restreamer-ui-v2/nginx-examples/djmaster.conf.template

# djmaster Nginx template
# Replace variables (or use `envsubst`) then install as an Nginx site.

server {
    listen 80;
    server_name ${UI_HOST};

    # ACME challenge served from this location (used by certbot)
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    # Redirect all other traffic to HTTPS
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;
    server_name ${UI_HOST};

    ssl_certificate ${LETSENCRYPT_PATH}/live/${UI_HOST}/fullchain.pem;
    ssl_certificate_key ${LETSENCRYPT_PATH}/live/${UI_HOST}/privkey.pem;
    include ${LETSENCRYPT_PATH}/options-ssl-nginx.conf;
    ssl_dhparam ${LETSENCRYPT_PATH}/ssl-dhparams.pem;

    # Serve the frontend (CRA dev/build) proxied to local UI server
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_read_timeout 120s;
    }

    # Microserver for OAuth and config persistence
    location /fb-server/ {
        proxy_pass http://127.0.0.1:3002/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_read_timeout 120s;
    }

    # YT-DLP stream proxy (avoid CORS in browser)
    location /yt-stream/ {
        proxy_pass http://${YTDLP_HOST}/;
        proxy_set_header Host ${YTDLP_HOST};
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_read_timeout 300s;
    }

    # YT-DLP titles/metadata proxy
    location /yt-titles/ {
        proxy_pass http://${YTDLP_TITLES_HOST}/;
        proxy_set_header Host ${YTDLP_TITLES_HOST};
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_read_timeout 120s;
    }

    # LiveKit ingress (if used)
    location /livekit-ingress/ {
        proxy_pass http://${LIVEKIT_INGRESS_HOST}/;
        proxy_set_header Host ${LIVEKIT_INGRESS_HOST};
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_read_timeout 60s;
    }

    # Tuning
    client_max_body_size 200M;
    keepalive_timeout 65;

    # Basic security headers
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options "nosniff";
    add_header Referrer-Policy "no-referrer-when-downgrade";
    add_header X-XSS-Protection "1; mode=block";
}