sschuhmann/rehearshalhub
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fdf9f52f6fa9ec81505deafbc07001fe874b053f
rehearshalhub/web/nginx.conf
Mistral Vibe d9035acdff feat: app shell with sidebar + bug fixes 
UI:
- Add persistent sidebar (210px) with band switcher dropdown, Library/Player/Settings nav, user avatar row, and sign-out button
- Align design system CSS vars to CLAUDE.md spec (#0f0f12 bg, #e8a22a amber accent, rgba borders/text)
- Remove light mode toggle (no light mode in v1)
- Homepage auto-redirects to first band; shows create-band form only when no bands exist
- Strip full-page wrappers from all pages (shell owns layout)
- Remove debug console.log statements from SongPage

Bug fixes:
- nginx: trailing slash on `location ^~ /api/v1/bands/` caused 301 redirect on POST, dropping the request body — removed trailing slash
- API: _member_from_request (used by nc-scan stream) only accepted Bearer token, not httpOnly cookie — add rh_token cookie fallback
- API: internal_secret config field now has a dev default so the service starts without INTERNAL_SECRET env var set

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-01 09:43:47 +02:00

80 lines
2.8 KiB
Nginx Configuration File
Raw Blame History

server {
listen 80;
root /usr/share/nginx/html;
index index.html;
# Security headers
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header X-XSS-Protection "0" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
# Allow avatar uploads up to 10MB (API enforces a 5MB limit)
client_max_body_size 10m;
# Band routes — NC scan can take several minutes on large libraries.
# ^~ prevents the static-asset regex below from matching /api/ paths.
# Note: no trailing slash — nginx redirects /api/v1/bands → /api/v1/bands/
# with 301 if the location ends in /, which breaks POST requests.
location ^~ /api/v1/bands {
proxy_pass http://api:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 300s;
proxy_send_timeout 300s;
}
# All other API requests (including /api/static/avatars/* served by FastAPI).
# ^~ prevents the static-asset regex below from intercepting these paths.
location ^~ /api/ {
proxy_pass http://api:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# WebSocket support (for /api/v1/ws/*)
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 60s;
proxy_send_timeout 60s;
}
# WebSocket proxy for real-time version room events
location ^~ /ws/ {
proxy_pass http://api:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 60s;
proxy_send_timeout 60s;
}
# SPA routing — all other paths fall back to index.html
location / {
try_files $uri $uri/ /index.html;
}
# Cache static assets aggressively (Vite build output — hashed filenames).
# This regex only runs for paths NOT matched by the ^~ rules above.
location ~* \.(js|css|woff2|png|svg|ico)$ {
expires 1y;
add_header Cache-Control "public, immutable";
}
gzip on;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml text/javascript;
}
Reference in New Issue View Git Blame Copy Permalink