# Main-context settings: only critical errors go to the main error log
# (per-location logs below override this for the WebSocket endpoints).
error_log /var/log/nginx/error.log crit;

# PID file lives on a standard, writable path so nginx can start unprivileged
pid /var/run/nginx.pid;
# Connection-processing settings for the worker processes
events {
    use epoll;                  # Linux event notification backend
    worker_connections 1024;    # Max simultaneous connections per worker
    multi_accept on;            # Accept all pending connections at once
}
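http {
    # ---------------------------------------------------------------------
    # Basic settings
    # ---------------------------------------------------------------------
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    charset utf-8;
    # Do not advertise the nginx version in the Server header or error pages
    server_tokens off;

    # Override TypeScript MIME type (overriding video/mp2t from mime.types)
    types {
        application/typescript ts;
    }

    # ---------------------------------------------------------------------
    # Logging
    # ---------------------------------------------------------------------
    log_format debug_format '$remote_addr - $remote_user [$time_local] '
                            '"$request" $status $body_bytes_sent '
                            '"$http_referer" "$http_user_agent" '
                            'rt=$request_time uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"'
                            ' ws_status="$upstream_http_upgrade"'; # WebSocket upgrade status
    # Access logging is off globally; the WebSocket locations enable their own
    access_log off;

    # ---------------------------------------------------------------------
    # Optimization
    # ---------------------------------------------------------------------
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 120; # Matches cloudflared keepAliveTimeout
    keepalive_requests 100;

    # ---------------------------------------------------------------------
    # Gzip settings (gzip is currently disabled; the remaining directives only
    # take effect if gzip is switched back on)
    # ---------------------------------------------------------------------
    gzip off;
    # gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    # ---------------------------------------------------------------------
    # WebSocket configuration: map the client's Upgrade header to the
    # Connection header sent upstream ("close" when no upgrade requested)
    # ---------------------------------------------------------------------
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    # ---------------------------------------------------------------------
    # CORS origin allowlist (prevents arbitrary origin reflection).
    # $cors_origin is empty for any origin not listed; nginx omits an
    # add_header whose value is empty, so no ACAO header is sent at all.
    # ---------------------------------------------------------------------
    map $http_origin $cors_origin {
        default "";
        "~^https?://localhost(:\\d+)?$" $http_origin;
        "~^https?://127\\.0\\.0\\.1(:\\d+)?$" $http_origin;
        "https://www.visionflow.info" $http_origin;
        "https://visionflow.info" $http_origin;
    }

    # ---------------------------------------------------------------------
    # Upstreams
    # ---------------------------------------------------------------------
    # Rust server (same container, so loopback).
    # NOTE(review): the server block below also listens on port 4000 on all
    # interfaces; on Linux that bind covers 127.0.0.1:4000 as well, so both
    # cannot listen on the same port. Confirm the Rust server's actual port
    # against the container entrypoint.
    upstream backend {
        server 127.0.0.1:4000;
        keepalive 32; # Keep idle connections to the backend open
    }

    # JavaScript Solid Server (JSS)
    # Provides Solid pods for user data, agent memory, and ontology fragments
    upstream jss {
        server jss:3030;
        keepalive 16;
    }

    # ---------------------------------------------------------------------
    # Main server configuration
    # ---------------------------------------------------------------------
    server {
        listen 4000 default_server; # External entry point (fronted by cloudflared)
        server_name _;              # Accept any server name
        root /app/client/dist;      # Built client files

        # Security headers.
        # NOTE: add_header is NOT inherited by a location that declares its
        # own add_header. The same set is therefore repeated verbatim in
        # every such location below (/api, /solid/, /pods/, /, /assets/);
        # previously those responses carried no CSP/HSTS/etc. at all.
        # Keep the copies in sync (or move them to an include snippet).
        # "always" makes them apply to 4xx/5xx responses too.
        add_header Cross-Origin-Opener-Policy "same-origin" always;
        add_header Cross-Origin-Embedder-Policy "require-corp" always;
        add_header X-Content-Type-Options nosniff always;
        add_header X-Frame-Options SAMEORIGIN always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Referrer-Policy "same-origin" always;
        # TODO: Replace 'unsafe-inline' in script-src with nonce-based CSP once IdP views are refactored
        add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'; connect-src 'self' ws: wss: http: https: https://esm.sh *.visionflow.info; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://esm.sh https://javascriptsolidserver.github.io https://cdn.jsdelivr.net https://unpkg.com https://getalby.com https://goal.ruv.io; style-src 'self' 'unsafe-inline'; img-src 'self' data: http: https:; frame-src 'self' https://getalby.com; font-src 'self' data:; base-uri 'self'; form-action 'self'; frame-ancestors 'self';" always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

        # -----------------------------------------------------------------
        # WebSocket endpoint (inherits the server-level security headers)
        # -----------------------------------------------------------------
        location /wss {
            proxy_pass http://backend;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header Host $host;
            # Pass through Cloudflare headers.
            # NOTE(review): these (and X-Forwarded-Proto below) are copied
            # from the incoming request, so they are only trustworthy if this
            # listener is reachable exclusively through cloudflared — confirm.
            proxy_set_header CF-Connecting-IP $http_cf_connecting_ip;
            proxy_set_header CF-Ray $http_cf_ray;
            proxy_set_header CF-Visitor $http_cf_visitor;
            # Standard proxy headers
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
            # WebSocket timeouts
            proxy_read_timeout 600m; # 10 hours, matches websocketIdleTimeout
            proxy_send_timeout 3600s;
            proxy_connect_timeout 75s;
            proxy_buffering off;
            proxy_cache off;
            # Debug logging (error_log level "debug" needs an nginx built --with-debug)
            access_log /var/log/nginx/websocket.log debug_format;
            error_log /var/log/nginx/websocket-error.log debug;
        }

        # -----------------------------------------------------------------
        # Voice WebSocket endpoint
        # -----------------------------------------------------------------
        location /ws/speech {
            proxy_pass http://backend;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header Host $host;
            # Pass through Cloudflare headers (same trust caveat as /wss)
            proxy_set_header CF-Connecting-IP $http_cf_connecting_ip;
            proxy_set_header CF-Ray $http_cf_ray;
            proxy_set_header CF-Visitor $http_cf_visitor;
            # Standard proxy headers
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
            # WebSocket timeouts
            proxy_read_timeout 600m;
            proxy_send_timeout 3600s;
            proxy_connect_timeout 75s;
            proxy_buffering off;
            proxy_cache off;
            # Debug logging
            access_log /var/log/nginx/websocket.log debug_format;
            error_log /var/log/nginx/websocket-error.log debug;
        }

        # -----------------------------------------------------------------
        # MCP relay WebSocket endpoint
        # -----------------------------------------------------------------
        location /ws/mcp {
            proxy_pass http://backend;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header Host $host;
            # Pass through Cloudflare headers (same trust caveat as /wss)
            proxy_set_header CF-Connecting-IP $http_cf_connecting_ip;
            proxy_set_header CF-Ray $http_cf_ray;
            proxy_set_header CF-Visitor $http_cf_visitor;
            # Standard proxy headers
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
            # WebSocket timeouts
            proxy_read_timeout 600m;
            proxy_send_timeout 3600s;
            proxy_connect_timeout 75s;
            proxy_buffering off;
            proxy_cache off;
            # Debug logging
            access_log /var/log/nginx/mcp-websocket.log debug_format;
            error_log /var/log/nginx/mcp-websocket-error.log debug;
        }

        # -----------------------------------------------------------------
        # API endpoints
        # -----------------------------------------------------------------
        location /api {
            proxy_pass http://backend;
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # NOTE(review): $scheme is always "http" on this plain listener,
            # whereas the WebSocket locations forward the cloudflared-supplied
            # $http_x_forwarded_proto — confirm which value the backend expects.
            proxy_set_header X-Forwarded-Proto $scheme;
            # API specific settings
            proxy_read_timeout 120s;        # Larger graph data
            proxy_send_timeout 120s;        # Larger graph data
            proxy_connect_timeout 60s;
            proxy_buffering on;             # Buffer API responses
            proxy_buffer_size 256k;         # Larger responses
            proxy_buffers 8 256k;
            proxy_busy_buffers_size 512k;
            proxy_max_temp_file_size 2048m; # Allow larger temporary files
            add_header Cache-Control "no-store" always; # Dynamic data, never cache
            # Security headers (repeated: add_header does not inherit once a
            # location sets its own — keep identical to the server-level set)
            add_header Cross-Origin-Opener-Policy "same-origin" always;
            add_header Cross-Origin-Embedder-Policy "require-corp" always;
            add_header X-Content-Type-Options nosniff always;
            add_header X-Frame-Options SAMEORIGIN always;
            add_header X-XSS-Protection "1; mode=block" always;
            add_header Referrer-Policy "same-origin" always;
            add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'; connect-src 'self' ws: wss: http: https: https://esm.sh *.visionflow.info; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://esm.sh https://javascriptsolidserver.github.io https://cdn.jsdelivr.net https://unpkg.com https://getalby.com https://goal.ruv.io; style-src 'self' 'unsafe-inline'; img-src 'self' data: http: https:; frame-src 'self' https://getalby.com; font-src 'self' data:; base-uri 'self'; form-action 'self'; frame-ancestors 'self';" always;
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        }

        # =================================================================
        # Solid Protocol endpoints (JSS - JavaScript Solid Server)
        # Provides: LDP CRUD, JSON-LD, WebSocket notifications, Nostr auth
        # =================================================================

        # Solid pods and resources - main LDP endpoint
        location /solid/ {
            proxy_pass http://jss/;
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host $host;
            # Pass through Authorization header (NIP-98 tokens)
            proxy_set_header Authorization $http_authorization;
            # LDP/Solid specific headers.
            # NOTE: proxy_pass_header only un-hides upstream *response* headers
            # that nginx suppresses by default; request headers such as Accept
            # and Link are forwarded regardless, so these lines have no effect
            # on the request. Kept for compatibility.
            proxy_pass_header Accept;
            proxy_pass_header Content-Type;
            proxy_pass_header Link;
            proxy_pass_header Slug;
            proxy_pass_header If-Match;
            proxy_pass_header If-None-Match;
            # Solid server timeouts
            proxy_read_timeout 60s;
            proxy_send_timeout 60s;
            proxy_connect_timeout 10s;
            # Allow large payloads for ontology uploads
            client_max_body_size 50m;
            # CORS headers for Solid apps. "Vary: Origin" prevents a shared
            # cache from serving one origin's ACAO header to another.
            add_header Access-Control-Allow-Origin $cors_origin always;
            add_header Vary Origin always;
            add_header Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS" always;
            add_header Access-Control-Allow-Headers "Authorization, Content-Type, Accept, Origin, Link, Slug, If-Match, If-None-Match" always;
            add_header Access-Control-Allow-Credentials "true" always;
            add_header Access-Control-Expose-Headers "Location, Link, WAC-Allow, Accept-Patch, Accept-Post" always;
            # Security headers (repeated: add_header does not inherit once a
            # location sets its own — keep identical to the server-level set)
            add_header Cross-Origin-Opener-Policy "same-origin" always;
            add_header Cross-Origin-Embedder-Policy "require-corp" always;
            add_header X-Content-Type-Options nosniff always;
            add_header X-Frame-Options SAMEORIGIN always;
            add_header X-XSS-Protection "1; mode=block" always;
            add_header Referrer-Policy "same-origin" always;
            add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'; connect-src 'self' ws: wss: http: https: https://esm.sh *.visionflow.info; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://esm.sh https://javascriptsolidserver.github.io https://cdn.jsdelivr.net https://unpkg.com https://getalby.com https://goal.ruv.io; style-src 'self' 'unsafe-inline'; img-src 'self' data: http: https:; frame-src 'self' https://getalby.com; font-src 'self' data:; base-uri 'self'; form-action 'self'; frame-ancestors 'self';" always;
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
            # Handle CORS preflight ("if" + "return" is the safe form of if;
            # add_header inside the if block replaces the location's set, so
            # the CORS headers are repeated here)
            if ($request_method = 'OPTIONS') {
                add_header Access-Control-Allow-Origin $cors_origin always;
                add_header Vary Origin always;
                add_header Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS" always;
                add_header Access-Control-Allow-Headers "Authorization, Content-Type, Accept, Origin, Link, Slug, If-Match, If-None-Match" always;
                add_header Access-Control-Max-Age 86400;
                add_header Content-Length 0;
                return 204;
            }
        }

        # Solid WebSocket notifications endpoint (longest-prefix match, so it
        # takes precedence over /solid/; inherits server-level security headers)
        location /solid/.notifications {
            proxy_pass http://jss/.notifications;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme; # Consistent with /solid/
            proxy_set_header Authorization $http_authorization;
            # WebSocket timeouts
            proxy_read_timeout 3600s;
            proxy_send_timeout 3600s;
            proxy_connect_timeout 10s;
            proxy_buffering off;
            proxy_cache off;
        }

        # User pods shortcut - maps /pods/{npub}/ to /solid/pods/{npub}/
        location /pods/ {
            proxy_pass http://jss/pods/;
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Authorization $http_authorization;
            # LDP headers (see note in /solid/: no effect on request headers)
            proxy_pass_header Accept;
            proxy_pass_header Content-Type;
            proxy_pass_header Link;
            proxy_read_timeout 60s;
            client_max_body_size 50m;
            # CORS for pod access (no preflight handling here: OPTIONS requests
            # are forwarded to JSS as-is)
            add_header Access-Control-Allow-Origin $cors_origin always;
            add_header Vary Origin always;
            add_header Access-Control-Allow-Credentials "true" always;
            # Security headers (repeated: add_header does not inherit once a
            # location sets its own — keep identical to the server-level set)
            add_header Cross-Origin-Opener-Policy "same-origin" always;
            add_header Cross-Origin-Embedder-Policy "require-corp" always;
            add_header X-Content-Type-Options nosniff always;
            add_header X-Frame-Options SAMEORIGIN always;
            add_header X-XSS-Protection "1; mode=block" always;
            add_header Referrer-Policy "same-origin" always;
            add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'; connect-src 'self' ws: wss: http: https: https://esm.sh *.visionflow.info; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://esm.sh https://javascriptsolidserver.github.io https://cdn.jsdelivr.net https://unpkg.com https://getalby.com https://goal.ruv.io; style-src 'self' 'unsafe-inline'; img-src 'self' data: http: https:; frame-src 'self' https://getalby.com; font-src 'self' data:; base-uri 'self'; form-action 'self'; frame-ancestors 'self';" always;
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        }

        # -----------------------------------------------------------------
        # Static files (SPA fallback to index.html)
        # -----------------------------------------------------------------
        location / {
            try_files $uri $uri/ /index.html =404;
            expires 1h;
            add_header Cache-Control "public, no-transform";
            # error_page 404 = @backend; # Remove fallback for root, let try_files handle index.html
            # Security headers (repeated: add_header does not inherit once a
            # location sets its own — keep identical to the server-level set)
            add_header Cross-Origin-Opener-Policy "same-origin" always;
            add_header Cross-Origin-Embedder-Policy "require-corp" always;
            add_header X-Content-Type-Options nosniff always;
            add_header X-Frame-Options SAMEORIGIN always;
            add_header X-XSS-Protection "1; mode=block" always;
            add_header Referrer-Policy "same-origin" always;
            add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'; connect-src 'self' ws: wss: http: https: https://esm.sh *.visionflow.info; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://esm.sh https://javascriptsolidserver.github.io https://cdn.jsdelivr.net https://unpkg.com https://getalby.com https://goal.ruv.io; style-src 'self' 'unsafe-inline'; img-src 'self' data: http: https:; frame-src 'self' https://getalby.com; font-src 'self' data:; base-uri 'self'; form-action 'self'; frame-ancestors 'self';" always;
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        }

        # Static assets with proper MIME types and long cache lifetime
        location /assets/ {
            expires 7d;
            add_header Cache-Control "public, no-transform" always;
            try_files $uri =404;
            access_log off;
            # Security headers (repeated: add_header does not inherit once a
            # location sets its own — keep identical to the server-level set)
            add_header Cross-Origin-Opener-Policy "same-origin" always;
            add_header Cross-Origin-Embedder-Policy "require-corp" always;
            add_header X-Content-Type-Options nosniff always;
            add_header X-Frame-Options SAMEORIGIN always;
            add_header X-XSS-Protection "1; mode=block" always;
            add_header Referrer-Policy "same-origin" always;
            add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'; connect-src 'self' ws: wss: http: https: https://esm.sh *.visionflow.info; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://esm.sh https://javascriptsolidserver.github.io https://cdn.jsdelivr.net https://unpkg.com https://getalby.com https://goal.ruv.io; style-src 'self' 'unsafe-inline'; img-src 'self' data: http: https:; frame-src 'self' https://getalby.com; font-src 'self' data:; base-uri 'self'; form-action 'self'; frame-ancestors 'self';" always;
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        }

        # Fallback location for static files.
        # Currently unreferenced (the error_page 404 = @backend line above is
        # commented out); kept so re-enabling that fallback keeps working.
        location @backend {
            proxy_pass http://backend;
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        # -----------------------------------------------------------------
        # Error pages
        # -----------------------------------------------------------------
        error_page 404 /404.html;
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /usr/share/nginx/html;
        }
    }
}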