# popup-proxy.conf — same-origin reverse proxy for popups.js providers # whose upstream APIs do not send CORS headers (arXiv, NCBI/PubMed, # Internet Archive). All three return immutable metadata, so the cache # TTL is generous; a manual `proxy_cache_purge` is unnecessary. # # Place this file at /etc/nginx/snippets/popup-proxy.conf and `include` # it inside the server { } block of the levineuwirth.org vhost. The # `proxy_cache_path` directive must live in the http { } context — put # it in nginx.conf or the relevant conf.d/ file. # # http { # proxy_cache_path /var/cache/nginx/popup-proxy # levels=1:2 keys_zone=popup_proxy:16m # max_size=512m inactive=60d use_temp_path=off; # ... # } # # server { # server_name levineuwirth.org; # ... # include snippets/popup-proxy.conf; # } # Shared resolver — needed because proxy_pass uses a variable upstream # (literal upstreams are resolved once at startup; variables defer DNS # to request time, which lets nginx start without the upstream being # reachable and survives upstream IP changes). resolver 1.1.1.1 8.8.8.8 ipv6=off valid=300s; resolver_timeout 5s; # ── arXiv ──────────────────────────────────────────────────────────── # Atom feed of paper metadata. Abstracts never change after publication # (revisions get distinct IDs like 2604.06217v2), so 30d is safe. location /proxy/arxiv/ { set $upstream_arxiv export.arxiv.org; proxy_pass https://$upstream_arxiv/; proxy_set_header Host $upstream_arxiv; proxy_set_header User-Agent "levineuwirth.org popup-proxy (ln@levineuwirth.org)"; proxy_ssl_server_name on; proxy_cache popup_proxy; proxy_cache_valid 200 30d; proxy_cache_valid any 5m; proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; proxy_cache_lock on; add_header X-Cache-Status $upstream_cache_status always; # Belt-and-suspenders: even though same-origin doesn't need CORS, a # future migration of popups.js to a worker or different origin would. add_header Access-Control-Allow-Origin "$scheme://$host" always; } # ── Internet Archive ───────────────────────────────────────────────── # Item metadata JSON. Item descriptions are author-edited and could # change, but rarely; 7d strikes a reasonable balance. location /proxy/archive/ { set $upstream_archive archive.org; proxy_pass https://$upstream_archive/; proxy_set_header Host $upstream_archive; proxy_set_header User-Agent "levineuwirth.org popup-proxy (ln@levineuwirth.org)"; proxy_ssl_server_name on; proxy_cache popup_proxy; proxy_cache_valid 200 7d; proxy_cache_valid any 5m; proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; proxy_cache_lock on; add_header X-Cache-Status $upstream_cache_status always; add_header Access-Control-Allow-Origin "$scheme://$host" always; } # ── PubMed (NCBI E-utilities) ──────────────────────────────────────── # Article summaries. NCBI requests a tool=/email= identifier on every # request (https://www.ncbi.nlm.nih.gov/books/NBK25497/); we inject # them server-side so popups.js stays focused on rendering. location /proxy/pubmed/ { set $upstream_pubmed eutils.ncbi.nlm.nih.gov; proxy_pass https://$upstream_pubmed/; proxy_set_header Host $upstream_pubmed; proxy_set_header User-Agent "levineuwirth.org popup-proxy (ln@levineuwirth.org)"; proxy_ssl_server_name on; # NCBI etiquette: rate-limit to <3 req/s without an API key. With # caching this is rarely exercised, but the burst guards a hot page. limit_req zone=pubmed burst=3 nodelay; proxy_cache popup_proxy; proxy_cache_valid 200 30d; proxy_cache_valid any 5m; proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504; proxy_cache_lock on; add_header X-Cache-Status $upstream_cache_status always; add_header Access-Control-Allow-Origin "$scheme://$host" always; } # Companion directive for the limit_req above. Place in http { } context: # # http { # limit_req_zone $binary_remote_addr zone=pubmed:1m rate=3r/s; # ... # }