user nginx; error_log /var/log/nginx/error.log debug; pid /var/run/nginx.pid; worker_processes auto; worker_rlimit_nofile 33282; events { worker_connections 1024; } http { include /etc/nginx/mime.types; default_type application/octet-stream; proxy_set_header Host $host; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for" ' 'response_time=$upstream_response_time proxy_host=$proxy_host upstream_addr=$upstream_addr'; access_log /var/log/nginx/access.log main; map $http_upgrade $connection_upgrade { default "upgrade"; } upstream app-service { server ${PROXY_ADDRESS}:4001; keepalive 32; } upstream worker-service { server ${PROXY_ADDRESS}:4002; keepalive 32; } upstream builder { server ${PROXY_ADDRESS}:3000; keepalive 32; } server { listen 10000 default_server; server_name _; client_max_body_size 50000m; ignore_invalid_headers off; proxy_buffering off; set $csp_default "default-src 'self'"; set $csp_script "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.budibase.net https://cdn.budi.live https://js.intercomcdn.com https://widget.intercom.io https://d2l5prqdbvm3op.cloudfront.net https://us-assets.i.posthog.com"; set $csp_style "style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://fonts.googleapis.com https://rsms.me https://maxcdn.bootstrapcdn.com"; set $csp_object "object-src 'none'"; set $csp_base_uri "base-uri 'self'"; set $csp_connect "connect-src 'self' https://*.budibase.app https://*.budibaseqa.app https://*.budibase.net https://api-iam.intercom.io https://api-iam.intercom.io https://api-ping.intercom.io https://app.posthog.com https://us.i.posthog.com wss://nexus-websocket-a.intercom.io wss://nexus-websocket-b.intercom.io https://nexus-websocket-a.intercom.io https://nexus-websocket-b.intercom.io https://uploads.intercomcdn.com https://uploads.intercomusercontent.com https://*.amazonaws.com https://*.s3.amazonaws.com https://*.s3.us-east-2.amazonaws.com https://*.s3.us-east-1.amazonaws.com https://*.s3.us-west-1.amazonaws.com https://*.s3.us-west-2.amazonaws.com https://*.s3.af-south-1.amazonaws.com https://*.s3.ap-east-1.amazonaws.com https://*.s3.ap-southeast-3.amazonaws.com https://*.s3.ap-south-1.amazonaws.com https://*.s3.ap-northeast-3.amazonaws.com https://*.s3.ap-northeast-2.amazonaws.com https://*.s3.ap-southeast-1.amazonaws.com https://*.s3.ap-southeast-2.amazonaws.com https://*.s3.ap-northeast-1.amazonaws.com https://*.s3.ca-central-1.amazonaws.com https://*.s3.cn-north-1.amazonaws.com https://*.s3.cn-northwest-1.amazonaws.com https://*.s3.eu-central-1.amazonaws.com https://*.s3.eu-west-1.amazonaws.com https://*.s3.eu-west-2.amazonaws.com https://*.s3.eu-south-1.amazonaws.com https://*.s3.eu-west-3.amazonaws.com https://*.s3.eu-north-1.amazonaws.com https://*.s3.sa-east-1.amazonaws.com https://*.s3.me-south-1.amazonaws.com https://*.s3.us-gov-east-1.amazonaws.com https://*.s3.us-gov-west-1.amazonaws.com https://api.github.com"; set $csp_font "font-src 'self' data: https://cdn.jsdelivr.net https://fonts.gstatic.com https://rsms.me https://maxcdn.bootstrapcdn.com https://js.intercomcdn.com https://fonts.intercomcdn.com"; set $csp_frame "frame-src 'self' https:"; set $csp_img "img-src http: https: data: blob:"; set $csp_manifest "manifest-src 'self'"; set $csp_media "media-src 'self' https://js.intercomcdn.com https://cdn.budi.live"; set $csp_worker "worker-src blob:"; add_header Content-Security-Policy "${csp_default}; ${csp_style}; ${csp_object}; ${csp_base_uri}; ${csp_connect}; ${csp_font}; ${csp_frame}; ${csp_img}; ${csp_manifest}; ${csp_media}; ${csp_worker};" always; error_page 502 503 504 /error.html; location = /error.html { root /usr/share/nginx/html; internal; } location /db/ { proxy_pass http://couchdb-service:5984; rewrite ^/db/(.*)$ /$1 break; } location ~ ^/api/(system|admin|global)/ { proxy_read_timeout 120s; proxy_connect_timeout 120s; proxy_send_timeout 120s; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header Connection ""; proxy_pass http://worker-service; } location /api/backups/ { proxy_read_timeout 1800s; proxy_connect_timeout 1800s; proxy_send_timeout 1800s; proxy_pass http://app-service; proxy_http_version 1.1; proxy_set_header Connection ""; } location /api/ { proxy_read_timeout 120s; proxy_connect_timeout 120s; proxy_send_timeout 120s; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header Connection ""; proxy_pass http://app-service; } location = / { proxy_read_timeout 120s; proxy_connect_timeout 120s; proxy_send_timeout 120s; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header Connection ""; proxy_pass http://app-service; } location /app_ { proxy_read_timeout 120s; proxy_connect_timeout 120s; proxy_send_timeout 120s; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header Connection ""; proxy_pass http://app-service; } location /app { proxy_read_timeout 120s; proxy_connect_timeout 120s; proxy_send_timeout 120s; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header Connection ""; proxy_pass http://app-service; } location /embed { rewrite /embed/(.*) /app/$1 break; proxy_pass http://app-service; proxy_redirect off; proxy_set_header Host $host; proxy_set_header x-budibase-embed "true"; add_header x-budibase-embed "true"; add_header Content-Security-Policy "frame-ancestors *"; } location /builder { proxy_read_timeout 120s; proxy_connect_timeout 120s; proxy_send_timeout 120s; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header Connection ""; proxy_pass http://builder; rewrite ^/builder(.*)$ /builder/$1 break; } location /builder/ { proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header Connection $connection_upgrade; proxy_set_header Upgrade $http_upgrade; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_read_timeout 120s; proxy_connect_timeout 120s; proxy_send_timeout 120s; proxy_pass http://builder; } location /vite/ { proxy_pass http://builder; proxy_read_timeout 120s; proxy_connect_timeout 120s; proxy_send_timeout 120s; rewrite ^/vite(.*)$ /$1 break; } location /socket/ { proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; proxy_set_header Host $host; proxy_cache_bypass $http_upgrade; proxy_pass http://app-service; } location / { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $http_host; proxy_connect_timeout 300; proxy_http_version 1.1; proxy_set_header Connection ""; chunked_transfer_encoding off; proxy_pass http://minio-service:9000; } location /files/signed/ { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # IMPORTANT: Signed urls will inspect the host header of the request. # Normally a signed url will need to be generated with a specified client host in mind. # To support dynamic hosts, e.g. some unknown self-hosted installation url, # use a predefined host header. The host 'minio-service' is also used at the time of url signing. proxy_set_header Host minio-service; proxy_connect_timeout 300; proxy_http_version 1.1; proxy_set_header Connection ""; chunked_transfer_encoding off; proxy_pass http://minio-service:9000; rewrite ^/files/signed/(.*)$ /$1 break; } client_header_timeout 60; client_body_timeout 60; keepalive_timeout 60; gzip off; gzip_comp_level 4; } }