events { worker_connections 1024; } http { include /etc/nginx/mime.types; default_type application/octet-stream; server_tokens off; charset utf-8; resolver 127.0.0.11 valid=10s; client_max_body_size 50M; limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m; limit_req_zone $binary_remote_addr zone=api:10m rate=30r/s; limit_req_zone $binary_remote_addr zone=graphql:10m rate=10r/s; limit_req_zone $binary_remote_addr zone=upload:10m rate=5r/m; log_format compact '$remote_addr "$request" $status rt=$request_time'; access_log /var/log/nginx/access.log compact; types { text/javascript mjs; } gzip on; gzip_vary on; gzip_proxied any; gzip_comp_level 6; gzip_min_length 256; gzip_types text/plain text/css text/javascript application/javascript application/json application/xml image/svg+xml font/woff2 application/font-woff2; server { listen 80; server_name $DOMAIN www.$DOMAIN; # Allow Certbot to access the ACME challenge location /.well-known/acme-challenge/ { root /var/www/certbot; } # Redirect everything else to HTTPS location / { return 301 https://www.$DOMAIN$request_uri; } } server { listen 443 ssl; server_name $DOMAIN; ssl_certificate /etc/letsencrypt/live/$DOMAIN/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/$DOMAIN/privkey.pem; return 301 https://www.$DOMAIN$request_uri; } server { listen 443 ssl; http2 on; server_name www.$DOMAIN; set $upstream_backend http://$BACKEND_HOST:$BACKEND_PORT; set $upstream_icecast http://$ICECAST_HOST:$ICECAST_PORT; set $upstream_gitea http://$GITEA_HOST:$GITEA_PORT; set $upstream_hasura http://$HASURA_HOST:$HASURA_PORT; set $upstream_quartz http://$QUARTZ_HOST:$QUARTZ_PORT; set $upstream_searxng http://$SEARXNG_HOST:$SEARXNG_PORT; root /etc/nginx/html; index index.html; ssl_certificate /etc/letsencrypt/live/$DOMAIN/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/$DOMAIN/privkey.pem; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always; # Vite hashed assets - immutable, cache 1 year location /assets/ { expires 1y; add_header Cache-Control "public, immutable"; } # Fonts - cache 30 days location /fonts/ { expires 30d; add_header Cache-Control "public"; } # Images - cache 7 days location /img/ { expires 7d; add_header Cache-Control "public"; } location /uploads/ { alias /uploads/; add_header X-Content-Type-Options nosniff always; add_header Content-Disposition "inline" always; add_header Content-Security-Policy "default-src 'none'; img-src 'self'; style-src 'none'; script-src 'none'" always; } location / { try_files $uri $uri/ /index.html; } location = /robots.txt { allow all; log_not_found off; access_log off; } location ~ /.well-known/acme-challenge/ { root /var/www/certbot; } location = /img/stamps/mine.gif { add_header Access-Control-Allow-Origin "https://www.$DOMAIN"; expires 7d; add_header Cache-Control "public"; } location /sound/ { expires 7d; add_header Cache-Control "public"; } location $BACKEND_ENDPOINT { return 301 $BACKEND_ENDPOINT/; } location $BACKEND_ENDPOINT/ws { rewrite ^$BACKEND_ENDPOINT/(.*)$ /$1 break; proxy_pass $upstream_backend; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } location $BACKEND_ENDPOINT/auth/login { limit_req zone=login burst=3 nodelay; rewrite ^$BACKEND_ENDPOINT/(.*)$ /$1 break; proxy_pass $upstream_backend; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } location $BACKEND_ENDPOINT/messages/upload { limit_req zone=upload burst=3 nodelay; rewrite ^$BACKEND_ENDPOINT/(.*)$ /$1 break; proxy_pass $upstream_backend; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } location $BACKEND_ENDPOINT/graphql { limit_req zone=graphql burst=10 nodelay; rewrite ^$BACKEND_ENDPOINT/(.*)$ /$1 break; proxy_pass $upstream_backend; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } location $BACKEND_ENDPOINT/ { limit_req zone=api burst=20 nodelay; rewrite ^$BACKEND_ENDPOINT/(.*)$ /$1 break; proxy_pass $upstream_backend; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } location /radio { return 301 /radio/; } location /radio/ { rewrite ^/radio/(.*)$ /$1 break; proxy_pass $upstream_icecast; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } location /gitea { return 301 /gitea/; } location /gitea/ { rewrite ^/gitea/(.*)$ /$1 break; proxy_pass $upstream_gitea; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } location /hasura { return 301 /hasura/; } location /hasura/ { auth_request /internal/auth/admin-validate; error_page 401 403 = @auth_denied; rewrite ^/hasura/(.*)$ /$1 break; proxy_pass $upstream_hasura; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } location /notes { return 301 /notes/; } location /notes/ { auth_request /internal/auth/admin-validate; error_page 401 403 = @auth_denied; rewrite ^/notes/(.*)$ /$1 break; proxy_pass $upstream_quartz; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } location = /internal/auth/admin-validate { internal; rewrite ^ /auth/validate-admin break; proxy_pass $upstream_backend; proxy_pass_request_body off; proxy_set_header Content-Length ""; proxy_set_header Cookie $http_cookie; } location @auth_denied { return 302 /admin/login?redirect=$request_uri; } location /searxng { return 301 /searxng/; } location /searxng/ { auth_request /internal/auth/admin-validate; error_page 401 403 = @auth_denied; rewrite ^/searxng/(.*)$ /$1 break; proxy_pass $upstream_searxng; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } } server { listen 80; server_name chat.$DOMAIN; location /.well-known/acme-challenge/ { root /var/www/certbot; } location / { return 301 https://chat.$DOMAIN$request_uri; } } server { listen 443 ssl; http2 on; server_name chat.$DOMAIN; ssl_certificate /etc/letsencrypt/live/$DOMAIN/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/$DOMAIN/privkey.pem; set $upstream_openwebui http://$OPENWEBUI_HOST:$OPENWEBUI_PORT; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always; client_max_body_size 50M; location = /internal/auth/admin-validate { internal; rewrite ^ /auth/validate-admin break; proxy_pass http://$BACKEND_HOST:$BACKEND_PORT; proxy_pass_request_body off; proxy_set_header Content-Length ""; proxy_set_header Cookie $http_cookie; } location @auth_denied { return 302 https://www.$DOMAIN/admin/login?redirect=https://chat.$DOMAIN$request_uri; } location / { auth_request /internal/auth/admin-validate; error_page 401 403 = @auth_denied; proxy_pass $upstream_openwebui; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_buffering off; proxy_read_timeout 300s; proxy_send_timeout 300s; } } }