feat: nginx config for self hosting

[amhsirak]

closes #551

Summary by CodeRabbit

• Chores
  • Updated server configuration to improve handling of static files and API requests.
  • Consolidated backend proxy rules and enhanced request forwarding headers for better client IP tracking.

[coderabbitai]

Walkthrough

The nginx configuration file was updated to streamline and centralize its handling of frontend and backend requests. The server block now explicitly sets the server name and document root. The frontend location serving was simplified, and all backend API-related proxying was consolidated into a single regex-based location block. Additional proxy headers for real IP and forwarding were added, and some timeout and cache bypass directives were removed. Proxy connection handling was clarified, and error handling directives were removed from the proxy block.

Changes

File(s)	Change Summary
nginx.conf	Simplified frontend serving, consolidated multiple backend proxy locations into one regex-based block, added real IP headers, removed some timeout/cache directives and error handling, updated connection handling, and clarified server root and name.

Assessment against linked issues

Objective (Issue #)	Addressed	Explanation
NGINX config improvements (#551)	✅

Poem

In the warren of configs, I hop and I tweak,
With regex and headers, I find what you seek.
One proxy to rule them, so tidy and neat,
The frontend and backend now seamlessly meet.
🐰✨ NGINX, you’re nimble—just like my feet!

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (4)

nginx.conf (4)

3-3: Consider specifying explicit server names for production.

While server_name _; works as a catch-all configuration for development, in production environments it's generally better to specify the exact domain names your application will serve. This improves security by preventing unexpected domain name binding.

- server_name _;
+ server_name yourdomain.com www.yourdomain.com;

---

15-15: Consider parameterizing the backend service location.

The hardcoded localhost:8080 with an inline comment "change as per your setup" suggests this might need customization in different environments. Consider using environment variables or including conditional configurations for different deployment environments.

- proxy_pass http://localhost:8080; # change as per your setup
+ proxy_pass ${BACKEND_URL}; # Configured via environment variable

Or alternatively, create environment-specific include files:

- proxy_pass http://localhost:8080; # change as per your setup
+ include /etc/nginx/conf.d/backend_location.conf;

---

1-28: Add performance optimizations for static assets.

Consider adding gzip compression and caching headers for static assets to improve performance. This is particularly important for a production environment.

Add these directives to the server block:

# Enable gzip compression
gzip on;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
gzip_comp_level 6;
gzip_min_length 1000;

# Cache static assets
location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
    expires 7d;
    add_header Cache-Control "public, max-age=604800, immutable";
}

---

1-28: Add request size limit for security.

Consider adding a client_max_body_size directive to limit upload sizes and prevent potential DoS attacks through large file uploads.

Add this to the server block:

# Limit request size
client_max_body_size 10M;

Adjust the size limit according to your application's requirements.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b0e8abe and 235d731.

📒 Files selected for processing (1)

• nginx.conf (1 hunks)

🔇 Additional comments (3)

nginx.conf (3)

5-7: The frontend configuration looks good.

Explicitly setting the root directory and index file improves clarity. This is a good practice for maintainability.

---

9-11: The frontend location block is well structured.

The simplified location block with try_files is the standard approach for serving single-page applications, allowing the client-side routing to handle paths.

---

20-22: Good addition of proxy headers for proper request forwarding.

The added headers X-Real-IP, X-Forwarded-For, and X-Forwarded-Proto are essential for correctly identifying client information when using a reverse proxy. This ensures the backend application can correctly identify client IPs and protocol information.

[coderabbitai]

🛠️ Refactor suggestion

Consider adding HTTPS configuration for production.

The current configuration only listens on port 80 (HTTP). For production use, especially with user authentication, it's strongly recommended to add HTTPS support with proper SSL certificate configuration.

You could add an additional server block like this:

server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name yourdomain.com www.yourdomain.com;
    
    ssl_certificate /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    
    # Rest of your configuration...
    root /var/www/maxun;
    index index.html;
    
    # Remaining location blocks...
}

For easier SSL management, consider using Certbot/Let's Encrypt.

[coderabbitai]

💡 Verification agent

🧩 Analysis chain

Verify the existence of the error page.

The configuration references /50x.html for error handling, but it's not clear if this file exists in the specified root directory (/var/www/maxun). Ensure this file exists or create it with appropriate content.

---

🏁 Script executed:

#!/bin/bash
# Check if the 50x.html file exists in common locations

# Look for 50x.html in the specified root directory
echo "Checking if 50x.html exists in project files..."
fd "50x.html" --type f

Length of output: 127

---

Add the missing /50x.html error page

The error_page 502 503 504 /50x.html; directive refers to /50x.html, but no such file was found in the repository. Please add a 50x.html file under your configured document root (/var/www/maxun) with appropriate content (or update the path to point to an existing error page).

• nginx.conf (around lines 24–27): error_page 502 503 504 /50x.html;
• Missing file: 50x.html in /var/www/maxun/50x.html

[coderabbitai]

💡 Verification agent

🧩 Analysis chain

Verify that the regex location pattern captures all required API endpoints.

The regex pattern ^/(auth|storage|record|workflow|robot|proxy|api-docs|api)(/|$) consolidates multiple API endpoints into a single location block, which is good for maintainability. However, ensure it captures all the backend endpoints your application requires.

---

🏁 Script executed:

#!/bin/bash
# Verify if there might be other API endpoints in the codebase that should be included in the nginx regex

# Look for API route definitions in the codebase
echo "Searching for potential API routes defined in the codebase..."
rg -g "*.{js,ts,jsx,tsx}" "router\.(get|post|put|delete|patch)\s*\(\s*['\"]\/[^/]+" --json | jq -r ".data.lines.text" | sort | uniq

Length of output: 434

---

🏁 Script executed:

#!/bin/bash
# Corrected search for API route prefixes in JS/TS files using PCRE
echo "Searching for API route prefixes defined in the codebase..."
rg -P -g '*.{js,ts,jsx,tsx}' "router\.(?:get|post|put|delete|patch)\(\s*['\"]\/([^\/]+)" --only-matching --replace '$1' | sort -u

Length of output: 1975

---

Update nginx location regex to include missing API prefixes

The current pattern only matches /robot (singular) and doesn’t cover the /robots and /integration routes found in the codebase. Please update the location block on line 14 of nginx.conf to include these:

• /robots for the routes in server/src/api/record.ts
• /integration for the routes in server/src/routes/integration.ts

Suggested diff:

- location  ^/(auth|storage|record|workflow|robot|proxy|api-docs|api)(/|$) {
+ location  ^/(auth|storage|record|workflow|robots|integration|proxy|api-docs|api)(/|$) {

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	location ^/(auth|storage|record|workflow|robot|proxy|api-docs|api)(/|$) {
	location ^/(auth|storage|record|workflow|robots|integration|proxy|api-docs|api)(/|$) {

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (1)

nginx.conf (1)

14-15: Regex location still misses /robots & /integration endpoints (re-raised)

A previous review already pointed out that plural /robots and the /integration prefix exist in the codebase.
They are still absent, so those routes will 404.

-location  ^/(auth|storage|record|workflow|robot|proxy|api-docs|api)(/|$) {
+location  ^/(auth|storage|record|workflow|robot|robots|integration|proxy|api-docs|api)(/|$) {

🧹 Nitpick comments (2)

nginx.conf (2)

20-23: Optional: normalise headers & indentation

Minor nits:
• Mixed tabs/spaces make the file harder to diff.
• If you terminate SSL elsewhere (load balancer), also set
proxy_set_header X-Forwarded-Host $host; and X-Forwarded-Ssl on; for clearer downstream logging.

---

8-11: Optional: enable long-term caching for static assets

For SPA bundles you can dramatically cut bandwidth by adding:

location / {
    try_files $uri $uri/ /index.html;
    expires 7d;
    add_header Cache-Control "public, must-revalidate";
}

(Adjust duration to match your cache-busting strategy.)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 235d731 and e365104.

📒 Files selected for processing (1)

• nginx.conf (1 hunks)

[coderabbitai]

⚠️ Potential issue

Hard-coding Connection 'upgrade' may break normal HTTP requests

Sending Connection: upgrade on every proxied request can confuse back-ends that do not support WebSockets.
Use the recommended map-based switch instead:

# place this once in the http{} block
map $http_upgrade $connection_upgrade {
    default close;
    websocket upgrade;
}

# inside the location block
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;

[coderabbitai]

⚠️ Potential issue

Add default_server or a concrete hostname to avoid name-based routing issues

With server_name _; Nginx will only serve this block when no other server_name matches.
If another vhost is added later, requests may unexpectedly be routed elsewhere.
Safest options:

-listen 80;
+listen 80 default_server;

or replace _ with your real hostname(s) so that routing is explicit.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	listen 80;
	server_name _;
	listen 80 default_server;
	server_name _;