tacit/nanochat
1
0
Fork 0
mirror of https://github.com/karpathy/nanochat.git synced 2026-05-09 01:10:10 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
f642cb2eb6
nanochat/nginx/nginx.conf
Manmohan 67f568a4f2
fix(nginx): re-resolve upstream IPs so deploys don't break auth (#43) 
When docker compose recreates a service, it gets a new internal IP.
nginx was resolving upstream hostnames once at startup and serving 502
until someone manually restarted it — which is what broke /api/auth
after the last deploy.

Uses Docker Compose's embedded DNS (127.0.0.11) and moves each
proxy_pass onto a variable so nginx re-resolves every request.
Rewrites replace the path-stripping behavior that variable-form
proxy_pass doesn't provide out of the box.

Also adds a `nginx -t && nginx -s reload` step in the deploy workflow
so future nginx.conf edits land without manual ssh.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-16 20:41:01 -04:00

96 lines
3.5 KiB
Nginx Configuration File
Raw Blame History

events { worker_connections 1024; }
http {
# Rate limiting
limit_req_zone $binary_remote_addr zone=api:10m rate=30r/s;
# Redirect HTTP → HTTPS
server {
listen 80;
server_name samosachaat.art www.samosachaat.art;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name samosachaat.art www.samosachaat.art;
ssl_certificate /etc/letsencrypt/live/samosachaat.art/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/samosachaat.art/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
client_max_body_size 10M;
# Use Docker Compose's embedded DNS so upstream IPs are re-resolved
# on every request. Without this nginx caches the IP at startup and
# serves 502s after any upstream container is recreated by `compose up`.
resolver 127.0.0.11 valid=10s ipv6=off;
# Auth service — strip /api prefix, then forward to auth:8001/auth/...
location /api/auth/ {
limit_req zone=api burst=10 nodelay;
set $upstream_auth auth;
rewrite ^/api/auth/(.*)$ /auth/$1 break;
proxy_pass http://$upstream_auth:8001;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# Chat API — pass through /api/conversations* unchanged
location /api/conversations {
limit_req zone=api burst=20 nodelay;
set $upstream_chat chat-api;
proxy_pass http://$upstream_chat:8002;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# SSE streaming support
proxy_buffering off;
proxy_cache off;
proxy_read_timeout 300s;
proxy_set_header Connection '';
chunked_transfer_encoding off;
}
# Grafana (optional) — strip /grafana/ prefix
location /grafana/ {
set $upstream_grafana grafana;
rewrite ^/grafana/(.*)$ /$1 break;
proxy_pass http://$upstream_grafana:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# Everything else → Frontend (Next.js)
# Next.js handles its own /api/* routes (conversations, chat/stream)
# and proxies to backend services internally via CHAT_API_URL env var
location / {
set $upstream_frontend frontend;
proxy_pass http://$upstream_frontend:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# SSE streaming support
proxy_buffering off;
proxy_cache off;
proxy_read_timeout 300s;
proxy_set_header Connection '';
chunked_transfer_encoding off;
# WebSocket support
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
}
Reference in New Issue View Git Blame Copy Permalink