EchoHub/examples/nginx.conf at master · HueByte/EchoHub · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
# EchoHub nginx configuration example
#
# This config handles:
# - HTTPS reverse proxy for the HTTP API + SignalR WebSocket
# - TLS termination for IRC on port 6697
# - HTTP → HTTPS redirect
#
# Prerequisites:
# - EchoHub Server running on 127.0.0.1:5000
# - IRC gateway enabled on port 6667 (Irc:Enabled = true, Irc:TlsEnabled = false)
# - TLS certificate (e.g. from Let's Encrypt)
#
# Usage:
# 1. Copy this file to /etc/nginx/sites-available/echohub
# 2. Replace "echohub.example.com" with your domain
# 3. Update certificate paths
# 4. ln -s /etc/nginx/sites-available/echohub /etc/nginx/sites-enabled/
# 5. nginx -t && systemctl reload nginx
#
# Note: The "stream" block for IRC TLS must go in the main nginx.conf
# (outside the http block), not in sites-available. See the bottom of
# this file for the stream config.

# --- Place this in /etc/nginx/sites-available/echohub ---

# HTTP → HTTPS redirect
server {
    listen 80;
    listen [::]:80;
    server_name echohub.example.com;

    return 301 https://$host$request_uri;
}

# HTTPS — API + SignalR WebSocket
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name echohub.example.com;

    ssl_certificate     /etc/letsencrypt/live/echohub.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/echohub.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5;

    # File upload limit (match EchoHub's MaxFileSizeBytes)
    client_max_body_size 10m;

    location / {
        proxy_pass http://127.0.0.1:5000;
        proxy_http_version 1.1;

        # Standard proxy headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Required for SignalR WebSocket upgrade
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;

        # Long timeout for WebSocket connections
        proxy_read_timeout 86400s;
        proxy_send_timeout 86400s;

        # Disable buffering for real-time
        proxy_buffering off;
    }
}

# --- Place this in /etc/nginx/nginx.conf (outside the http block) ---

# IRC TLS termination (port 6697 → plain IRC on 6667)
# The stream module handles raw TCP, not HTTP.
#
# stream {
#     upstream irc_backend {
#         server 127.0.0.1:6667;
#     }
#
#     server {
#         listen 6697 ssl;
#         listen [::]:6697 ssl;
#         proxy_pass irc_backend;
#
#         ssl_certificate     /etc/letsencrypt/live/echohub.example.com/fullchain.pem;
#         ssl_certificate_key /etc/letsencrypt/live/echohub.example.com/privkey.pem;
#         ssl_protocols       TLSv1.2 TLSv1.3;
#
#         # Timeout for idle IRC connections (24 hours)
#         proxy_timeout 86400s;
#     }
# }