Spaces:
Sleeping
Sleeping
| # Non-root nginx configuration | |
| worker_processes auto; | |
| pid /home/node/logs/nginx.pid; | |
| events { | |
| worker_connections 1024; | |
| } | |
| http { | |
| include /etc/nginx/mime.types; | |
| default_type application/octet-stream; | |
| # Logging to node user-writable directory | |
| access_log /home/node/logs/nginx_access.log; | |
| error_log /home/node/logs/nginx_error.log; | |
| # Gzip compression | |
| gzip on; | |
| gzip_vary on; | |
| gzip_min_length 1024; | |
| gzip_types text/plain text/css text/xml text/javascript application/javascript application/xml+rss application/json; | |
| # Backend upstream | |
| upstream backend { | |
| server 127.0.0.1:8000; | |
| } | |
| # Frontend upstream | |
| upstream frontend { | |
| server 127.0.0.1:3000; | |
| } | |
| server { | |
| listen 7860; | |
| server_name _; | |
| # Security headers (X-Frame-Options removed to allow iframe embedding in Hugging Face Spaces) | |
| add_header X-Content-Type-Options "nosniff" always; | |
| add_header X-XSS-Protection "1; mode=block" always; | |
| add_header Referrer-Policy "strict-origin-when-cross-origin" always; | |
| # Content Security Policy - allow iframe embedding and upgrade insecure requests | |
| add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors *" always; | |
| # Proxy frontend requests to Next.js server | |
| location / { | |
| proxy_pass http://frontend; | |
| proxy_set_header Host $host; | |
| proxy_set_header X-Real-IP $remote_addr; | |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
| proxy_set_header X-Forwarded-Proto $scheme; | |
| # Support for Next.js hot reload and WebSocket connections | |
| proxy_http_version 1.1; | |
| proxy_set_header Upgrade $http_upgrade; | |
| proxy_set_header Connection "upgrade"; | |
| # Cache static assets served by Next.js | |
| location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ { | |
| proxy_pass http://frontend; | |
| proxy_set_header Host $host; | |
| expires 1y; | |
| add_header Cache-Control "public, immutable"; | |
| } | |
| } | |
| # Proxy API requests to FastAPI backend (all backend endpoints) | |
| # The trailing slash in proxy_pass is crucial for path rewriting | |
| location /api/ { | |
| proxy_pass http://backend/; | |
| proxy_set_header Host $host; | |
| proxy_set_header X-Real-IP $remote_addr; | |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
| proxy_set_header X-Forwarded-Proto $scheme; | |
| # Add debug headers to help troubleshooting | |
| add_header X-Debug-Original-URI $request_uri always; | |
| add_header X-Debug-Proxy-Pass "backend" always; | |
| # Handle CORS | |
| add_header Access-Control-Allow-Origin *; | |
| add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, PUT, DELETE"; | |
| add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"; | |
| # Handle preflight requests | |
| if ($request_method = 'OPTIONS') { | |
| add_header Access-Control-Allow-Origin *; | |
| add_header Access-Control-Allow-Methods "GET, POST, OPTIONS, PUT, DELETE"; | |
| add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization"; | |
| add_header Access-Control-Max-Age 86400; | |
| add_header Content-Type "text/plain; charset=utf-8"; | |
| add_header Content-Length 0; | |
| return 204; | |
| } | |
| # SSE specific settings for streaming endpoints | |
| proxy_buffering off; | |
| proxy_cache off; | |
| proxy_set_header Connection ''; | |
| proxy_http_version 1.1; | |
| chunked_transfer_encoding off; | |
| # Enable streaming timeouts | |
| proxy_read_timeout 24h; | |
| proxy_connect_timeout 60s; | |
| proxy_send_timeout 60s; | |
| } | |
| } | |
| } | |