Some checks failed
verify / verify (push) Has been cancelled
Separate local parsing from model indexing, bind review decisions to immutable manifests, persist vectors behind active profiles, and expose retrieval, chat, evaluation, and document workflows through the React workbench. Constraint: Live Bailian authentication currently fails for all three configured capabilities Rejected: Direct upload-to-embedding flow | bypasses local review and manifest binding Confidence: high Scope-risk: broad Directive: Keep private-data deployment blocked until authentication, RBAC, and separate database roles land Tested: make verify; fresh and replay Docker document smoke; worker recovery smoke; frozen synthetic evaluation; migration 0003-0004 roundtrip Not-tested: Successful live Bailian calls, OCR, real multi-user authorization
115 lines
3.7 KiB
Nginx Configuration File
115 lines
3.7 KiB
Nginx Configuration File
pid /tmp/nginx.pid;
|
|
|
|
worker_processes auto;
|
|
|
|
error_log /dev/stderr notice;
|
|
|
|
events {
|
|
worker_connections 1024;
|
|
}
|
|
|
|
http {
|
|
include /etc/nginx/mime.types;
|
|
default_type application/octet-stream;
|
|
|
|
access_log /dev/stdout;
|
|
|
|
client_body_temp_path /tmp/client_temp;
|
|
proxy_temp_path /tmp/proxy_temp;
|
|
fastcgi_temp_path /tmp/fastcgi_temp;
|
|
uwsgi_temp_path /tmp/uwsgi_temp;
|
|
scgi_temp_path /tmp/scgi_temp;
|
|
|
|
sendfile on;
|
|
tcp_nopush on;
|
|
keepalive_timeout 65s;
|
|
server_tokens off;
|
|
|
|
gzip on;
|
|
gzip_comp_level 5;
|
|
gzip_min_length 1024;
|
|
gzip_proxied any;
|
|
gzip_types
|
|
application/javascript
|
|
application/json
|
|
application/xml
|
|
image/svg+xml
|
|
text/css
|
|
text/plain;
|
|
|
|
# FastAPI's development Swagger page currently references versioned assets
|
|
# from jsDelivr and uses an inline bootstrap script. Keep that exception
|
|
# scoped to /docs; the React application retains the strict self-only policy.
|
|
map $uri $content_security_policy {
|
|
~^/docs(?:/|$) "default-src 'self'; base-uri 'self'; connect-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'none'; img-src 'self' data: https://fastapi.tiangolo.com; object-src 'none'; script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net";
|
|
default "default-src 'self'; base-uri 'self'; connect-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'none'; img-src 'self' data:; object-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'";
|
|
}
|
|
|
|
resolver 127.0.0.11 valid=10s ipv6=off;
|
|
|
|
upstream gateway_upstream {
|
|
zone gateway_upstream 64k;
|
|
server gateway:8000 resolve;
|
|
keepalive 32;
|
|
}
|
|
|
|
server {
|
|
listen 8080;
|
|
server_name _;
|
|
|
|
root /usr/share/nginx/html;
|
|
index index.html;
|
|
client_max_body_size 100m;
|
|
|
|
add_header Content-Security-Policy $content_security_policy always;
|
|
add_header Cross-Origin-Opener-Policy "same-origin" always;
|
|
add_header Cross-Origin-Resource-Policy "same-origin" always;
|
|
add_header Permissions-Policy "camera=(), geolocation=(), microphone=()" always;
|
|
add_header Referrer-Policy "no-referrer" always;
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
add_header X-Frame-Options "DENY" always;
|
|
add_header X-Permitted-Cross-Domain-Policies "none" always;
|
|
|
|
location = /nginx-health {
|
|
access_log off;
|
|
default_type text/plain;
|
|
return 200 "ok\n";
|
|
}
|
|
|
|
location ~ /\.(?!well-known(?:/|$)) {
|
|
deny all;
|
|
}
|
|
|
|
# Keep all browser API traffic same-origin. Buffering is disabled so
|
|
# event-stream responses can be delivered incrementally end to end.
|
|
location ~ ^/(?:api(?:/|$)|health(?:/|$)|docs(?:/|$)|openapi\.json$) {
|
|
proxy_pass http://gateway_upstream;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Connection "";
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Host $host;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_buffering off;
|
|
proxy_cache off;
|
|
proxy_request_buffering off;
|
|
proxy_read_timeout 300s;
|
|
proxy_send_timeout 300s;
|
|
}
|
|
|
|
location ^~ /assets/ {
|
|
expires 1y;
|
|
try_files $uri =404;
|
|
}
|
|
|
|
location = /index.html {
|
|
expires -1;
|
|
try_files /index.html =404;
|
|
}
|
|
|
|
location / {
|
|
try_files $uri $uri/ /index.html;
|
|
}
|
|
}
|
|
}
|