server { listen 80; server_name _; root /usr/share/nginx/html; index index.html; # Gzip gzip on; gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; # Backend API proxy (same network namespace via netbird-client) # Using 127.0.0.1 instead of localhost to force IPv4 (avoids IPv6 connection issues) # Note: proxy_pass without URI preserves URL encoding (important for paths with %2F) location /api/ { proxy_pass http://127.0.0.1:3001; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # Always HTTPS since NPM handles SSL termination (required for secure cookies) proxy_set_header X-Forwarded-Proto https; } # Auth routes proxy location /auth/ { proxy_pass http://127.0.0.1:3001/auth/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # Always HTTPS since NPM handles SSL termination proxy_set_header X-Forwarded-Proto https; } # WebSocket proxy for Claude sessions location /ws { proxy_pass http://127.0.0.1:3001; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # Always HTTPS since NPM handles SSL termination proxy_set_header X-Forwarded-Proto https; proxy_read_timeout 86400; proxy_send_timeout 86400; } # SPA routing for frontend location / { try_files $uri $uri/ /index.html; } # Cache static assets location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2)$ { expires 1y; add_header Cache-Control "public, immutable"; } }