m17hr1l/nibiru-framework.com
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Split docs into apex + www containers, add nginx vhost overrides

Browse Source 
The acme-companion on the production host doesn't accept comma-separated
VIRTUAL_HOST / LETSENCRYPT_HOST values, so cert issuance was failing for
the combined `nibiru-framework.com,www.nibiru-framework.com` entry.

docker-compose.yml — now defines two services sharing the same image:
  - docs      → VIRTUAL_HOST=nibiru-framework.com (apex)
  - docs-www  → VIRTUAL_HOST=www.nibiru-framework.com (built once, reused)
A YAML anchor (x-docs-shared-env) keeps the Oracle/LLM/Anthropic config in
lockstep so the two containers can never drift.

docs/nginx/vhost.d/ — per-host nginx-proxy overrides applied at the
location-block level by jwilder/nginx-proxy. Both files set:
  - X-Forwarded-* trust + buffering off (Oracle SSE streaming)
  - HSTS / X-Content-Type / X-Frame / Referrer-Policy / Permissions-Policy
  - gzip with the right MIME set for Astro/Starlight assets
  - Aggressive cache on /_astro/ (immutable hashed bundles)
  - 30-day cache on images/fonts
  - no-store on /sw.js (so PWA updates land)
  - 24-hour cache on /llms.txt for AI crawlers
docs/nginx/README.md explains how to mount these into an existing
nginx-proxy (bind-mount + reload, or bake into the proxy image).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
stephan
2026-05-08 15:45:02 +02:00
parent 5be20ebd08
commit a44df81b71
4 changed files with 297 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

60
docs/nginx/README.md Normal file
View File

@@ -0,0 +1,60 @@
# nginx vhost overrides for nibiru-framework.com
These files are picked up by **jwilder/nginx-proxy** when mounted into the
proxy container at `/etc/nginx/vhost.d/`. They hold per-vhost hardening
and cache rules for the docs site (apex + www).
## What's here
- `vhost.d/nibiru-framework.com_location` — apex domain rules
- `vhost.d/www.nibiru-framework.com_location` — www variant (identical rules)
Both files contain the same hardening (security headers, gzip, caching for
hashed Astro assets, no-cache for the service worker, …). They are kept
separate so adding a www → apex redirect later is a one-file change.
## Wiring into an existing nginx-proxy
The proxy container needs to read `/etc/nginx/vhost.d/`. Two common patterns:
### 1. Bind-mount a directory on the host
If your nginx-proxy is started with something like:
```yaml
volumes:
- /srv/nginx-proxy/vhost.d:/etc/nginx/vhost.d:ro
```
then copy these files into that directory on the host:
```sh
sudo install -d /srv/nginx-proxy/vhost.d
sudo cp docs/nginx/vhost.d/* /srv/nginx-proxy/vhost.d/
sudo docker exec nginx-proxy nginx -s reload
```
Repeat the `cp` + reload after every change.
### 2. Bake them into the proxy image
If you build your own nginx-proxy image, `COPY docs/nginx/vhost.d/* /etc/nginx/vhost.d/`
in its Dockerfile. Then `docker compose up -d --build` on the proxy.
## Verifying
Once mounted and reloaded:
```sh
docker exec nginx-proxy nginx -T \
| grep -A5 "server_name nibiru-framework.com"
```
You should see the proxy_buffering off, gzip, and security-header lines
from this directory inlined into the generated server block.
## Why two containers (and not one with a comma-separated VIRTUAL_HOST)
The acme-companion on this host does not handle comma-separated values in
`VIRTUAL_HOST` / `LETSENCRYPT_HOST` reliably — cert issuance fails. The fix
is to run one docs container per hostname (see `docker-compose.yml`).