m17hr1l/nibiru-framework.com
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a44df81b71df0520176517cb2037d28e26bd9053
nibiru-framework.com/docs/nginx/vhost.d/nibiru-framework.com_location
stephan a44df81b71 Split docs into apex + www containers, add nginx vhost overrides 
The acme-companion on the production host doesn't accept comma-separated
VIRTUAL_HOST / LETSENCRYPT_HOST values, so cert issuance was failing for
the combined `nibiru-framework.com,www.nibiru-framework.com` entry.

docker-compose.yml — now defines two services sharing the same image:
  - docs      → VIRTUAL_HOST=nibiru-framework.com (apex)
  - docs-www  → VIRTUAL_HOST=www.nibiru-framework.com (built once, reused)
A YAML anchor (x-docs-shared-env) keeps the Oracle/LLM/Anthropic config in
lockstep so the two containers can never drift.

docs/nginx/vhost.d/ — per-host nginx-proxy overrides applied at the
location-block level by jwilder/nginx-proxy. Both files set:
  - X-Forwarded-* trust + buffering off (Oracle SSE streaming)
  - HSTS / X-Content-Type / X-Frame / Referrer-Policy / Permissions-Policy
  - gzip with the right MIME set for Astro/Starlight assets
  - Aggressive cache on /_astro/ (immutable hashed bundles)
  - 30-day cache on images/fonts
  - no-store on /sw.js (so PWA updates land)
  - 24-hour cache on /llms.txt for AI crawlers
docs/nginx/README.md explains how to mount these into an existing
nginx-proxy (bind-mount + reload, or bake into the proxy image).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-08 15:45:02 +02:00

90 lines
3.2 KiB
Plaintext
Raw Blame History

# =============================================================================
# nginx vhost-location override for nibiru-framework.com (apex)
#
# Picked up by jwilder/nginx-proxy when this file is mounted into the proxy
# container at /etc/nginx/vhost.d/<host>_location.
#
# Pattern:
# -v /srv/nginx-proxy/vhost.d:/etc/nginx/vhost.d:ro
# on the proxy, then `cp docs/nginx/vhost.d/* /srv/nginx-proxy/vhost.d/`
# on the host (or symlink).
#
# Each rule is scoped to the location { } block of the generated server,
# so we DON'T re-declare server, listen, server_name, ssl_*, etc.
# =============================================================================
# Trust the X-Forwarded-* headers nginx-proxy already sets, so the upstream
# Astro server sees the real client IP and scheme.
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
# Allow streaming responses (Oracle answer streaming, Pagefind dialogs).
proxy_buffering off;
proxy_request_buffering off;
proxy_http_version 1.1;
proxy_read_timeout 300s;
proxy_send_timeout 300s;
# WebSocket / SSE upgrade — harmless if the upstream never uses them.
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Body size — large enough for the LoRA corpus uploads (cap is generous;
# tighten if abuse becomes a concern).
client_max_body_size 25m;
# Compression — Astro emits text-heavy assets that gzip well.
gzip on;
gzip_vary on;
gzip_min_length 512;
gzip_proxied any;
gzip_comp_level 6;
gzip_types
text/plain
text/css
text/xml
application/xml
application/json
application/javascript
application/manifest+json
image/svg+xml
font/ttf
font/otf
application/font-woff
application/font-woff2;
# Security headers — same set sent on every request.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
# Cache hashed Astro/Starlight assets aggressively (1 year, immutable).
# The dev server hashes filenames via Vite, so cache-busting is automatic.
location ~* ^/_astro/ {
expires 1y;
add_header Cache-Control "public, immutable, max-age=31536000";
}
# Static images / fonts / pwa manifest — long cache, mutable so a deploy
# can invalidate by changing the file.
location ~* \.(png|jpg|jpeg|gif|webp|avif|ico|svg|woff|woff2|ttf|otf)$ {
expires 30d;
add_header Cache-Control "public, max-age=2592000";
}
# Service worker MUST NOT be cached — needed for PWA updates to land.
location = /sw.js {
expires off;
add_header Cache-Control "no-store, no-cache, must-revalidate";
}
# llms.txt is small; let it cache for a day so AI crawlers don't hammer it.
location = /llms.txt {
expires 1d;
add_header Cache-Control "public, max-age=86400";
}
Reference in New Issue View Git Blame Copy Permalink