server { listen 80 default_server; listen [::]:80 default_server; server_name _; error_log /dev/stderr warn; access_log /dev/stdout main; client_max_body_size 1000m; ignore_invalid_headers off; proxy_buffering off; # port_in_redirect off; location ^~ /.well-known/acme-challenge/ { default_type "text/plain"; root /var/www/html; break; } location = /.well-known/acme-challenge/ { return 404; } location /app { proxy_pass http://127.0.0.1:4001; } location /embed { rewrite /embed/(.*) /app/$1 break; proxy_pass http://127.0.0.1:4001; proxy_redirect off; proxy_set_header Host $host; proxy_set_header x-budibase-embed "true"; add_header x-budibase-embed "true"; add_header Content-Security-Policy "frame-ancestors *"; } location = / { proxy_pass http://127.0.0.1:4001; } location ~ ^/(builder|app_) { proxy_http_version 1.1; proxy_set_header Connection $connection_upgrade; proxy_set_header Upgrade $http_upgrade; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_pass http://127.0.0.1:4001; } location ~ ^/api/(system|admin|global)/ { proxy_pass http://127.0.0.1:4002; } location /worker/ { proxy_pass http://127.0.0.1:4002; rewrite ^/worker/(.*)$ /$1 break; } location /api/backups/ { # calls to export apps are limited limit_req zone=ratelimit burst=20 nodelay; # 1800s timeout for app export requests proxy_read_timeout 1800s; proxy_connect_timeout 1800s; proxy_send_timeout 1800s; proxy_http_version 1.1; proxy_set_header Connection $connection_upgrade; proxy_set_header Upgrade $http_upgrade; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_pass http://127.0.0.1:4001; } location /api/ { # calls to the API are rate limited with bursting limit_req zone=ratelimit burst=20 nodelay; # 120s timeout on API requests proxy_read_timeout 120s; proxy_connect_timeout 120s; proxy_send_timeout 120s; proxy_http_version 1.1; proxy_set_header Connection $connection_upgrade; proxy_set_header Upgrade $http_upgrade; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_pass http://127.0.0.1:4001; } location /db/ { proxy_pass http://127.0.0.1:5984; rewrite ^/db/(.*)$ /$1 break; } location /socket/ { proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; proxy_set_header Host $host; proxy_cache_bypass $http_upgrade; proxy_pass http://127.0.0.1:4001; } location / { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $http_host; proxy_connect_timeout 300; proxy_http_version 1.1; proxy_set_header Connection ""; chunked_transfer_encoding off; proxy_pass http://127.0.0.1:9000; } location /files/signed/ { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # IMPORTANT: Signed urls will inspect the host header of the request. # Normally a signed url will need to be generated with a specified client host in mind. # To support dynamic hosts, e.g. some unknown self-hosted installation url, # use a predefined host header. The host 'minio-service' is also used at the time of url signing. proxy_set_header Host minio-service; proxy_connect_timeout 300; proxy_http_version 1.1; proxy_set_header Connection ""; chunked_transfer_encoding off; proxy_pass http://127.0.0.1:9000; rewrite ^/files/signed/(.*)$ /$1 break; } client_header_timeout 60; client_body_timeout 60; keepalive_timeout 60; # gzip gzip on; gzip_vary on; gzip_proxied any; gzip_comp_level 6; gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml; }