fix: nginx AIUI SPA routing and session gate cleanup
Backport from .228 live server: - AIUI: use SPA fallback (try_files → /aiui/index.html) for client-side routing - Remove cookie_session gates from AIUI proxies (API key managed by proxy) - Apply to both HTTP and HTTPS server blocks Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
07808a95c4
commit
7409cdaac2
@ -19,13 +19,11 @@ server {
|
|||||||
add_header X-DNS-Prefetch-Control "off" always;
|
add_header X-DNS-Prefetch-Control "off" always;
|
||||||
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https://*.basemaps.cartocdn.com https://tile.openstreetmap.org; font-src 'self' data:; connect-src 'self' ws: wss: http://$host:* https:; frame-src 'self' http://$host:* https:; frame-ancestors 'self'; base-uri 'self'; form-action 'self';" always;
|
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https://*.basemaps.cartocdn.com https://tile.openstreetmap.org; font-src 'self' data:; connect-src 'self' ws: wss: http://$host:* https:; frame-src 'self' http://$host:* https:; frame-ancestors 'self'; base-uri 'self'; form-action 'self';" always;
|
||||||
|
|
||||||
# AIUI SPA (Chat mode iframe)
|
# AIUI SPA (Chat mode iframe) — SPA fallback for client-side routing
|
||||||
# Use =404 fallback instead of index.html to prevent serving HTML with wrong
|
|
||||||
# MIME type when JS/CSS files are missing (causes module script MIME errors)
|
|
||||||
location /aiui/ {
|
location /aiui/ {
|
||||||
alias /opt/archipelago/web-ui/aiui/;
|
alias /opt/archipelago/web-ui/aiui/;
|
||||||
index index.html;
|
index index.html;
|
||||||
try_files $uri $uri/ =404;
|
try_files $uri $uri/ /aiui/index.html;
|
||||||
add_header Cache-Control "no-cache, no-store, must-revalidate";
|
add_header Cache-Control "no-cache, no-store, must-revalidate";
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -40,7 +38,6 @@ server {
|
|||||||
proxy_pass http://127.0.0.1:3142/;
|
proxy_pass http://127.0.0.1:3142/;
|
||||||
proxy_http_version 1.1;
|
proxy_http_version 1.1;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
# Connection header managed by nginx default
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_buffering off;
|
proxy_buffering off;
|
||||||
proxy_cache off;
|
proxy_cache off;
|
||||||
@ -49,15 +46,11 @@ server {
|
|||||||
proxy_send_timeout 120s;
|
proxy_send_timeout 120s;
|
||||||
}
|
}
|
||||||
|
|
||||||
# AIUI OpenRouter API proxy — requires valid session cookie
|
# AIUI OpenRouter API proxy (API key managed by proxy, no session gate needed)
|
||||||
location /aiui/api/openrouter/ {
|
location /aiui/api/openrouter/ {
|
||||||
if ($cookie_session = "") {
|
|
||||||
return 401 '{"error":"Unauthorized"}';
|
|
||||||
}
|
|
||||||
proxy_pass https://openrouter.ai/api/;
|
proxy_pass https://openrouter.ai/api/;
|
||||||
proxy_http_version 1.1;
|
proxy_http_version 1.1;
|
||||||
proxy_set_header Host openrouter.ai;
|
proxy_set_header Host openrouter.ai;
|
||||||
# Connection header managed by nginx default
|
|
||||||
proxy_ssl_server_name on;
|
proxy_ssl_server_name on;
|
||||||
proxy_connect_timeout 120s;
|
proxy_connect_timeout 120s;
|
||||||
proxy_read_timeout 120s;
|
proxy_read_timeout 120s;
|
||||||
@ -66,9 +59,6 @@ server {
|
|||||||
|
|
||||||
# AIUI Ollama (local AI) proxy — localhost:11434
|
# AIUI Ollama (local AI) proxy — localhost:11434
|
||||||
location /aiui/api/ollama/ {
|
location /aiui/api/ollama/ {
|
||||||
if ($cookie_session = "") {
|
|
||||||
return 401 '{"error":"Unauthorized"}';
|
|
||||||
}
|
|
||||||
proxy_pass http://127.0.0.1:11434/;
|
proxy_pass http://127.0.0.1:11434/;
|
||||||
proxy_http_version 1.1;
|
proxy_http_version 1.1;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
@ -77,14 +67,10 @@ server {
|
|||||||
proxy_cache off;
|
proxy_cache off;
|
||||||
proxy_connect_timeout 120s;
|
proxy_connect_timeout 120s;
|
||||||
proxy_read_timeout 300s;
|
proxy_read_timeout 300s;
|
||||||
# Connection header managed by nginx default
|
|
||||||
}
|
}
|
||||||
|
|
||||||
# AIUI web search proxy — SearXNG on port 8888
|
# AIUI web search proxy — SearXNG on port 8888
|
||||||
location /aiui/api/web-search {
|
location /aiui/api/web-search {
|
||||||
if ($cookie_session = "") {
|
|
||||||
return 401 '{"error":"Unauthorized"}';
|
|
||||||
}
|
|
||||||
proxy_pass http://127.0.0.1:8888/search;
|
proxy_pass http://127.0.0.1:8888/search;
|
||||||
proxy_http_version 1.1;
|
proxy_http_version 1.1;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
@ -741,21 +727,17 @@ server {
|
|||||||
add_header X-DNS-Prefetch-Control "off" always;
|
add_header X-DNS-Prefetch-Control "off" always;
|
||||||
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https://*.basemaps.cartocdn.com https://tile.openstreetmap.org; font-src 'self' data:; connect-src 'self' ws: wss: http://$host:* https:; frame-src 'self' http://$host:* https:; frame-ancestors 'self'; base-uri 'self'; form-action 'self';" always;
|
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https://*.basemaps.cartocdn.com https://tile.openstreetmap.org; font-src 'self' data:; connect-src 'self' ws: wss: http://$host:* https:; frame-src 'self' http://$host:* https:; frame-ancestors 'self'; base-uri 'self'; form-action 'self';" always;
|
||||||
|
|
||||||
# AIUI SPA (Chat mode iframe)
|
# AIUI SPA (Chat mode iframe) — SPA fallback for client-side routing
|
||||||
location /aiui/ {
|
location /aiui/ {
|
||||||
alias /opt/archipelago/web-ui/aiui/;
|
alias /opt/archipelago/web-ui/aiui/;
|
||||||
index index.html;
|
index index.html;
|
||||||
try_files $uri $uri/ =404;
|
try_files $uri $uri/ /aiui/index.html;
|
||||||
add_header Cache-Control "no-cache, no-store, must-revalidate";
|
add_header Cache-Control "no-cache, no-store, must-revalidate";
|
||||||
}
|
}
|
||||||
location /aiui/api/claude/ {
|
location /aiui/api/claude/ {
|
||||||
if ($cookie_session = "") {
|
|
||||||
return 401 '{"error":"Unauthorized"}';
|
|
||||||
}
|
|
||||||
proxy_pass http://127.0.0.1:3142/;
|
proxy_pass http://127.0.0.1:3142/;
|
||||||
proxy_http_version 1.1;
|
proxy_http_version 1.1;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
# Connection header managed by nginx default
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_buffering off;
|
proxy_buffering off;
|
||||||
proxy_cache off;
|
proxy_cache off;
|
||||||
@ -764,9 +746,6 @@ server {
|
|||||||
proxy_send_timeout 120s;
|
proxy_send_timeout 120s;
|
||||||
}
|
}
|
||||||
location /aiui/api/ollama/ {
|
location /aiui/api/ollama/ {
|
||||||
if ($cookie_session = "") {
|
|
||||||
return 401 '{"error":"Unauthorized"}';
|
|
||||||
}
|
|
||||||
proxy_pass http://127.0.0.1:11434/;
|
proxy_pass http://127.0.0.1:11434/;
|
||||||
proxy_http_version 1.1;
|
proxy_http_version 1.1;
|
||||||
proxy_set_header Host $host;
|
proxy_set_header Host $host;
|
||||||
@ -775,16 +754,11 @@ server {
|
|||||||
proxy_cache off;
|
proxy_cache off;
|
||||||
proxy_connect_timeout 120s;
|
proxy_connect_timeout 120s;
|
||||||
proxy_read_timeout 300s;
|
proxy_read_timeout 300s;
|
||||||
# Connection header managed by nginx default
|
|
||||||
}
|
}
|
||||||
location /aiui/api/openrouter/ {
|
location /aiui/api/openrouter/ {
|
||||||
if ($cookie_session = "") {
|
|
||||||
return 401 '{"error":"Unauthorized"}';
|
|
||||||
}
|
|
||||||
proxy_pass https://openrouter.ai/api/;
|
proxy_pass https://openrouter.ai/api/;
|
||||||
proxy_http_version 1.1;
|
proxy_http_version 1.1;
|
||||||
proxy_set_header Host openrouter.ai;
|
proxy_set_header Host openrouter.ai;
|
||||||
# Connection header managed by nginx default
|
|
||||||
proxy_ssl_server_name on;
|
proxy_ssl_server_name on;
|
||||||
proxy_connect_timeout 120s;
|
proxy_connect_timeout 120s;
|
||||||
proxy_read_timeout 120s;
|
proxy_read_timeout 120s;
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user