85 lines
2.9 KiB
Nginx Configuration File
85 lines
2.9 KiB
Nginx Configuration File
server {
|
|
listen 80;
|
|
root /usr/share/nginx/html;
|
|
index index.html;
|
|
|
|
# Security headers
|
|
add_header X-Frame-Options "DENY" always;
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
|
add_header X-XSS-Protection "0" always;
|
|
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
|
|
|
|
# Allow avatar uploads up to 10MB (API enforces a 5MB limit)
|
|
client_max_body_size 10m;
|
|
|
|
# Band routes — NC scan can take several minutes on large libraries.
|
|
# ^~ prevents the static-asset regex below from matching /api/ paths.
|
|
# Note: no trailing slash — nginx redirects /api/v1/bands → /api/v1/bands/
|
|
# with 301 if the location ends in /, which breaks POST requests.
|
|
location ^~ /api/v1/bands {
|
|
proxy_pass http://api:8000;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
|
|
proxy_read_timeout 300s;
|
|
proxy_send_timeout 300s;
|
|
}
|
|
|
|
# All other API requests (including /api/static/avatars/* served by FastAPI).
|
|
# ^~ prevents the static-asset regex below from intercepting these paths.
|
|
location ^~ /api/ {
|
|
proxy_pass http://api:8000;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
# WebSocket support (for /api/v1/ws/*)
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
|
|
proxy_read_timeout 60s;
|
|
proxy_send_timeout 60s;
|
|
}
|
|
|
|
# WebSocket proxy for real-time version room events
|
|
location ^~ /ws/ {
|
|
proxy_pass http://api:8000;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
|
|
proxy_read_timeout 60s;
|
|
proxy_send_timeout 60s;
|
|
}
|
|
|
|
# Serve manifest.json directly
|
|
location = /manifest.json {
|
|
try_files $uri =404;
|
|
}
|
|
|
|
# SPA routing — all other paths fall back to index.html
|
|
location / {
|
|
try_files $uri $uri/ /index.html;
|
|
}
|
|
|
|
# Cache static assets aggressively (Vite build output — hashed filenames).
|
|
# This regex only runs for paths NOT matched by the ^~ rules above.
|
|
location ~* \.(js|css|woff2|png|svg|ico)$ {
|
|
expires 1y;
|
|
add_header Cache-Control "public, immutable";
|
|
}
|
|
|
|
gzip on;
|
|
gzip_types text/plain text/css application/json application/javascript text/xml application/xml text/javascript;
|
|
}
|