Gridwolf/nginx.conf at main · valinorintelligence/Gridwolf · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
# Gridwolf — Nginx reverse proxy + SPA host
# Handles: static assets, /api proxy → backend:8000, WebSocket at /ws

# ── Compression ──────────────────────────────────────────────────────────────
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_types
    text/plain text/css text/xml application/json application/javascript
    application/xml+rss application/atom+xml image/svg+xml
    font/woff font/woff2 application/wasm;
gzip_min_length 1024;

server {
    listen 80;
    server_name _;

    # Allow large PCAP uploads (up to 500 MB)
    client_max_body_size 500M;

    # ── Security headers ─────────────────────────────────────────────────────
    add_header X-Frame-Options            "SAMEORIGIN"                   always;
    add_header X-Content-Type-Options     "nosniff"                      always;
    add_header Referrer-Policy            "strict-origin-when-cross-origin" always;
    add_header X-XSS-Protection           "1; mode=block"                always;
    add_header Permissions-Policy         "camera=(), microphone=(), geolocation=()" always;

    root  /usr/share/nginx/html;
    index index.html;

    # ── Static assets — long-lived cache ─────────────────────────────────────
    # Vite fingerprints all JS/CSS with content hashes → safe to cache forever.
    location ~* \.(js|css|woff2?|ttf|eot|svg|png|jpg|jpeg|gif|ico|webp|wasm)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
        access_log off;
    }

    # ── SPA fallback ─────────────────────────────────────────────────────────
    location / {
        try_files $uri $uri/ /index.html;
        # index.html must NOT be cached — it holds the asset URLs
        add_header Cache-Control "no-cache, no-store, must-revalidate";
    }

    # ── API proxy ─────────────────────────────────────────────────────────────
    location /api/ {
        proxy_pass             http://backend:8000;
        proxy_set_header       Host              $host;
        proxy_set_header       X-Real-IP         $remote_addr;
        proxy_set_header       X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header       X-Forwarded-Proto $scheme;

        # Large PCAP uploads need generous timeouts
        proxy_read_timeout     300s;
        proxy_connect_timeout  10s;
        proxy_send_timeout     300s;

        # Disable response buffering so streaming responses reach the client
        proxy_buffering        off;
    }

    # ── Health endpoint ───────────────────────────────────────────────────────
    location /health {
        proxy_pass       http://backend:8000;
        proxy_set_header Host $host;
        access_log       off;
    }

    # ── WebSocket ────────────────────────────────────────────────────────────
    location /ws {
        proxy_pass         http://backend:8000;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade    $http_upgrade;
        proxy_set_header   Connection "upgrade";
        proxy_set_header   Host       $host;
        proxy_set_header   X-Real-IP  $remote_addr;
        # Keep WS connections alive indefinitely
        proxy_read_timeout  86400s;
        proxy_send_timeout  86400s;
    }
}