# Nginx config for rivet.rateright.com.au # Reverse proxy to Clawdbot gateway (webhook port) server { listen 80; listen [::]:80; server_name rivet.rateright.com.au; # Redirect HTTP to HTTPS (will be modified by certbot) location / { return 301 https://$server_name$request_uri; } } server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name rivet.rateright.com.au; # SSL certificates (will be added by certbot) # ssl_certificate /etc/letsencrypt/live/rivet.rateright.com.au/fullchain.pem; # ssl_certificate_key /etc/letsencrypt/live/rivet.rateright.com.au/privkey.pem; # include /etc/letsencrypt/options-ssl-nginx.conf; # ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # Security headers add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; # Logging access_log /var/log/nginx/rivet.access.log; error_log /var/log/nginx/rivet.error.log; # Proxy settings for WebSocket support location / { proxy_pass http://127.0.0.1:3334; proxy_http_version 1.1; # WebSocket support proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; # Standard proxy headers proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # Timeouts for long-running connections proxy_connect_timeout 60s; proxy_send_timeout 60s; proxy_read_timeout 300s; # Buffering settings proxy_buffering off; proxy_cache_bypass $http_upgrade; } # Health check endpoint location /health { proxy_pass http://127.0.0.1:3334/health; access_log off; } }