fix: nginx AIUI SPA routing and session gate cleanup

Backport from .228 live server:
- AIUI: use SPA fallback (try_files → /aiui/index.html) for client-side routing
- Remove cookie_session gates from AIUI proxies (API key managed by proxy)
- Apply to both HTTP and HTTPS server blocks

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Dorian 2026-04-02 10:59:54 +01:00
parent 07808a95c4
commit 7409cdaac2


@ -19,13 +19,11 @@ server {
add_header X-DNS-Prefetch-Control "off" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https://*.basemaps.cartocdn.com https://tile.openstreetmap.org; font-src 'self' data:; connect-src 'self' ws: wss: http://$host:* https:; frame-src 'self' http://$host:* https:; frame-ancestors 'self'; base-uri 'self'; form-action 'self';" always;
# AIUI SPA (Chat mode iframe)
# Use =404 fallback instead of index.html to prevent serving HTML with wrong
# MIME type when JS/CSS files are missing (causes module script MIME errors)
# AIUI SPA (Chat mode iframe) — SPA fallback for client-side routing
location /aiui/ {
alias /opt/archipelago/web-ui/aiui/;
index index.html;
try_files $uri $uri/ =404;
try_files $uri $uri/ /aiui/index.html;
add_header Cache-Control "no-cache, no-store, must-revalidate";
}
@ -40,7 +38,6 @@ server {
proxy_pass http://127.0.0.1:3142/;
proxy_http_version 1.1;
proxy_set_header Host $host;
# Connection header managed by nginx default
proxy_set_header X-Real-IP $remote_addr;
proxy_buffering off;
proxy_cache off;
@ -49,15 +46,11 @@ server {
proxy_send_timeout 120s;
}
# AIUI OpenRouter API proxy — requires valid session cookie
# AIUI OpenRouter API proxy (API key managed by proxy, no session gate needed)
location /aiui/api/openrouter/ {
if ($cookie_session = "") {
return 401 '{"error":"Unauthorized"}';
}
proxy_pass https://openrouter.ai/api/;
proxy_http_version 1.1;
proxy_set_header Host openrouter.ai;
# Connection header managed by nginx default
proxy_ssl_server_name on;
proxy_connect_timeout 120s;
proxy_read_timeout 120s;
@ -66,9 +59,6 @@ server {
# AIUI Ollama (local AI) proxy — localhost:11434
location /aiui/api/ollama/ {
if ($cookie_session = "") {
return 401 '{"error":"Unauthorized"}';
}
proxy_pass http://127.0.0.1:11434/;
proxy_http_version 1.1;
proxy_set_header Host $host;
@ -77,14 +67,10 @@ server {
proxy_cache off;
proxy_connect_timeout 120s;
proxy_read_timeout 300s;
# Connection header managed by nginx default
}
# AIUI web search proxy — SearXNG on port 8888
location /aiui/api/web-search {
if ($cookie_session = "") {
return 401 '{"error":"Unauthorized"}';
}
proxy_pass http://127.0.0.1:8888/search;
proxy_http_version 1.1;
proxy_set_header Host $host;
@ -741,21 +727,17 @@ server {
add_header X-DNS-Prefetch-Control "off" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https://*.basemaps.cartocdn.com https://tile.openstreetmap.org; font-src 'self' data:; connect-src 'self' ws: wss: http://$host:* https:; frame-src 'self' http://$host:* https:; frame-ancestors 'self'; base-uri 'self'; form-action 'self';" always;
# AIUI SPA (Chat mode iframe)
# AIUI SPA (Chat mode iframe) — SPA fallback for client-side routing
location /aiui/ {
alias /opt/archipelago/web-ui/aiui/;
index index.html;
try_files $uri $uri/ =404;
try_files $uri $uri/ /aiui/index.html;
add_header Cache-Control "no-cache, no-store, must-revalidate";
}
location /aiui/api/claude/ {
if ($cookie_session = "") {
return 401 '{"error":"Unauthorized"}';
}
proxy_pass http://127.0.0.1:3142/;
proxy_http_version 1.1;
proxy_set_header Host $host;
# Connection header managed by nginx default
proxy_set_header X-Real-IP $remote_addr;
proxy_buffering off;
proxy_cache off;
@ -764,9 +746,6 @@ server {
proxy_send_timeout 120s;
}
location /aiui/api/ollama/ {
if ($cookie_session = "") {
return 401 '{"error":"Unauthorized"}';
}
proxy_pass http://127.0.0.1:11434/;
proxy_http_version 1.1;
proxy_set_header Host $host;
@ -775,16 +754,11 @@ server {
proxy_cache off;
proxy_connect_timeout 120s;
proxy_read_timeout 300s;
# Connection header managed by nginx default
}
location /aiui/api/openrouter/ {
if ($cookie_session = "") {
return 401 '{"error":"Unauthorized"}';
}
proxy_pass https://openrouter.ai/api/;
proxy_http_version 1.1;
proxy_set_header Host openrouter.ai;
# Connection header managed by nginx default
proxy_ssl_server_name on;
proxy_connect_timeout 120s;
proxy_read_timeout 120s;
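Review bot: Dropping the `if ($cookie_session = "")` blocks leaves `/aiui/api/openrouter/`, `/aiui/api/ollama/`, `/aiui/api/web-search` and, in the second server block, `/aiui/api/claude/` with no access check visible in these hunks, and the commit message says this applies to both the HTTP and HTTPS servers. The old test was weak, since it only required a non-empty cookie named `session` without validating it. The new comment "API key managed by proxy, no session gate needed" argues for a stronger gate rather than none, though: if the upstream key is supplied on the server side, any client that can reach nginx can use it, and the loopback-only Ollama (11434) and SearXNG (8888) services become reachable through these paths. I would replace the gate instead of deleting it, for example `auth_request /internal/session-check;` (placeholder path) in each of these locations, backed by the application's real session validation, or at minimum an `allow`/`deny` restriction. Several of these location blocks start or end outside the hunks, so a control defined elsewhere in the file may exist that is not visible here.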