m17hr1l/nibiru-framework.com
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a44df81b71df0520176517cb2037d28e26bd9053
nibiru-framework.com/docs/nginx/vhost.d/www.nibiru-framework.com_location
stephan a44df81b71 Split docs into apex + www containers, add nginx vhost overrides 
The acme-companion on the production host doesn't accept comma-separated
VIRTUAL_HOST / LETSENCRYPT_HOST values, so cert issuance was failing for
the combined `nibiru-framework.com,www.nibiru-framework.com` entry.

docker-compose.yml — now defines two services sharing the same image:
  - docs      → VIRTUAL_HOST=nibiru-framework.com (apex)
  - docs-www  → VIRTUAL_HOST=www.nibiru-framework.com (built once, reused)
A YAML anchor (x-docs-shared-env) keeps the Oracle/LLM/Anthropic config in
lockstep so the two containers can never drift.

docs/nginx/vhost.d/ — per-host nginx-proxy overrides applied at the
location-block level by jwilder/nginx-proxy. Both files set:
  - X-Forwarded-* trust + buffering off (Oracle SSE streaming)
  - HSTS / X-Content-Type / X-Frame / Referrer-Policy / Permissions-Policy
  - gzip with the right MIME set for Astro/Starlight assets
  - Aggressive cache on /_astro/ (immutable hashed bundles)
  - 30-day cache on images/fonts
  - no-store on /sw.js (so PWA updates land)
  - 24-hour cache on /llms.txt for AI crawlers
docs/nginx/README.md explains how to mount these into an existing
nginx-proxy (bind-mount + reload, or bake into the proxy image).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-08 15:45:02 +02:00

84 lines
2.8 KiB
Plaintext
Raw Blame History

# =============================================================================
# nginx vhost-location override for www.nibiru-framework.com
#
# Same hardening + caching rules as the apex (nibiru-framework.com_location).
# Kept as a separate file so the proxy applies them per-vhost — the www and
# apex containers each get their own server block in the generated config.
#
# If you ever decide to redirect www → apex (SEO canonical-URL pattern)
# instead of serving from a second container, replace this file's contents
# with a single `return 301 https://nibiru-framework.com$request_uri;` and
# drop the docs-www service from docker-compose.yml.
# =============================================================================
# Trust the X-Forwarded-* headers nginx-proxy already sets.
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
# Allow streaming responses (Oracle answer streaming, Pagefind dialogs).
proxy_buffering off;
proxy_request_buffering off;
proxy_http_version 1.1;
proxy_read_timeout 300s;
proxy_send_timeout 300s;
# WebSocket / SSE upgrade — harmless if the upstream never uses them.
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# Body size — generous; tighten if abuse becomes a concern.
client_max_body_size 25m;
# Compression.
gzip on;
gzip_vary on;
gzip_min_length 512;
gzip_proxied any;
gzip_comp_level 6;
gzip_types
text/plain
text/css
text/xml
application/xml
application/json
application/javascript
application/manifest+json
image/svg+xml
font/ttf
font/otf
application/font-woff
application/font-woff2;
# Security headers.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
# Hashed Astro/Starlight assets — 1 year, immutable.
location ~* ^/_astro/ {
expires 1y;
add_header Cache-Control "public, immutable, max-age=31536000";
}
# Static images / fonts — 30 days.
location ~* \.(png|jpg|jpeg|gif|webp|avif|ico|svg|woff|woff2|ttf|otf)$ {
expires 30d;
add_header Cache-Control "public, max-age=2592000";
}
# Service worker — never cache.
location = /sw.js {
expires off;
add_header Cache-Control "no-store, no-cache, must-revalidate";
}
# llms.txt — short cache for AI crawlers.
location = /llms.txt {
expires 1d;
add_header Cache-Control "public, max-age=86400";
}
Reference in New Issue View Git Blame Copy Permalink