user www-data;

worker_processes auto;

pid /run/nginx.pid;

error_log /var/log/nginx/error.log;

events {

worker_connections 1024;

}

http {

include /etc/nginx/mime.types; # Required for SVG mime type

default_type application/octet-stream; # Required for SVG mime type

client_max_body_size 100M;

server {

listen 80;

server_name localhost;

location / {

proxy_pass http://localhost:3000;

proxy_http_version 1.1; # Required for WebSocket

proxy_set_header Upgrade $http_upgrade; # WebSocket header

proxy_set_header Connection "upgrade"; # WebSocket header

# Preserve browser host:port (e.g. localhost:5000). $host strips the port

# and breaks Next.js redirects / absolute URLs.

proxy_set_header Host $http_host;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header X-Forwarded-Proto $scheme;

proxy_set_header X-Forwarded-Host $http_host;

proxy_read_timeout 30m;

proxy_connect_timeout 30m;

}

location /api/v1/ {

proxy_pass http://localhost:8000;

proxy_read_timeout 30m;

proxy_connect_timeout 30m;

proxy_set_header Host $host;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header X-Forwarded-Proto $scheme;

}

# MCP

location /mcp/ {

proxy_pass http://localhost:8001/mcp/;

proxy_read_timeout 30m;

proxy_connect_timeout 30m;

proxy_set_header Host $host;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header X-Forwarded-Proto $scheme;

}

location /mcp {

proxy_pass http://localhost:8001/mcp;

proxy_read_timeout 30m;

proxy_connect_timeout 30m;

proxy_set_header Host $host;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header X-Forwarded-Proto $scheme;

}

location /docs {

proxy_pass http://localhost:8000/docs;

proxy_read_timeout 30m;

proxy_connect_timeout 30m;

proxy_set_header Host $host;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header X-Forwarded-Proto $scheme;

}

location /openapi.json {

proxy_pass http://localhost:8000/openapi.json;

proxy_read_timeout 30m;

proxy_connect_timeout 30m;

proxy_set_header Host $host;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header X-Forwarded-Proto $scheme;

}

# Internal auth subrequest used to gate /app_data/* static access behind the

# FastAPI session cookie. Nginx serves these files directly via `alias` for

# performance, so auth_request is what keeps them from being public.

location = /_auth_check {

internal;

proxy_pass http://localhost:8000/api/v1/auth/verify;

proxy_pass_request_body off;

proxy_set_header Content-Length "";

proxy_set_header X-Original-URI $request_uri;

proxy_set_header Host $host;

proxy_set_header Cookie $http_cookie;

}

# Bundled UI static assets (logos, fonts packaged with the app) are safe to

# serve unauthenticated; they contain no user data.

location /static {

alias /app/servers/fastapi/static/;

expires 1y;

add_header Cache-Control "public, immutable";

}

location /app_data/images/ {

auth_request /_auth_check;

alias /app_data/images/;

expires 1y;

add_header Cache-Control "private, max-age=31536000";

}

location /app_data/exports/ {

auth_request /_auth_check;

alias /app_data/exports/;

expires 1y;

add_header Cache-Control "private, max-age=31536000";

}

location /app_data/uploads/ {

auth_request /_auth_check;

alias /app_data/uploads/;

expires 1y;

add_header Cache-Control "private, max-age=31536000";

}

location /app_data/fonts/ {

auth_request /_auth_check;

alias /app_data/fonts/;

expires 1y;

add_header Cache-Control "private, max-age=31536000";

}

location /app_data/pptx-to-html/ {

auth_request /_auth_check;

alias /app_data/pptx-to-html/;

expires 1y;

add_header Cache-Control "private, max-age=31536000";

}

}

}