Services/llamacpp.nginx

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name [domain];

    # SSL/TLS
    ssl_certificate /etc/letsencrypt/live/[domain]/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/[domain]/privkey.pem;
    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_ecdh_curve secp521r1:secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/[domain]/fullchain.pem;
    resolver 1.1.1.1 1.0.0.1 valid=300s;
    resolver_timeout 5s;

    # Security Headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Xss-Protection "1; mode=block" always;

    # Timeout (30 minuti)
    proxy_connect_timeout 1800s;
    proxy_send_timeout 1800s;
    proxy_read_timeout 1800s;
    send_timeout 1800s;
    fastcgi_read_timeout 1800s;

    # Buffering disabilitato per streaming
    proxy_buffering off;
    proxy_request_buffering off;
    proxy_buffers 8 16k;
    proxy_buffer_size 32k;

    # Dimensione massima del body (es. per upload di file)
    client_max_body_size 512M;

    # Proxy verso llama.cpp
    location / {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Authorization $http_authorization;

        proxy_pass http://[ip_address]:8090;
    }

    # Blocca accesso a file nascosti
    location ~ /\.ht {
        deny all;
    }

    # Logging
    access_log /var/log/nginx/llama_access.log;
    error_log /var/log/nginx/llama_error.log warn;
}

# Redirect HTTP → HTTPS
server {
    listen 80;
    listen [::]:80;
    server_name models.ai.badstorm.xyz;
    return 301 https://$host$request_uri;
}
Add Services/llamacpp.nginx 2026-02-14 09:46:11 +01:00			`server {`
			`listen 443 ssl http2;`
			`listen [::]:443 ssl http2;`
			`server_name [domain];`

			`# SSL/TLS`
			`ssl_certificate /etc/letsencrypt/live/[domain]/fullchain.pem;`
			`ssl_certificate_key /etc/letsencrypt/live/[domain]/privkey.pem;`
			`ssl_protocols TLSv1.3;`
			`ssl_prefer_server_ciphers off;`
			`ssl_dhparam /etc/ssl/certs/dhparam.pem;`
			`ssl_ecdh_curve secp521r1:secp384r1;`
			`ssl_session_cache shared:SSL:10m;`
			`ssl_session_timeout 10m;`
			`ssl_stapling on;`
			`ssl_stapling_verify on;`
			`ssl_trusted_certificate /etc/letsencrypt/live/[domain]/fullchain.pem;`
			`resolver 1.1.1.1 1.0.0.1 valid=300s;`
			`resolver_timeout 5s;`

			`# Security Headers`
			`add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;`
			`add_header X-Frame-Options SAMEORIGIN always;`
			`add_header X-Content-Type-Options nosniff always;`
			`add_header X-Xss-Protection "1; mode=block" always;`

			`# Timeout (30 minuti)`
			`proxy_connect_timeout 1800s;`
			`proxy_send_timeout 1800s;`
			`proxy_read_timeout 1800s;`
			`send_timeout 1800s;`
			`fastcgi_read_timeout 1800s;`

			`# Buffering disabilitato per streaming`
			`proxy_buffering off;`
			`proxy_request_buffering off;`
			`proxy_buffers 8 16k;`
			`proxy_buffer_size 32k;`

			`# Dimensione massima del body (es. per upload di file)`
			`client_max_body_size 512M;`

			`# Proxy verso llama.cpp`
			`location / {`
			`proxy_http_version 1.1;`
			`proxy_set_header Upgrade $http_upgrade;`
			`proxy_set_header Connection "Upgrade";`
			`proxy_set_header Host $host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $scheme;`
			`proxy_set_header Authorization $http_authorization;`

			`proxy_pass http://[ip_address]:8090;`
			`}`

			`# Blocca accesso a file nascosti`
			`location ~ /\.ht {`
			`deny all;`
			`}`

			`# Logging`
			`access_log /var/log/nginx/llama_access.log;`
			`error_log /var/log/nginx/llama_error.log warn;`
			`}`

			`# Redirect HTTP → HTTPS`
			`server {`
			`listen 80;`
			`listen [::]:80;`
			`server_name models.ai.badstorm.xyz;`
			`return 301 https://$host$request_uri;`
			`}`