server { listen 80; listen 100.91.10.103:80; server_name _; root /opt/archipelago/web-ui; index index.html; # AIUI SPA (Chat mode iframe) location /aiui/ { alias /opt/archipelago/web-ui/aiui/; index index.html; try_files $uri $uri/ /aiui/index.html; } # AIUI Claude API proxy — routes through claude-proxy service (port 3141) location /aiui/api/claude/ { proxy_pass http://127.0.0.1:3141/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header Connection ""; proxy_set_header X-Real-IP $remote_addr; proxy_buffering off; proxy_cache off; proxy_connect_timeout 120s; proxy_read_timeout 300s; proxy_send_timeout 120s; } # AIUI OpenRouter API proxy location /aiui/api/openrouter/ { proxy_pass https://openrouter.ai/api/; proxy_http_version 1.1; proxy_set_header Host openrouter.ai; proxy_set_header Connection ""; proxy_ssl_server_name on; proxy_connect_timeout 120s; proxy_read_timeout 120s; proxy_send_timeout 120s; } # AIUI web search proxy — SearXNG on port 8888 location /aiui/api/web-search { proxy_pass http://127.0.0.1:8888/search; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_connect_timeout 30s; proxy_read_timeout 30s; error_page 502 503 =503 @searxng_unavailable; } location @searxng_unavailable { default_type application/json; return 503 '{"error":"SearXNG is not running"}'; } # Icons, favicon, manifest — always revalidate (no heuristic caching) location ~* ^/(favicon\.ico|manifest\.webmanifest|assets/icon/) { add_header Cache-Control "no-cache, must-revalidate"; try_files $uri =404; } # Serve static files (Vue.js SPA) location / { try_files $uri $uri/ /index.html; } # Peer-to-peer node messaging (receives from other nodes over Tor) location /archipelago/ { proxy_pass http://127.0.0.1:5678; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; } # Proxy API requests to backend location /rpc/ { proxy_pass http://127.0.0.1:5678; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; # Increase timeout for long-running operations (e.g., Docker image pulls) proxy_connect_timeout 600s; proxy_send_timeout 600s; proxy_read_timeout 600s; } # Proxy apps that set X-Frame-Options - strip header so iframe works location /app/nextcloud/ { proxy_pass http://127.0.0.1:8085/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; proxy_read_timeout 300s; proxy_send_timeout 300s; } location /app/vaultwarden/ { proxy_pass http://127.0.0.1:8082/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; } location /app/immich/ { proxy_pass http://127.0.0.1:2283/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; proxy_read_timeout 300s; proxy_send_timeout 300s; } location /app/penpot/ { proxy_pass http://127.0.0.1:9001/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; proxy_read_timeout 300s; proxy_send_timeout 300s; } location /app/filebrowser/ { client_max_body_size 10G; proxy_pass http://127.0.0.1:8083/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; proxy_request_buffering off; } location /app/grafana/ { proxy_pass http://127.0.0.1:3000/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; } location /app/jellyfin/ { proxy_pass http://127.0.0.1:8096/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; } location /app/uptime-kuma/ { proxy_pass http://127.0.0.1:3001/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; } location /app/portainer/ { proxy_pass http://127.0.0.1:9000/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; } location /app/onlyoffice/ { proxy_pass http://127.0.0.1:9980/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; } # Remaining apps (also available on HTTPS via snippet include) location /app/searxng/ { proxy_pass http://127.0.0.1:8888/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; } location /app/lnd/ { proxy_pass http://127.0.0.1:8081/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; proxy_read_timeout 300s; proxy_send_timeout 300s; } location /app/mempool/ { proxy_pass http://127.0.0.1:4080/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; proxy_read_timeout 300s; proxy_send_timeout 300s; } location /app/photoprism/ { proxy_pass http://127.0.0.1:2342/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; } location /app/fedimint/ { proxy_pass http://127.0.0.1:8175/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; proxy_read_timeout 300s; proxy_send_timeout 300s; } location /app/tailscale/ { proxy_pass http://127.0.0.1:8240/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; } location /app/ollama/ { proxy_pass http://127.0.0.1:11434/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; } location /app/bitcoin-ui/ { proxy_pass http://127.0.0.1:8334/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; } location /app/electrs/ { proxy_pass http://127.0.0.1:50002/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; } location /app/endurain/ { proxy_pass http://127.0.0.1:8080/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; } location /app/nginx-proxy-manager/ { proxy_pass http://127.0.0.1:81/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; } location /app/btcpay/ { proxy_pass http://127.0.0.1:23000/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; } location /app/homeassistant/ { proxy_pass http://127.0.0.1:8123/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; proxy_read_timeout 86400s; proxy_send_timeout 86400s; } # Proxy WebSocket location /ws { proxy_pass http://127.0.0.1:5678; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Host $host; # WebSocket timeout proxy_read_timeout 86400s; } } # HTTPS - required for PWA install (Add to Home Screen) from dev servers server { listen 443 ssl; server_name _; ssl_certificate /etc/archipelago/ssl/archipelago.crt; ssl_certificate_key /etc/archipelago/ssl/archipelago.key; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384; root /opt/archipelago/web-ui; index index.html; include snippets/archipelago-pwa.conf; # AIUI SPA (Chat mode iframe) location /aiui/ { alias /opt/archipelago/web-ui/aiui/; index index.html; try_files $uri $uri/ =404; } location /aiui/api/claude/ { proxy_pass http://127.0.0.1:3141/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header Connection ""; proxy_set_header X-Real-IP $remote_addr; proxy_buffering off; proxy_cache off; proxy_connect_timeout 120s; proxy_read_timeout 300s; proxy_send_timeout 120s; } location /aiui/api/openrouter/ { proxy_pass https://openrouter.ai/api/; proxy_http_version 1.1; proxy_set_header Host openrouter.ai; proxy_set_header Connection ""; proxy_ssl_server_name on; proxy_connect_timeout 120s; proxy_read_timeout 120s; proxy_send_timeout 120s; } # Icons, favicon, manifest — always revalidate (no heuristic caching) location ~* ^/(favicon\.ico|manifest\.webmanifest|assets/icon/) { add_header Cache-Control "no-cache, must-revalidate"; try_files $uri =404; } location / { try_files $uri $uri/ /index.html; } location /archipelago/ { proxy_pass http://127.0.0.1:5678; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; } location /rpc/ { proxy_pass http://127.0.0.1:5678; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_connect_timeout 600s; proxy_send_timeout 600s; proxy_read_timeout 600s; } location /app/nextcloud/ { proxy_pass http://127.0.0.1:8085/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; proxy_read_timeout 300s; proxy_send_timeout 300s; } location /app/vaultwarden/ { proxy_pass http://127.0.0.1:8082/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; } location /app/immich/ { proxy_pass http://127.0.0.1:2283/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; proxy_read_timeout 300s; proxy_send_timeout 300s; } location /app/penpot/ { proxy_pass http://127.0.0.1:9001/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; proxy_read_timeout 300s; proxy_send_timeout 300s; } location /app/btcpay/ { proxy_pass http://127.0.0.1:23000/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; } location /app/homeassistant/ { proxy_pass http://127.0.0.1:8123/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; proxy_read_timeout 86400s; proxy_send_timeout 86400s; } # All remaining app proxies (mempool, fedimint, lnd, bitcoin-ui, etc.) include snippets/archipelago-https-app-proxies.conf; location /ws { proxy_pass http://127.0.0.1:5678; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Host $host; proxy_read_timeout 86400s; } }