;
-        proxy_set_header Host $host;
-        proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        include /etc/nginx/snippets/proxy_params.conf;
+    }
+
+    location /assets/ {
+        expires 1y;
+        add_header Cache-Control "public, immutable";
+        try_files $uri =404;
     }
 
-    # SPA: cualquier ruta desconocida sirve index.html (React Router).
     location / {
         try_files $uri $uri/ /index.html;
     }
 
-    # Cache de assets con hash.
-    location /assets/ {
+    # --- Mismo contenido/API bajo prefijo público (acceso directo :8075 o si Apache no quita prefijo) ---
+    location ^~ /generadorexamenesllm/auth/ {
+        proxy_pass http://backend:8074/auth/;
+        include /etc/nginx/snippets/proxy_params.conf;
+    }
+
+    location ^~ /generadorexamenesllm/exam/ {
+        proxy_pass http://backend:8074/exam/;
+        include /etc/nginx/snippets/proxy_params.conf;
+    }
+
+    location = /generadorexamenesllm/health {
+        proxy_pass http://backend:8074/health;
+        include /etc/nginx/snippets/proxy_params.conf;
+    }
+
+    location ^~ /generadorexamenesllm/assets/ {
+        alias /usr/share/nginx/html/assets/;
         expires 1y;
         add_header Cache-Control "public, immutable";
     }
 
-    gzip on;
-    gzip_types text/css application/javascript application/json image/svg+xml;
-    gzip_min_length 1024;
+    location ^~ /generadorexamenesllm/ {
+        try_files $uri $uri/ /index.html;
+    }
 }