55 lines
1.7 KiB
Plaintext
55 lines
1.7 KiB
Plaintext
# nginx reverse-proxy block for levcs-instance.
|
|
#
|
|
# Use this if your VPS already runs nginx (e.g. fronting Forgejo) and
|
|
# you'd rather add a server block than introduce Caddy. Assumes
|
|
# certbot-style cert paths; adjust for your own ACME setup.
|
|
#
|
|
# The instance terminates HTTP only — nginx handles TLS and forwards
|
|
# plaintext to 127.0.0.1:7117.
|
|
|
|
server {
|
|
listen 443 ssl http2;
|
|
listen [::]:443 ssl http2;
|
|
server_name levcs.example.com;
|
|
|
|
ssl_certificate /etc/letsencrypt/live/levcs.example.com/fullchain.pem;
|
|
ssl_certificate_key /etc/letsencrypt/live/levcs.example.com/privkey.pem;
|
|
|
|
# Federation surface and the operational health probe. Anything
|
|
# else returns 404 — no web UI exists yet, so be explicit.
|
|
location ~ ^/(levcs/v1|health) {
|
|
proxy_pass http://127.0.0.1:7117;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
|
|
# Pack responses can be large on a fresh clone. Long timeouts
|
|
# keep slow connections from being cut off mid-stream.
|
|
proxy_read_timeout 5m;
|
|
proxy_send_timeout 5m;
|
|
client_max_body_size 1g;
|
|
|
|
# Federation request signing covers the body via BLAKE3, so
|
|
# nginx must not buffer a request to a temp file and silently
|
|
# rewrite it — pass through unchanged.
|
|
proxy_request_buffering off;
|
|
}
|
|
|
|
location / {
|
|
return 404;
|
|
}
|
|
|
|
access_log /var/log/nginx/levcs.access.log;
|
|
error_log /var/log/nginx/levcs.error.log warn;
|
|
}
|
|
|
|
# HTTP → HTTPS redirect. Drop this if certbot manages it for you.
|
|
server {
|
|
listen 80;
|
|
listen [::]:80;
|
|
server_name levcs.example.com;
|
|
return 301 https://$host$request_uri;
|
|
}
|