Adam French
932e257152
All checks were successful
Deploy with Docker Compose / deploy (push) Successful in 4m19s
Generate self-signed certs for local HTTPS, add port 443 and full SSL server block to dev nginx config, add Spotify redirect URI env var, improve Spotify token error handling, and fix Chat/Steam mobile sizing. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
229 lines
7.7 KiB
Plaintext
229 lines
7.7 KiB
Plaintext
events {
|
|
worker_connections 1024;
|
|
}
|
|
|
|
http {
|
|
include /etc/nginx/mime.types;
|
|
default_type application/octet-stream;
|
|
|
|
server_tokens off;
|
|
charset utf-8;
|
|
|
|
client_max_body_size 10M;
|
|
|
|
limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;
|
|
limit_req_zone $binary_remote_addr zone=api:10m rate=30r/s;
|
|
limit_req_zone $binary_remote_addr zone=upload:10m rate=5r/m;
|
|
|
|
log_format compact
|
|
'$remote_addr "$request" $status rt=$request_time';
|
|
|
|
access_log /var/log/nginx/access.log compact;
|
|
|
|
types {
|
|
text/javascript mjs;
|
|
}
|
|
|
|
gzip on;
|
|
gzip_vary on;
|
|
gzip_proxied any;
|
|
gzip_comp_level 6;
|
|
gzip_min_length 256;
|
|
gzip_types
|
|
text/plain
|
|
text/css
|
|
text/javascript
|
|
application/javascript
|
|
application/json
|
|
application/xml
|
|
image/svg+xml
|
|
font/woff2
|
|
application/font-woff2;
|
|
|
|
server {
|
|
listen 80;
|
|
server_name $DOMAIN www.$DOMAIN;
|
|
|
|
location /uploads/ {
|
|
alias /uploads/;
|
|
add_header X-Content-Type-Options nosniff always;
|
|
add_header Content-Disposition "inline" always;
|
|
add_header Content-Security-Policy "default-src 'none'; img-src 'self'; style-src 'none'; script-src 'none'" always;
|
|
}
|
|
|
|
location / {
|
|
proxy_pass http://vue:5173;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
proxy_set_header Host $host;
|
|
}
|
|
|
|
location $BACKEND_ENDPOINT {
|
|
return 301 $BACKEND_ENDPOINT/;
|
|
}
|
|
|
|
location $BACKEND_ENDPOINT/ws {
|
|
rewrite ^$BACKEND_ENDPOINT/(.*)$ /$1 break;
|
|
proxy_pass http://$BACKEND_HOST:$BACKEND_PORT/;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
|
|
location $BACKEND_ENDPOINT/auth/login {
|
|
limit_req zone=login burst=3 nodelay;
|
|
rewrite ^$BACKEND_ENDPOINT/(.*)$ /$1 break;
|
|
proxy_pass http://$BACKEND_HOST:$BACKEND_PORT/;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
|
|
location $BACKEND_ENDPOINT/messages/upload {
|
|
limit_req zone=upload burst=3 nodelay;
|
|
rewrite ^$BACKEND_ENDPOINT/(.*)$ /$1 break;
|
|
proxy_pass http://$BACKEND_HOST:$BACKEND_PORT/;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
|
|
location $BACKEND_ENDPOINT/ {
|
|
limit_req zone=api burst=20 nodelay;
|
|
rewrite ^$BACKEND_ENDPOINT/(.*)$ /$1 break;
|
|
proxy_pass http://$BACKEND_HOST:$BACKEND_PORT/;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
|
|
location /radio {
|
|
return 301 /radio/;
|
|
}
|
|
|
|
location /radio/ {
|
|
proxy_pass http://$ICECAST_HOST:$ICECAST_PORT/;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
|
|
location /gitea {
|
|
return 301 /gitea/;
|
|
}
|
|
|
|
location /gitea/ {
|
|
proxy_pass http://$GITEA_HOST:$GITEA_PORT/;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
|
|
}
|
|
|
|
server {
|
|
listen 443 ssl;
|
|
server_name $DOMAIN www.$DOMAIN;
|
|
|
|
ssl_certificate /etc/letsencrypt/live/localhost/fullchain.pem;
|
|
ssl_certificate_key /etc/letsencrypt/live/localhost/privkey.pem;
|
|
|
|
location /uploads/ {
|
|
alias /uploads/;
|
|
add_header X-Content-Type-Options nosniff always;
|
|
add_header Content-Disposition "inline" always;
|
|
add_header Content-Security-Policy "default-src 'none'; img-src 'self'; style-src 'none'; script-src 'none'" always;
|
|
}
|
|
|
|
location / {
|
|
proxy_pass http://vue:5173;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
proxy_set_header Host $host;
|
|
}
|
|
|
|
location $BACKEND_ENDPOINT {
|
|
return 301 $BACKEND_ENDPOINT/;
|
|
}
|
|
|
|
location $BACKEND_ENDPOINT/ws {
|
|
rewrite ^$BACKEND_ENDPOINT/(.*)$ /$1 break;
|
|
proxy_pass http://$BACKEND_HOST:$BACKEND_PORT/;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
|
|
location $BACKEND_ENDPOINT/auth/login {
|
|
limit_req zone=login burst=3 nodelay;
|
|
rewrite ^$BACKEND_ENDPOINT/(.*)$ /$1 break;
|
|
proxy_pass http://$BACKEND_HOST:$BACKEND_PORT/;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
|
|
location $BACKEND_ENDPOINT/messages/upload {
|
|
limit_req zone=upload burst=3 nodelay;
|
|
rewrite ^$BACKEND_ENDPOINT/(.*)$ /$1 break;
|
|
proxy_pass http://$BACKEND_HOST:$BACKEND_PORT/;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
|
|
location $BACKEND_ENDPOINT/ {
|
|
limit_req zone=api burst=20 nodelay;
|
|
rewrite ^$BACKEND_ENDPOINT/(.*)$ /$1 break;
|
|
proxy_pass http://$BACKEND_HOST:$BACKEND_PORT/;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
|
|
location /radio {
|
|
return 301 /radio/;
|
|
}
|
|
|
|
location /radio/ {
|
|
proxy_pass http://$ICECAST_HOST:$ICECAST_PORT/;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
|
|
location /gitea {
|
|
return 301 /gitea/;
|
|
}
|
|
|
|
location /gitea/ {
|
|
proxy_pass http://$GITEA_HOST:$GITEA_PORT/;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
|
|
}
|
|
|
|
}
|