archy/image-recipe/configs/external-app-proxies.conf

# External web-only apps — reverse proxy to strip X-Frame-Options for iframe embedding
# Used by appLauncher.ts EXTERNAL_PROXY_PORT mapping
# Deployed to /etc/nginx/conf.d/external-app-proxies.conf

# 484 Kitchen (484.kitchen) → port 8902
server {
    listen 8902;
    server_name _;
    resolver 1.1.1.1 8.8.8.8 valid=300s;
    resolver_timeout 5s;

    location / {
        set $upstream_484 https://484.kitchen;
        proxy_pass $upstream_484;
        proxy_http_version 1.1;
        proxy_set_header Host 484.kitchen;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Accept-Encoding "";
        proxy_ssl_server_name on;
        proxy_ssl_name 484.kitchen;
        proxy_hide_header X-Frame-Options;
        add_header X-Frame-Options "SAMEORIGIN" always;
        proxy_hide_header Content-Security-Policy;
        proxy_connect_timeout 60s;
        proxy_read_timeout 60s;

        proxy_redirect https://484.kitchen/ /;
        sub_filter_once off;
        sub_filter_types text/html text/css application/javascript;
    }
}

# Arch Presentation (present.l484.com) → port 8903
server {
    listen 8903;
    server_name _;
    resolver 1.1.1.1 8.8.8.8 valid=300s;
    resolver_timeout 5s;

    location / {
        set $upstream_present https://present.l484.com;
        proxy_pass $upstream_present;
        proxy_http_version 1.1;
        proxy_set_header Host present.l484.com;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Accept-Encoding "";
        proxy_ssl_server_name on;
        proxy_ssl_name present.l484.com;
        proxy_hide_header X-Frame-Options;
        add_header X-Frame-Options "SAMEORIGIN" always;
        proxy_hide_header Content-Security-Policy;
        proxy_connect_timeout 60s;
        proxy_read_timeout 60s;

        proxy_redirect https://present.l484.com/ /;
        sub_filter_once off;
        sub_filter_types text/html text/css application/javascript;
    }
}
patches on sxsw ai working api key working container hardened plus many more 2026-03-12 22:19:04 +00:00			`# External web-only apps — reverse proxy to strip X-Frame-Options for iframe embedding`
			`# Used by appLauncher.ts EXTERNAL_PROXY_PORT mapping`
			`# Deployed to /etc/nginx/conf.d/external-app-proxies.conf`

			`# 484 Kitchen (484.kitchen) → port 8902`
			`server {`
			`listen 8902;`
			`server_name _;`
fix: move resolver directives into server blocks in external-app-proxies Prevents duplicate resolver directive error when both nginx-archipelago.conf and external-app-proxies.conf are loaded at http context level. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-11 16:57:58 -04:00			`resolver 1.1.1.1 8.8.8.8 valid=300s;`
			`resolver_timeout 5s;`
patches on sxsw ai working api key working container hardened plus many more 2026-03-12 22:19:04 +00:00
			`location / {`
			`set $upstream_484 https://484.kitchen;`
			`proxy_pass $upstream_484;`
			`proxy_http_version 1.1;`
			`proxy_set_header Host 484.kitchen;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $scheme;`
			`proxy_set_header Accept-Encoding "";`
			`proxy_ssl_server_name on;`
			`proxy_ssl_name 484.kitchen;`
			`proxy_hide_header X-Frame-Options;`
feat: Phase 6 — nginx security headers, CSP hardening, rate limiting - CSP: removed unsafe-eval, tightened frame-src to self + host ports, added frame-ancestors, base-uri, form-action directives - X-Frame-Options: SAMEORIGIN added after proxy_hide_header on all app proxies - HSTS: max-age=31536000; includeSubDomains on all server blocks - Rate limiting: 20r/s on /rpc/ with burst=40, 3r/s auth zone - Added X-DNS-Prefetch-Control, Permissions-Policy payment=() header Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-18 00:57:16 +00:00			`add_header X-Frame-Options "SAMEORIGIN" always;`
patches on sxsw ai working api key working container hardened plus many more 2026-03-12 22:19:04 +00:00			`proxy_hide_header Content-Security-Policy;`
			`proxy_connect_timeout 60s;`
			`proxy_read_timeout 60s;`

			`proxy_redirect https://484.kitchen/ /;`
			`sub_filter_once off;`
			`sub_filter_types text/html text/css application/javascript;`
			`}`
			`}`

			`# Arch Presentation (present.l484.com) → port 8903`
			`server {`
			`listen 8903;`
			`server_name _;`
fix: move resolver directives into server blocks in external-app-proxies Prevents duplicate resolver directive error when both nginx-archipelago.conf and external-app-proxies.conf are loaded at http context level. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-04-11 16:57:58 -04:00			`resolver 1.1.1.1 8.8.8.8 valid=300s;`
			`resolver_timeout 5s;`
patches on sxsw ai working api key working container hardened plus many more 2026-03-12 22:19:04 +00:00
			`location / {`
			`set $upstream_present https://present.l484.com;`
			`proxy_pass $upstream_present;`
			`proxy_http_version 1.1;`
			`proxy_set_header Host present.l484.com;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $scheme;`
			`proxy_set_header Accept-Encoding "";`
			`proxy_ssl_server_name on;`
			`proxy_ssl_name present.l484.com;`
			`proxy_hide_header X-Frame-Options;`
feat: Phase 6 — nginx security headers, CSP hardening, rate limiting - CSP: removed unsafe-eval, tightened frame-src to self + host ports, added frame-ancestors, base-uri, form-action directives - X-Frame-Options: SAMEORIGIN added after proxy_hide_header on all app proxies - HSTS: max-age=31536000; includeSubDomains on all server blocks - Rate limiting: 20r/s on /rpc/ with burst=40, 3r/s auth zone - Added X-DNS-Prefetch-Control, Permissions-Policy payment=() header Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-18 00:57:16 +00:00			`add_header X-Frame-Options "SAMEORIGIN" always;`
patches on sxsw ai working api key working container hardened plus many more 2026-03-12 22:19:04 +00:00			`proxy_hide_header Content-Security-Policy;`
			`proxy_connect_timeout 60s;`
			`proxy_read_timeout 60s;`

			`proxy_redirect https://present.l484.com/ /;`
			`sub_filter_once off;`
			`sub_filter_types text/html text/css application/javascript;`
			`}`
			`}`