From a8ca5fee8a24d3dd3b89108d0285bb8d2019d2e2 Mon Sep 17 00:00:00 2001
From: Marco Olimpi
Date: Sat, 14 Feb 2026 09:46:11 +0100
Subject: [PATCH] Add Services/llamacpp.nginx
---
Services/llamacpp.nginx | 73 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 73 insertions(+)
create mode 100644 Services/llamacpp.nginx
diff --git a/Services/llamacpp.nginx b/Services/llamacpp.nginx
new file mode 100644
index 0000000..5ea22b1
--- /dev/null
+++ b/Services/llamacpp.nginx
@@ -0,0 +1,73 @@
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name [domain];
+
+ # SSL/TLS
+ ssl_certificate /etc/letsencrypt/live/[domain]/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/[domain]/privkey.pem;
+ ssl_protocols TLSv1.3;
+ ssl_prefer_server_ciphers off;
+ ssl_dhparam /etc/ssl/certs/dhparam.pem;
+ ssl_ecdh_curve secp521r1:secp384r1;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ ssl_trusted_certificate /etc/letsencrypt/live/[domain]/fullchain.pem;
+ resolver 1.1.1.1 1.0.0.1 valid=300s;
+ resolver_timeout 5s;
+
+ # Security Headers
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ add_header X-Frame-Options SAMEORIGIN always;
+ add_header X-Content-Type-Options nosniff always;
+ add_header X-Xss-Protection "1; mode=block" always;
+
+ # Timeout (30 minuti)
+ proxy_connect_timeout 1800s;
+ proxy_send_timeout 1800s;
+ proxy_read_timeout 1800s;
+ send_timeout 1800s;
+ fastcgi_read_timeout 1800s;
+
+ # Buffering disabilitato per streaming
+ proxy_buffering off;
+ proxy_request_buffering off;
+ proxy_buffers 8 16k;
+ proxy_buffer_size 32k;
+
+ # Dimensione massima del body (es. per upload di file)
+ client_max_body_size 512M;
+
+ # Proxy verso llama.cpp
+ location / {
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Authorization $http_authorization;
+
+ proxy_pass http://[ip_address]:8090;
+ }
+
+ # Blocca accesso a file nascosti
+ location ~ /\.ht {
+ deny all;
+ }
+
+ # Logging
+ access_log /var/log/nginx/llama_access.log;
+ error_log /var/log/nginx/llama_error.log warn;
+}
+
+# Redirect HTTP → HTTPS
+server {
+ listen 80;
+ listen [::]:80;
+ server_name models.ai.badstorm.xyz;
+ return 301 https://$host$request_uri;
+}
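Review bot: `location /` forwards every request to the llama.cpp backend with no access control at the proxy (no `auth_basic`, `allow`/`deny`, `limit_req` or `limit_conn`), so the only gate is whatever the backend enforces from the passed-through `Authorization` header, which is not visible in this file. Together with the 1800s timeouts, `client_max_body_size 512M` and `proxy_request_buffering off`, any client that can reach port 443 can hold long-lived connections and stream large bodies straight to the inference server; I would add a connection/request limit and either proxy-level authentication or a comment such as `# backend MUST be started with an API key; nginx does not authenticate`. The `proxy_pass http://[ip_address]:8090;` hop is cleartext, so unless the backend sits on loopback or a trusted segment the forwarded bearer token is readable on that link. Separately, the port-80 block hard-codes `server_name models.ai.badstorm.xyz;` while the 443 block uses the `[domain]` placeholder; it should read `server_name [domain];` so the template does not carry a real hostname.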