spaces/nginx.conf at main · hackclub/spaces · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    upstream api {
        server localhost:3000;
    }

    server {
        listen 80;
        server_name localhost;

        resolver 127.0.0.11 valid=30s;

        location /api {
            proxy_pass http://api;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        # Port forwarding - matches /8080/workspace, /3001/file.txt, etc.
        # Routes to localhost ports (e.g., /44831/workspace -> localhost:44831/44831/workspace)
        location ~ ^/(\d+)(/.*)?$ {
            set $port $1;
            set $fullpath $uri;
            set $target 127.0.0.1:$port;

            # Block access to internal ports
            if ($port ~ "^(2376|3000)$") {
                return 403;
            }

            proxy_pass http://$target$fullpath$is_args$args;
            proxy_set_header Host localhost:$port;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;

            # Pass through authentication headers for HTTP Basic Auth
            proxy_pass_header Authorization;
            proxy_set_header Authorization $http_authorization;

            # WebSocket support for development servers
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";

            # Additional headers for better compatibility
            proxy_set_header X-Forwarded-Host localhost:$port;
            proxy_set_header X-Forwarded-Server localhost;
            proxy_set_header X-Forwarded-Port $port;
            proxy_buffering off;

            # Handle authentication responses properly
            proxy_intercept_errors off;
        }

        # Port forwarding for KiCad - matches /kicad/space/8080, /kicad/space/3001, etc.
        # Routes to localhost ports using HTTPS (for KiCad containers)
        location ~ ^/kicad/space/(\d+)(/.*)?$ {
            set $port $1;
            set $path $2;
            set $target 127.0.0.1:$port;

            # Block access to internal ports
            if ($port ~ "^(2376|3000)$") {
                return 403;
            }

            proxy_pass https://$target$path$is_args$args;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;

            # Pass through authentication headers for HTTP Basic Auth
            proxy_pass_header Authorization;
            proxy_set_header Authorization $http_authorization;

            # WebSocket support for development servers
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $http_connection;

            # Additional headers for better compatibility
            proxy_buffering off;
            proxy_read_timeout 86400;

            # Handle authentication responses properly
            proxy_intercept_errors off;

            # SSL verification settings for self-signed certificates
            proxy_ssl_verify off;
            proxy_ssl_server_name off;
        }

        # Port forwarding - matches /space/8080, /space/3001, etc.
        # Routes to localhost ports (containers running in Docker-in-Docker)
        location ~ ^/space/(\d+)(/.*)?$ {
            set $port $1;
            set $path $2;
            set $target 127.0.0.1:$port;

            # Block access to internal ports
            if ($port ~ "^(2376|3000)$") {
                return 403;
            }

            proxy_pass http://$target$path$is_args$args;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;

            # Pass through authentication headers for HTTP Basic Auth
            proxy_pass_header Authorization;
            proxy_set_header Authorization $http_authorization;

            # WebSocket support for development servers
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $http_connection;

            # Additional headers for better compatibility
            proxy_buffering off;
            proxy_read_timeout 86400;

            # Handle authentication responses properly
            proxy_intercept_errors off;
        }

        # Godot web exports with SharedArrayBuffer support
        location /godot {
            alias /app/playground/godot;
            absolute_redirect off;
            add_header Cross-Origin-Opener-Policy same-origin;
            add_header Cross-Origin-Embedder-Policy require-corp;
            try_files $uri $uri/ =404;
        }

        # Serve static frontend files - must be last
        location / {
            root /app/client/dist;
            try_files $uri $uri/ /index.html;
        }

    }
}