lfg2025/archy
1
0
Fork 0
Code Issues 9 Pull Requests Actions Packages Projects Releases 44 Wiki Activity
archy/image-recipe/configs/snippets/archipelago-https-app-proxies.conf

359 lines
14 KiB
Plaintext
Raw Normal View History

chore: sync ISO build configs with live server state - Add nginx snippets (PWA, HTTPS app proxies) to image-recipe/configs/ - Update build script Dockerfile to install openssl, generate self-signed SSL cert, copy nginx snippets, and create Cloud dummy directories - Ensures fresh ISO installs have working HTTPS, PWA installability, and pre-created Cloud storage folders Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 08:34:53 +00:00
# App proxies for HTTPS - avoids mixed content when embedding apps from HTTPS page
# Complete list for all apps that may be launched from the UI
location /app/grafana/ {
proxy_pass http://127.0.0.1:3000/;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_hide_header X-Frame-Options;
feat: Phase 6 — nginx security headers, CSP hardening, rate limiting - CSP: removed unsafe-eval, tightened frame-src to self + host ports, added frame-ancestors, base-uri, form-action directives - X-Frame-Options: SAMEORIGIN added after proxy_hide_header on all app proxies - HSTS: max-age=31536000; includeSubDomains on all server blocks - Rate limiting: 20r/s on /rpc/ with burst=40, 3r/s auth zone - Added X-DNS-Prefetch-Control, Permissions-Policy payment=() header Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 00:57:16 +00:00
add_header X-Frame-Options "SAMEORIGIN" always;
chore: sync ISO build configs with live server state - Add nginx snippets (PWA, HTTPS app proxies) to image-recipe/configs/ - Update build script Dockerfile to install openssl, generate self-signed SSL cert, copy nginx snippets, and create Cloud dummy directories - Ensures fresh ISO installs have working HTTPS, PWA installability, and pre-created Cloud storage folders Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 08:34:53 +00:00
proxy_hide_header Content-Security-Policy;
feat: inject NIP-07 nostr-provider.js into all nginx app proxy blocks Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-12 23:21:15 +00:00
proxy_set_header Accept-Encoding "";
sub_filter_once on;
sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
chore: sync ISO build configs with live server state - Add nginx snippets (PWA, HTTPS app proxies) to image-recipe/configs/ - Update build script Dockerfile to install openssl, generate self-signed SSL cert, copy nginx snippets, and create Cloud dummy directories - Ensures fresh ISO installs have working HTTPS, PWA installability, and pre-created Cloud storage folders Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 08:34:53 +00:00
}
location /app/uptime-kuma/ {
proxy_pass http://127.0.0.1:3001/;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_hide_header X-Frame-Options;
feat: Phase 6 — nginx security headers, CSP hardening, rate limiting - CSP: removed unsafe-eval, tightened frame-src to self + host ports, added frame-ancestors, base-uri, form-action directives - X-Frame-Options: SAMEORIGIN added after proxy_hide_header on all app proxies - HSTS: max-age=31536000; includeSubDomains on all server blocks - Rate limiting: 20r/s on /rpc/ with burst=40, 3r/s auth zone - Added X-DNS-Prefetch-Control, Permissions-Policy payment=() header Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 00:57:16 +00:00
add_header X-Frame-Options "SAMEORIGIN" always;
chore: sync ISO build configs with live server state - Add nginx snippets (PWA, HTTPS app proxies) to image-recipe/configs/ - Update build script Dockerfile to install openssl, generate self-signed SSL cert, copy nginx snippets, and create Cloud dummy directories - Ensures fresh ISO installs have working HTTPS, PWA installability, and pre-created Cloud storage folders Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 08:34:53 +00:00
proxy_hide_header Content-Security-Policy;
feat: inject NIP-07 nostr-provider.js into all nginx app proxy blocks Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-12 23:21:15 +00:00
proxy_set_header Accept-Encoding "";
sub_filter_once on;
sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
chore: sync ISO build configs with live server state - Add nginx snippets (PWA, HTTPS app proxies) to image-recipe/configs/ - Update build script Dockerfile to install openssl, generate self-signed SSL cert, copy nginx snippets, and create Cloud dummy directories - Ensures fresh ISO installs have working HTTPS, PWA installability, and pre-created Cloud storage folders Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 08:34:53 +00:00
}
location /app/searxng/ {
proxy_pass http://127.0.0.1:8888/;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_hide_header X-Frame-Options;
feat: Phase 6 — nginx security headers, CSP hardening, rate limiting - CSP: removed unsafe-eval, tightened frame-src to self + host ports, added frame-ancestors, base-uri, form-action directives - X-Frame-Options: SAMEORIGIN added after proxy_hide_header on all app proxies - HSTS: max-age=31536000; includeSubDomains on all server blocks - Rate limiting: 20r/s on /rpc/ with burst=40, 3r/s auth zone - Added X-DNS-Prefetch-Control, Permissions-Policy payment=() header Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 00:57:16 +00:00
add_header X-Frame-Options "SAMEORIGIN" always;
chore: sync ISO build configs with live server state - Add nginx snippets (PWA, HTTPS app proxies) to image-recipe/configs/ - Update build script Dockerfile to install openssl, generate self-signed SSL cert, copy nginx snippets, and create Cloud dummy directories - Ensures fresh ISO installs have working HTTPS, PWA installability, and pre-created Cloud storage folders Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 08:34:53 +00:00
proxy_hide_header Content-Security-Policy;
feat: inject NIP-07 nostr-provider.js into all nginx app proxy blocks Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-12 23:21:15 +00:00
proxy_set_header Accept-Encoding "";
sub_filter_once on;
sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
chore: sync ISO build configs with live server state - Add nginx snippets (PWA, HTTPS app proxies) to image-recipe/configs/ - Update build script Dockerfile to install openssl, generate self-signed SSL cert, copy nginx snippets, and create Cloud dummy directories - Ensures fresh ISO installs have working HTTPS, PWA installability, and pre-created Cloud storage folders Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 08:34:53 +00:00
}
location /app/portainer/ {
proxy_pass http://127.0.0.1:9000/;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_hide_header X-Frame-Options;
feat: Phase 6 — nginx security headers, CSP hardening, rate limiting - CSP: removed unsafe-eval, tightened frame-src to self + host ports, added frame-ancestors, base-uri, form-action directives - X-Frame-Options: SAMEORIGIN added after proxy_hide_header on all app proxies - HSTS: max-age=31536000; includeSubDomains on all server blocks - Rate limiting: 20r/s on /rpc/ with burst=40, 3r/s auth zone - Added X-DNS-Prefetch-Control, Permissions-Policy payment=() header Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 00:57:16 +00:00
add_header X-Frame-Options "SAMEORIGIN" always;
chore: sync ISO build configs with live server state - Add nginx snippets (PWA, HTTPS app proxies) to image-recipe/configs/ - Update build script Dockerfile to install openssl, generate self-signed SSL cert, copy nginx snippets, and create Cloud dummy directories - Ensures fresh ISO installs have working HTTPS, PWA installability, and pre-created Cloud storage folders Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 08:34:53 +00:00
proxy_hide_header Content-Security-Policy;
feat: inject NIP-07 nostr-provider.js into all nginx app proxy blocks Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-12 23:21:15 +00:00
proxy_set_header Accept-Encoding "";
sub_filter_once on;
sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
chore: sync ISO build configs with live server state - Add nginx snippets (PWA, HTTPS app proxies) to image-recipe/configs/ - Update build script Dockerfile to install openssl, generate self-signed SSL cert, copy nginx snippets, and create Cloud dummy directories - Ensures fresh ISO installs have working HTTPS, PWA installability, and pre-created Cloud storage folders Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 08:34:53 +00:00
}
location /app/filebrowser/ {
client_max_body_size 10G;
proxy_pass http://127.0.0.1:8083/;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_hide_header X-Frame-Options;
feat: Phase 6 — nginx security headers, CSP hardening, rate limiting - CSP: removed unsafe-eval, tightened frame-src to self + host ports, added frame-ancestors, base-uri, form-action directives - X-Frame-Options: SAMEORIGIN added after proxy_hide_header on all app proxies - HSTS: max-age=31536000; includeSubDomains on all server blocks - Rate limiting: 20r/s on /rpc/ with burst=40, 3r/s auth zone - Added X-DNS-Prefetch-Control, Permissions-Policy payment=() header Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 00:57:16 +00:00
add_header X-Frame-Options "SAMEORIGIN" always;
chore: sync ISO build configs with live server state - Add nginx snippets (PWA, HTTPS app proxies) to image-recipe/configs/ - Update build script Dockerfile to install openssl, generate self-signed SSL cert, copy nginx snippets, and create Cloud dummy directories - Ensures fresh ISO installs have working HTTPS, PWA installability, and pre-created Cloud storage folders Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 08:34:53 +00:00
proxy_hide_header Content-Security-Policy;
proxy_request_buffering off;
feat: inject NIP-07 nostr-provider.js into all nginx app proxy blocks Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-12 23:21:15 +00:00
proxy_set_header Accept-Encoding "";
sub_filter_once on;
sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
chore: sync ISO build configs with live server state - Add nginx snippets (PWA, HTTPS app proxies) to image-recipe/configs/ - Update build script Dockerfile to install openssl, generate self-signed SSL cert, copy nginx snippets, and create Cloud dummy directories - Ensures fresh ISO installs have working HTTPS, PWA installability, and pre-created Cloud storage folders Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 08:34:53 +00:00
}
location /app/endurain/ {
proxy_pass http://127.0.0.1:8080/;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_hide_header X-Frame-Options;
feat: Phase 6 — nginx security headers, CSP hardening, rate limiting - CSP: removed unsafe-eval, tightened frame-src to self + host ports, added frame-ancestors, base-uri, form-action directives - X-Frame-Options: SAMEORIGIN added after proxy_hide_header on all app proxies - HSTS: max-age=31536000; includeSubDomains on all server blocks - Rate limiting: 20r/s on /rpc/ with burst=40, 3r/s auth zone - Added X-DNS-Prefetch-Control, Permissions-Policy payment=() header Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 00:57:16 +00:00
add_header X-Frame-Options "SAMEORIGIN" always;
chore: sync ISO build configs with live server state - Add nginx snippets (PWA, HTTPS app proxies) to image-recipe/configs/ - Update build script Dockerfile to install openssl, generate self-signed SSL cert, copy nginx snippets, and create Cloud dummy directories - Ensures fresh ISO installs have working HTTPS, PWA installability, and pre-created Cloud storage folders Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 08:34:53 +00:00
proxy_hide_header Content-Security-Policy;
feat: inject NIP-07 nostr-provider.js into all nginx app proxy blocks Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-12 23:21:15 +00:00
proxy_set_header Accept-Encoding "";
sub_filter_once on;
sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
chore: sync ISO build configs with live server state - Add nginx snippets (PWA, HTTPS app proxies) to image-recipe/configs/ - Update build script Dockerfile to install openssl, generate self-signed SSL cert, copy nginx snippets, and create Cloud dummy directories - Ensures fresh ISO installs have working HTTPS, PWA installability, and pre-created Cloud storage folders Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 08:34:53 +00:00
}
location /app/lnd/ {
proxy_pass http://127.0.0.1:8081/;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_hide_header X-Frame-Options;
feat: Phase 6 — nginx security headers, CSP hardening, rate limiting - CSP: removed unsafe-eval, tightened frame-src to self + host ports, added frame-ancestors, base-uri, form-action directives - X-Frame-Options: SAMEORIGIN added after proxy_hide_header on all app proxies - HSTS: max-age=31536000; includeSubDomains on all server blocks - Rate limiting: 20r/s on /rpc/ with burst=40, 3r/s auth zone - Added X-DNS-Prefetch-Control, Permissions-Policy payment=() header Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 00:57:16 +00:00
add_header X-Frame-Options "SAMEORIGIN" always;
chore: sync ISO build configs with live server state - Add nginx snippets (PWA, HTTPS app proxies) to image-recipe/configs/ - Update build script Dockerfile to install openssl, generate self-signed SSL cert, copy nginx snippets, and create Cloud dummy directories - Ensures fresh ISO installs have working HTTPS, PWA installability, and pre-created Cloud storage folders Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 08:34:53 +00:00
proxy_hide_header Content-Security-Policy;
proxy_read_timeout 300s;
proxy_send_timeout 300s;
feat: inject NIP-07 nostr-provider.js into all nginx app proxy blocks Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-12 23:21:15 +00:00
proxy_set_header Accept-Encoding "";
sub_filter_once on;
sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
chore: sync ISO build configs with live server state - Add nginx snippets (PWA, HTTPS app proxies) to image-recipe/configs/ - Update build script Dockerfile to install openssl, generate self-signed SSL cert, copy nginx snippets, and create Cloud dummy directories - Ensures fresh ISO installs have working HTTPS, PWA installability, and pre-created Cloud storage folders Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 08:34:53 +00:00
}
location /app/onlyoffice/ {
fix: correct port mappings for all container iframes/tabs Nginx (HTTP+HTTPS): OnlyOffice 9980→8044, Fedimint 8175→8174, NPM 81→8181, Tailscale removed (no web UI). Frontend: corrected APP_PORTS, added HTTPS_PROXY_PATHS for portainer/ npm/uptime-kuma/homeassistant/vaultwarden/photoprism/fedimintd. Added portainer/onlyoffice/npm to NEW_TAB_APPS (X-Frame-Options). Backend: PodmanClient + docker_packages port corrections. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 16:56:17 +00:00
proxy_pass http://127.0.0.1:8044/;
chore: sync ISO build configs with live server state - Add nginx snippets (PWA, HTTPS app proxies) to image-recipe/configs/ - Update build script Dockerfile to install openssl, generate self-signed SSL cert, copy nginx snippets, and create Cloud dummy directories - Ensures fresh ISO installs have working HTTPS, PWA installability, and pre-created Cloud storage folders Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 08:34:53 +00:00
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_hide_header X-Frame-Options;
feat: Phase 6 — nginx security headers, CSP hardening, rate limiting - CSP: removed unsafe-eval, tightened frame-src to self + host ports, added frame-ancestors, base-uri, form-action directives - X-Frame-Options: SAMEORIGIN added after proxy_hide_header on all app proxies - HSTS: max-age=31536000; includeSubDomains on all server blocks - Rate limiting: 20r/s on /rpc/ with burst=40, 3r/s auth zone - Added X-DNS-Prefetch-Control, Permissions-Policy payment=() header Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 00:57:16 +00:00
add_header X-Frame-Options "SAMEORIGIN" always;
chore: sync ISO build configs with live server state - Add nginx snippets (PWA, HTTPS app proxies) to image-recipe/configs/ - Update build script Dockerfile to install openssl, generate self-signed SSL cert, copy nginx snippets, and create Cloud dummy directories - Ensures fresh ISO installs have working HTTPS, PWA installability, and pre-created Cloud storage folders Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 08:34:53 +00:00
proxy_hide_header Content-Security-Policy;
feat: inject NIP-07 nostr-provider.js into all nginx app proxy blocks Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-12 23:21:15 +00:00
proxy_set_header Accept-Encoding "";
sub_filter_once on;
sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
chore: sync ISO build configs with live server state - Add nginx snippets (PWA, HTTPS app proxies) to image-recipe/configs/ - Update build script Dockerfile to install openssl, generate self-signed SSL cert, copy nginx snippets, and create Cloud dummy directories - Ensures fresh ISO installs have working HTTPS, PWA installability, and pre-created Cloud storage folders Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 08:34:53 +00:00
}
location /app/jellyfin/ {
proxy_pass http://127.0.0.1:8096/;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_hide_header X-Frame-Options;
feat: Phase 6 — nginx security headers, CSP hardening, rate limiting - CSP: removed unsafe-eval, tightened frame-src to self + host ports, added frame-ancestors, base-uri, form-action directives - X-Frame-Options: SAMEORIGIN added after proxy_hide_header on all app proxies - HSTS: max-age=31536000; includeSubDomains on all server blocks - Rate limiting: 20r/s on /rpc/ with burst=40, 3r/s auth zone - Added X-DNS-Prefetch-Control, Permissions-Policy payment=() header Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 00:57:16 +00:00
add_header X-Frame-Options "SAMEORIGIN" always;
chore: sync ISO build configs with live server state - Add nginx snippets (PWA, HTTPS app proxies) to image-recipe/configs/ - Update build script Dockerfile to install openssl, generate self-signed SSL cert, copy nginx snippets, and create Cloud dummy directories - Ensures fresh ISO installs have working HTTPS, PWA installability, and pre-created Cloud storage folders Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 08:34:53 +00:00
proxy_hide_header Content-Security-Policy;
feat: inject NIP-07 nostr-provider.js into all nginx app proxy blocks Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-12 23:21:15 +00:00
proxy_set_header Accept-Encoding "";
sub_filter_once on;
sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
chore: sync ISO build configs with live server state - Add nginx snippets (PWA, HTTPS app proxies) to image-recipe/configs/ - Update build script Dockerfile to install openssl, generate self-signed SSL cert, copy nginx snippets, and create Cloud dummy directories - Ensures fresh ISO installs have working HTTPS, PWA installability, and pre-created Cloud storage folders Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 08:34:53 +00:00
}
location /app/photoprism/ {
proxy_pass http://127.0.0.1:2342/;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_hide_header X-Frame-Options;
feat: Phase 6 — nginx security headers, CSP hardening, rate limiting - CSP: removed unsafe-eval, tightened frame-src to self + host ports, added frame-ancestors, base-uri, form-action directives - X-Frame-Options: SAMEORIGIN added after proxy_hide_header on all app proxies - HSTS: max-age=31536000; includeSubDomains on all server blocks - Rate limiting: 20r/s on /rpc/ with burst=40, 3r/s auth zone - Added X-DNS-Prefetch-Control, Permissions-Policy payment=() header Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 00:57:16 +00:00
add_header X-Frame-Options "SAMEORIGIN" always;
chore: sync ISO build configs with live server state - Add nginx snippets (PWA, HTTPS app proxies) to image-recipe/configs/ - Update build script Dockerfile to install openssl, generate self-signed SSL cert, copy nginx snippets, and create Cloud dummy directories - Ensures fresh ISO installs have working HTTPS, PWA installability, and pre-created Cloud storage folders Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 08:34:53 +00:00
proxy_hide_header Content-Security-Policy;
feat: inject NIP-07 nostr-provider.js into all nginx app proxy blocks Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-12 23:21:15 +00:00
proxy_set_header Accept-Encoding "";
sub_filter_once on;
sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
chore: sync ISO build configs with live server state - Add nginx snippets (PWA, HTTPS app proxies) to image-recipe/configs/ - Update build script Dockerfile to install openssl, generate self-signed SSL cert, copy nginx snippets, and create Cloud dummy directories - Ensures fresh ISO installs have working HTTPS, PWA installability, and pre-created Cloud storage folders Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 08:34:53 +00:00
}
location /app/mempool/ {
proxy_pass http://127.0.0.1:4080/;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_hide_header X-Frame-Options;
feat: Phase 6 — nginx security headers, CSP hardening, rate limiting - CSP: removed unsafe-eval, tightened frame-src to self + host ports, added frame-ancestors, base-uri, form-action directives - X-Frame-Options: SAMEORIGIN added after proxy_hide_header on all app proxies - HSTS: max-age=31536000; includeSubDomains on all server blocks - Rate limiting: 20r/s on /rpc/ with burst=40, 3r/s auth zone - Added X-DNS-Prefetch-Control, Permissions-Policy payment=() header Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 00:57:16 +00:00
add_header X-Frame-Options "SAMEORIGIN" always;
chore: sync ISO build configs with live server state - Add nginx snippets (PWA, HTTPS app proxies) to image-recipe/configs/ - Update build script Dockerfile to install openssl, generate self-signed SSL cert, copy nginx snippets, and create Cloud dummy directories - Ensures fresh ISO installs have working HTTPS, PWA installability, and pre-created Cloud storage folders Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 08:34:53 +00:00
proxy_hide_header Content-Security-Policy;
proxy_read_timeout 300s;
proxy_send_timeout 300s;
feat: inject NIP-07 nostr-provider.js into all nginx app proxy blocks Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-12 23:21:15 +00:00
proxy_set_header Accept-Encoding "";
sub_filter_once on;
sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
chore: sync ISO build configs with live server state - Add nginx snippets (PWA, HTTPS app proxies) to image-recipe/configs/ - Update build script Dockerfile to install openssl, generate self-signed SSL cert, copy nginx snippets, and create Cloud dummy directories - Ensures fresh ISO installs have working HTTPS, PWA installability, and pre-created Cloud storage folders Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 08:34:53 +00:00
}
location /app/fedimint/ {
fix: Fedimint Guardian UI on port 8175 (not 8174 API) Fedimintd serves JSON-RPC API on 8174 and Guardian web UI on 8175. Updated all port mappings: frontend AppSession, nginx HTTP/HTTPS proxies, PodmanClient static map. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 17:31:07 +00:00
proxy_pass http://127.0.0.1:8175/;
chore: sync ISO build configs with live server state - Add nginx snippets (PWA, HTTPS app proxies) to image-recipe/configs/ - Update build script Dockerfile to install openssl, generate self-signed SSL cert, copy nginx snippets, and create Cloud dummy directories - Ensures fresh ISO installs have working HTTPS, PWA installability, and pre-created Cloud storage folders Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 08:34:53 +00:00
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
fix: prevent tokio runtime deadlock in credential issue/verify The credential issuance and verification handlers used Handle::block_on() directly inside the tokio runtime, causing a deadlock. Wrapped with block_in_place() to properly yield the runtime thread. Also completed full feature verification across all 25 test groups (~175 checks) on live server. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-09 07:43:12 +00:00
proxy_hide_header X-Frame-Options;
feat: Phase 6 — nginx security headers, CSP hardening, rate limiting - CSP: removed unsafe-eval, tightened frame-src to self + host ports, added frame-ancestors, base-uri, form-action directives - X-Frame-Options: SAMEORIGIN added after proxy_hide_header on all app proxies - HSTS: max-age=31536000; includeSubDomains on all server blocks - Rate limiting: 20r/s on /rpc/ with burst=40, 3r/s auth zone - Added X-DNS-Prefetch-Control, Permissions-Policy payment=() header Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 00:57:16 +00:00
add_header X-Frame-Options "SAMEORIGIN" always;
fix: prevent tokio runtime deadlock in credential issue/verify The credential issuance and verification handlers used Handle::block_on() directly inside the tokio runtime, causing a deadlock. Wrapped with block_in_place() to properly yield the runtime thread. Also completed full feature verification across all 25 test groups (~175 checks) on live server. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-09 07:43:12 +00:00
proxy_hide_header Content-Security-Policy;
proxy_read_timeout 300s;
proxy_send_timeout 300s;
feat: inject NIP-07 nostr-provider.js into all nginx app proxy blocks Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-12 23:21:15 +00:00
proxy_set_header Accept-Encoding "";
sub_filter_once on;
sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
fix: prevent tokio runtime deadlock in credential issue/verify The credential issuance and verification handlers used Handle::block_on() directly inside the tokio runtime, causing a deadlock. Wrapped with block_in_place() to properly yield the runtime thread. Also completed full feature verification across all 25 test groups (~175 checks) on live server. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-09 07:43:12 +00:00
}
location /app/fedimint-gateway/ {
proxy_pass http://127.0.0.1:8176/;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
chore: sync ISO build configs with live server state - Add nginx snippets (PWA, HTTPS app proxies) to image-recipe/configs/ - Update build script Dockerfile to install openssl, generate self-signed SSL cert, copy nginx snippets, and create Cloud dummy directories - Ensures fresh ISO installs have working HTTPS, PWA installability, and pre-created Cloud storage folders Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 08:34:53 +00:00
proxy_hide_header X-Frame-Options;
feat: Phase 6 — nginx security headers, CSP hardening, rate limiting - CSP: removed unsafe-eval, tightened frame-src to self + host ports, added frame-ancestors, base-uri, form-action directives - X-Frame-Options: SAMEORIGIN added after proxy_hide_header on all app proxies - HSTS: max-age=31536000; includeSubDomains on all server blocks - Rate limiting: 20r/s on /rpc/ with burst=40, 3r/s auth zone - Added X-DNS-Prefetch-Control, Permissions-Policy payment=() header Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 00:57:16 +00:00
add_header X-Frame-Options "SAMEORIGIN" always;
chore: sync ISO build configs with live server state - Add nginx snippets (PWA, HTTPS app proxies) to image-recipe/configs/ - Update build script Dockerfile to install openssl, generate self-signed SSL cert, copy nginx snippets, and create Cloud dummy directories - Ensures fresh ISO installs have working HTTPS, PWA installability, and pre-created Cloud storage folders Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 08:34:53 +00:00
proxy_hide_header Content-Security-Policy;
proxy_read_timeout 300s;
proxy_send_timeout 300s;
feat: inject NIP-07 nostr-provider.js into all nginx app proxy blocks Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-12 23:21:15 +00:00
proxy_set_header Accept-Encoding "";
sub_filter_once on;
sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
chore: sync ISO build configs with live server state - Add nginx snippets (PWA, HTTPS app proxies) to image-recipe/configs/ - Update build script Dockerfile to install openssl, generate self-signed SSL cert, copy nginx snippets, and create Cloud dummy directories - Ensures fresh ISO installs have working HTTPS, PWA installability, and pre-created Cloud storage folders Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 08:34:53 +00:00
}
location /app/tailscale/ {
fix: container stability, OnlyOffice removal, node bootstrapping, UI fixes Container orchestration: - Add --network-alias to all archy-net containers (fixes Podman DNS) - Fix bitcoin-knots health check: expand $BITCOIN_RPC_PASS at creation - Increase bitcoin-knots memory limit to 4g, reduce dbcache to 2048 - Enable podman-restart.service in ISO for auto-start on boot - Fix UI container Dockerfiles: ENTRYPOINT [], user root for rootless App changes: - Remove OnlyOffice (incompatible with rootless Podman) - Replace with CryptPad reference (single-process, e2e encrypted) - Fix NPM port mapping: 8181 → 81 - Fix OnlyOffice port mapping: 8044 → 9980 (now CryptPad: 3003) AIUI & proxy: - Add MODEL_MAP to claude-api-proxy (ISO + deploy) - Map legacy model IDs (claude-haiku-4.5 → claude-haiku-4-5-20251001) Kiosk: - Move chromium-kiosk data dir to /var/lib/archipelago (data partition) - Remove --metrics-recording-only (contradicted --disable-metrics) Node bootstrapping: - Add bootstrap-switchover.sh for live node updates - ElectrumX UI improvements and nginx proxy fixes - LND UI nginx config updates Backend: - Bitcoin health check uses .cookie auth (no plaintext creds) - ElectrumX status endpoint improvements - Network alias flag in install.rs for DNS reliability Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-02 16:15:04 +01:00
# Tailscale has no web UI — managed via CLI/Tailscale app
default_type application/json;
return 503 '{"error":{"code":"NO_WEB_UI","message":"Tailscale is managed via CLI"}}';
chore: sync ISO build configs with live server state - Add nginx snippets (PWA, HTTPS app proxies) to image-recipe/configs/ - Update build script Dockerfile to install openssl, generate self-signed SSL cert, copy nginx snippets, and create Cloud dummy directories - Ensures fresh ISO installs have working HTTPS, PWA installability, and pre-created Cloud storage folders Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 08:34:53 +00:00
}
fix: BUILD_VERSION from Cargo.toml, kiosk scaling, new apps, Rust warnings Critical: - BUILD_VERSION was hardcoded as "1.3.0-alpha" — now reads from Cargo.toml This caused ALL ISOs to show v1.3.0 regardless of actual binary version Kiosk: - Remove --disable-gpu flags (broke display scaling on some monitors) - Add --start-fullscreen --window-size for reliable fullscreen New apps: - Nostr VPN, FIPS, Routstr, noStrudel, BotFights, NWNN, 484 Kitchen, Call the Operator, Arch Presentation, Syntropy Institute, T-0 Rust: suppress dead_code and unused_assignments warnings Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-03 00:35:52 +01:00
location /app/routstr/ {
proxy_pass http://127.0.0.1:8200/;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_hide_header X-Frame-Options;
add_header X-Frame-Options "SAMEORIGIN" always;
proxy_hide_header Content-Security-Policy;
proxy_set_header Accept-Encoding "";
sub_filter_once on;
sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
location /app/nostr-vpn/ {
feat: add Nostr VPN, FIPS, Routstr apps with status UIs Add three new marketplace apps: - Routstr (v0.4.3): Decentralized AI inference proxy with Cashu payments - Nostr VPN (v0.3.4): Mesh VPN with Nostr signaling + WireGuard tunnels - FIPS (v0.1.0): Self-organizing encrypted mesh network Includes status UI dashboards for headless apps (nostr-vpn-ui, fips-ui) with usage instructions, node identity display, and container logs. Nostr identity injected via env vars for all three apps. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-03 05:06:45 +01:00
proxy_pass http://127.0.0.1:8201/;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_hide_header X-Frame-Options;
add_header X-Frame-Options "SAMEORIGIN" always;
proxy_hide_header Content-Security-Policy;
fix: BUILD_VERSION from Cargo.toml, kiosk scaling, new apps, Rust warnings Critical: - BUILD_VERSION was hardcoded as "1.3.0-alpha" — now reads from Cargo.toml This caused ALL ISOs to show v1.3.0 regardless of actual binary version Kiosk: - Remove --disable-gpu flags (broke display scaling on some monitors) - Add --start-fullscreen --window-size for reliable fullscreen New apps: - Nostr VPN, FIPS, Routstr, noStrudel, BotFights, NWNN, 484 Kitchen, Call the Operator, Arch Presentation, Syntropy Institute, T-0 Rust: suppress dead_code and unused_assignments warnings Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-03 00:35:52 +01:00
}
fix: restore FIPS as installable container app FIPS stays in the marketplace as an installable container app. NostrVPN is the native system service; FIPS is a separate optional app. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-07 14:51:13 +01:00
location /app/fips/ {
proxy_pass http://127.0.0.1:8202/;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_hide_header X-Frame-Options;
add_header X-Frame-Options "SAMEORIGIN" always;
proxy_hide_header Content-Security-Policy;
}
chore: sync ISO build configs with live server state - Add nginx snippets (PWA, HTTPS app proxies) to image-recipe/configs/ - Update build script Dockerfile to install openssl, generate self-signed SSL cert, copy nginx snippets, and create Cloud dummy directories - Ensures fresh ISO installs have working HTTPS, PWA installability, and pre-created Cloud storage folders Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 08:34:53 +00:00
location /app/ollama/ {
proxy_pass http://127.0.0.1:11434/;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_hide_header X-Frame-Options;
feat: Phase 6 — nginx security headers, CSP hardening, rate limiting - CSP: removed unsafe-eval, tightened frame-src to self + host ports, added frame-ancestors, base-uri, form-action directives - X-Frame-Options: SAMEORIGIN added after proxy_hide_header on all app proxies - HSTS: max-age=31536000; includeSubDomains on all server blocks - Rate limiting: 20r/s on /rpc/ with burst=40, 3r/s auth zone - Added X-DNS-Prefetch-Control, Permissions-Policy payment=() header Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 00:57:16 +00:00
add_header X-Frame-Options "SAMEORIGIN" always;
chore: sync ISO build configs with live server state - Add nginx snippets (PWA, HTTPS app proxies) to image-recipe/configs/ - Update build script Dockerfile to install openssl, generate self-signed SSL cert, copy nginx snippets, and create Cloud dummy directories - Ensures fresh ISO installs have working HTTPS, PWA installability, and pre-created Cloud storage folders Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 08:34:53 +00:00
proxy_hide_header Content-Security-Policy;
feat: inject NIP-07 nostr-provider.js into all nginx app proxy blocks Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-12 23:21:15 +00:00
proxy_set_header Accept-Encoding "";
sub_filter_once on;
sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
chore: sync ISO build configs with live server state - Add nginx snippets (PWA, HTTPS app proxies) to image-recipe/configs/ - Update build script Dockerfile to install openssl, generate self-signed SSL cert, copy nginx snippets, and create Cloud dummy directories - Ensures fresh ISO installs have working HTTPS, PWA installability, and pre-created Cloud storage folders Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 08:34:53 +00:00
}
location /app/bitcoin-ui/ {
proxy_pass http://127.0.0.1:8334/;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_hide_header X-Frame-Options;
feat: Phase 6 — nginx security headers, CSP hardening, rate limiting - CSP: removed unsafe-eval, tightened frame-src to self + host ports, added frame-ancestors, base-uri, form-action directives - X-Frame-Options: SAMEORIGIN added after proxy_hide_header on all app proxies - HSTS: max-age=31536000; includeSubDomains on all server blocks - Rate limiting: 20r/s on /rpc/ with burst=40, 3r/s auth zone - Added X-DNS-Prefetch-Control, Permissions-Policy payment=() header Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 00:57:16 +00:00
add_header X-Frame-Options "SAMEORIGIN" always;
chore: sync ISO build configs with live server state - Add nginx snippets (PWA, HTTPS app proxies) to image-recipe/configs/ - Update build script Dockerfile to install openssl, generate self-signed SSL cert, copy nginx snippets, and create Cloud dummy directories - Ensures fresh ISO installs have working HTTPS, PWA installability, and pre-created Cloud storage folders Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 08:34:53 +00:00
proxy_hide_header Content-Security-Policy;
feat: inject NIP-07 nostr-provider.js into all nginx app proxy blocks Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-12 23:21:15 +00:00
proxy_set_header Accept-Encoding "";
sub_filter_once on;
sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
chore: sync ISO build configs with live server state - Add nginx snippets (PWA, HTTPS app proxies) to image-recipe/configs/ - Update build script Dockerfile to install openssl, generate self-signed SSL cert, copy nginx snippets, and create Cloud dummy directories - Ensures fresh ISO installs have working HTTPS, PWA installability, and pre-created Cloud storage folders Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 08:34:53 +00:00
}
feat: botfights container app + mobile gamepad + indeedhub fixes - Promote botfights from external proxy to container app (port 9100) - Add /app/botfights/ nginx proxy rules (HTTP + HTTPS) - Add ARCHY_EMBEDDED env var to botfights container config - Add BOTFIGHTS_IMAGE to image-versions.sh - Add mobile gamepad overlay (D-pad + A/B + START/SELECT) for botfights arcade mode, sends postMessage arcade-input to iframe - Remove old /ext/botfights/ and port 8901 external proxy blocks - IndeeHub: add post-install nginx patching for NIP-07 provider injection - IndeeHub: fix docker image references to registry (was localhost) - IndeeHub: update port 7777 -> 7778 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-11 16:47:54 -04:00
location /app/botfights/api/ {
proxy_pass http://127.0.0.1:9100/api/;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 300s;
proxy_send_timeout 300s;
}
location /app/botfights/ {
proxy_pass http://127.0.0.1:9100/;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_hide_header X-Frame-Options;
add_header X-Frame-Options "SAMEORIGIN" always;
proxy_hide_header Content-Security-Policy;
proxy_hide_header Cross-Origin-Embedder-Policy;
proxy_hide_header Cross-Origin-Opener-Policy;
proxy_hide_header Cross-Origin-Resource-Policy;
proxy_set_header Accept-Encoding "";
sub_filter_types text/css application/javascript application/json;
sub_filter_once off;
sub_filter 'href="/' 'href="/app/botfights/';
sub_filter 'src="/' 'src="/app/botfights/';
sub_filter "href='/" "href='/app/botfights/";
sub_filter "src='/" "src='/app/botfights/";
feat: dynamic app catalog, Gitea app polish, registry sync App catalog served from Gitea repos (app-catalog) with 35 apps. Nodes fetch catalog dynamically — new apps appear without frontend rebuild. Test app added and removed to verify pipeline. Gitea manifest updated with internal_port/nginx_proxy for iframe. Updated catalog.json, nginx configs, app session configs. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-12 08:20:18 -04:00
sub_filter '</head>' '<script src="/nostr-provider.js"></script><script>window.addEventListener("message",function(e){var d=e.data;if(d&&d.type==="arcade-input"&&d.key){var t=d.action==="up"?"keyup":"keydown";document.dispatchEvent(new KeyboardEvent(t,{key:d.key,bubbles:true}))}})</script></head>';
feat: botfights container app + mobile gamepad + indeedhub fixes - Promote botfights from external proxy to container app (port 9100) - Add /app/botfights/ nginx proxy rules (HTTP + HTTPS) - Add ARCHY_EMBEDDED env var to botfights container config - Add BOTFIGHTS_IMAGE to image-versions.sh - Add mobile gamepad overlay (D-pad + A/B + START/SELECT) for botfights arcade mode, sends postMessage arcade-input to iframe - Remove old /ext/botfights/ and port 8901 external proxy blocks - IndeeHub: add post-install nginx patching for NIP-07 provider injection - IndeeHub: fix docker image references to registry (was localhost) - IndeeHub: update port 7777 -> 7778 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-11 16:47:54 -04:00
}
feat: bitcoin-ui CSS fix, HTTPS proxy support, deploy script improvements Bitcoin UI: - Replace cdn.tailwindcss.com with locally bundled tailwind.css (CSP blocks external scripts) - Make all asset paths relative for nginx proxy compatibility - Add bitcoin-ui build/deploy to deploy-to-target.sh (was missing entirely) - Use --network host (bitcoin-ui proxies Bitcoin RPC at 127.0.0.1:8332) HTTPS mixed content fix: - Add HTTPS_PROXY_PATHS in AppSession.vue — when parent page is HTTPS, iframe loads through nginx proxy instead of direct HTTP port - Prevents browser blocking HTTP iframes inside HTTPS pages - All Tailscale servers use HTTPS, this was breaking all app iframes Deploy & first-boot improvements: - first-boot-containers.sh auto-detects disk size for pruning vs txindex - first-boot-containers.sh checks fallback source path for UI containers - Added mempool-electrs to APP_PORTS mapping - ElectrumX container creation in first-boot - Podman doctor/fix/uptime skills added Also includes: session persistence, identity management, LND transactions, ElectrumX status UI, nostr-provider improvements, Web5 enhancements Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-16 12:58:35 +00:00
location /app/electrumx/ {
chore: sync ISO build configs with live server state - Add nginx snippets (PWA, HTTPS app proxies) to image-recipe/configs/ - Update build script Dockerfile to install openssl, generate self-signed SSL cert, copy nginx snippets, and create Cloud dummy directories - Ensures fresh ISO installs have working HTTPS, PWA installability, and pre-created Cloud storage folders Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 08:34:53 +00:00
proxy_pass http://127.0.0.1:50002/;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_hide_header X-Frame-Options;
feat: Phase 6 — nginx security headers, CSP hardening, rate limiting - CSP: removed unsafe-eval, tightened frame-src to self + host ports, added frame-ancestors, base-uri, form-action directives - X-Frame-Options: SAMEORIGIN added after proxy_hide_header on all app proxies - HSTS: max-age=31536000; includeSubDomains on all server blocks - Rate limiting: 20r/s on /rpc/ with burst=40, 3r/s auth zone - Added X-DNS-Prefetch-Control, Permissions-Policy payment=() header Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 00:57:16 +00:00
add_header X-Frame-Options "SAMEORIGIN" always;
chore: sync ISO build configs with live server state - Add nginx snippets (PWA, HTTPS app proxies) to image-recipe/configs/ - Update build script Dockerfile to install openssl, generate self-signed SSL cert, copy nginx snippets, and create Cloud dummy directories - Ensures fresh ISO installs have working HTTPS, PWA installability, and pre-created Cloud storage folders Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 08:34:53 +00:00
proxy_hide_header Content-Security-Policy;
feat: inject NIP-07 nostr-provider.js into all nginx app proxy blocks Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-12 23:21:15 +00:00
proxy_set_header Accept-Encoding "";
sub_filter_once on;
sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
chore: sync ISO build configs with live server state - Add nginx snippets (PWA, HTTPS app proxies) to image-recipe/configs/ - Update build script Dockerfile to install openssl, generate self-signed SSL cert, copy nginx snippets, and create Cloud dummy directories - Ensures fresh ISO installs have working HTTPS, PWA installability, and pre-created Cloud storage folders Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 08:34:53 +00:00
}
fix: indeedhub staging API, nginx caching, nostr identity and UI improvements Switch IndeedHub to staging API, add _next asset caching in nginx, simplify NostrIdentityPicker component, and update Apps/Web5/Marketplace views. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-14 19:08:09 +00:00
location /app/indeedhub/_next/ {
bullshit
2026-03-15 00:40:55 +00:00
proxy_pass http://127.0.0.1:7777/_next/;
fix: indeedhub staging API, nginx caching, nostr identity and UI improvements Switch IndeedHub to staging API, add _next asset caching in nginx, simplify NostrIdentityPicker component, and update Apps/Web5/Marketplace views. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-14 19:08:09 +00:00
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_cache_valid 200 30d;
add_header Cache-Control "public, max-age=2592000, immutable";
}
bullshit
2026-03-15 00:40:55 +00:00
location /app/indeedhub/ws/ {
proxy_pass http://127.0.0.1:7777/ws/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_read_timeout 86400s;
}
bug fixes from sxsw
2026-03-14 17:12:41 +00:00
location /app/indeedhub/ {
bullshit
2026-03-15 00:40:55 +00:00
proxy_pass http://127.0.0.1:7777/;
bug fixes from sxsw
2026-03-14 17:12:41 +00:00
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_hide_header X-Frame-Options;
feat: Phase 6 — nginx security headers, CSP hardening, rate limiting - CSP: removed unsafe-eval, tightened frame-src to self + host ports, added frame-ancestors, base-uri, form-action directives - X-Frame-Options: SAMEORIGIN added after proxy_hide_header on all app proxies - HSTS: max-age=31536000; includeSubDomains on all server blocks - Rate limiting: 20r/s on /rpc/ with burst=40, 3r/s auth zone - Added X-DNS-Prefetch-Control, Permissions-Policy payment=() header Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 00:57:16 +00:00
add_header X-Frame-Options "SAMEORIGIN" always;
bug fixes from sxsw
2026-03-14 17:12:41 +00:00
proxy_hide_header Content-Security-Policy;
proxy_set_header Accept-Encoding "";
bug fixing and deploy and build diagnostics
2026-03-22 03:30:21 +00:00
sub_filter_types text/css application/javascript application/json;
fix: indeedhub staging API, nginx caching, nostr identity and UI improvements Switch IndeedHub to staging API, add _next asset caching in nginx, simplify NostrIdentityPicker component, and update Apps/Web5/Marketplace views. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-14 19:08:09 +00:00
sub_filter_once off;
bullshit
2026-03-15 00:40:55 +00:00
sub_filter 'href="/' 'href="/app/indeedhub/';
sub_filter 'src="/' 'src="/app/indeedhub/';
sub_filter "href='/" "href='/app/indeedhub/";
sub_filter "src='/" "src='/app/indeedhub/";
bug fixes from sxsw
2026-03-14 17:12:41 +00:00
sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
}
chore: sync ISO build configs with live server state - Add nginx snippets (PWA, HTTPS app proxies) to image-recipe/configs/ - Update build script Dockerfile to install openssl, generate self-signed SSL cert, copy nginx snippets, and create Cloud dummy directories - Ensures fresh ISO installs have working HTTPS, PWA installability, and pre-created Cloud storage folders Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 08:34:53 +00:00
location /app/nginx-proxy-manager/ {
fix: correct port mappings for all container iframes/tabs Nginx (HTTP+HTTPS): OnlyOffice 9980→8044, Fedimint 8175→8174, NPM 81→8181, Tailscale removed (no web UI). Frontend: corrected APP_PORTS, added HTTPS_PROXY_PATHS for portainer/ npm/uptime-kuma/homeassistant/vaultwarden/photoprism/fedimintd. Added portainer/onlyoffice/npm to NEW_TAB_APPS (X-Frame-Options). Backend: PodmanClient + docker_packages port corrections. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 16:56:17 +00:00
proxy_pass http://127.0.0.1:8181/;
chore: sync ISO build configs with live server state - Add nginx snippets (PWA, HTTPS app proxies) to image-recipe/configs/ - Update build script Dockerfile to install openssl, generate self-signed SSL cert, copy nginx snippets, and create Cloud dummy directories - Ensures fresh ISO installs have working HTTPS, PWA installability, and pre-created Cloud storage folders Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 08:34:53 +00:00
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_hide_header X-Frame-Options;
feat: Phase 6 — nginx security headers, CSP hardening, rate limiting - CSP: removed unsafe-eval, tightened frame-src to self + host ports, added frame-ancestors, base-uri, form-action directives - X-Frame-Options: SAMEORIGIN added after proxy_hide_header on all app proxies - HSTS: max-age=31536000; includeSubDomains on all server blocks - Rate limiting: 20r/s on /rpc/ with burst=40, 3r/s auth zone - Added X-DNS-Prefetch-Control, Permissions-Policy payment=() header Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 00:57:16 +00:00
add_header X-Frame-Options "SAMEORIGIN" always;
chore: sync ISO build configs with live server state - Add nginx snippets (PWA, HTTPS app proxies) to image-recipe/configs/ - Update build script Dockerfile to install openssl, generate self-signed SSL cert, copy nginx snippets, and create Cloud dummy directories - Ensures fresh ISO installs have working HTTPS, PWA installability, and pre-created Cloud storage folders Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 08:34:53 +00:00
proxy_hide_header Content-Security-Policy;
feat: inject NIP-07 nostr-provider.js into all nginx app proxy blocks Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-12 23:21:15 +00:00
proxy_set_header Accept-Encoding "";
sub_filter_once on;
sub_filter '</head>' '<script src="/nostr-provider.js"></script></head>';
chore: sync ISO build configs with live server state - Add nginx snippets (PWA, HTTPS app proxies) to image-recipe/configs/ - Update build script Dockerfile to install openssl, generate self-signed SSL cert, copy nginx snippets, and create Cloud dummy directories - Ensures fresh ISO installs have working HTTPS, PWA installability, and pre-created Cloud storage folders Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 08:34:53 +00:00
}
Reference in New Issue Copy Permalink