diff --git a/Services/lemonade/lemonade.container b/Services/lemonade/lemonade.container index 6ea4e14..131dd50 100644 --- a/Services/lemonade/lemonade.container +++ b/Services/lemonade/lemonade.container @@ -17,6 +17,7 @@ SecurityLabelType=container_runtime_t Environment=LEMONADE_LLAMACPP=vulkan Environment=LEMONADE_HOST=0.0.0.0 Environment=LEMONADE_PORT=8000 +Environment=LEMONADE_LLAMACPP_ARGS="--no-mmap --no-warmup" Environment=LEMONADE_CTX_SIZE=131072 # HF diff --git a/Services/lemonade/lemonade.nginx b/Services/lemonade/lemonade.nginx new file mode 100644 index 0000000..0d6d3cb --- /dev/null +++ b/Services/lemonade/lemonade.nginx @@ -0,0 +1,114 @@ +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} + +server { + listen 80; + server_name models.badstorm.xyz; + return 301 https://$server_name$request_uri; +} + +server { + listen 443 ssl; + listen [::]:443 ssl; + server_name models.badstorm.xyz; + charset utf-8; + keepalive_timeout 0; + + # SSL + ssl_certificate /etc/nginx/ssl/live/ai.duckpage.net/fullchain.pem; + ssl_certificate_key /etc/nginx/ssl/live/ai.duckpage.net/privkey.pem; + + # Improve HTTPS performance with session resumption + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 10m; + + # SSL Protocols and Ciphers + ssl_protocols TLSv1.3; + ssl_prefer_server_ciphers off; + ssl_dhparam /etc/nginx/ssl/dhparam.pem; + ssl_ecdh_curve secp521r1:secp384r1; + + # Security Headers + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; + add_header X-Frame-Options SAMEORIGIN always; + add_header X-Content-Type-Options nosniff always; + add_header X-Xss-Protection "1; mode=block" always; + + # OCSP Stapling + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate /etc/nginx/ssl/live/ai.duckpage.net/fullchain.pem; + resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; + resolver_timeout 5s; + + client_max_body_size 512M; + client_body_buffer_size 128k; + + # Gzip + gzip on; + gzip_types text/plain text/xml text/css application/xhtml+xml application/xml image/svg+xml application/rss+xml application/atom_xml application/javascript application/x-javascript application/x-httpd-php application/x-httpd-fastphp application/x-httpd-eruby; + + # ============================== + # Proxy per LLM /api/v1 (Copilot) + # ============================== + location /api/v1 { + proxy_http_version 1.1; + + # WebSocket + SSE Support + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + # ESSENZIALI per LLM (streaming) + proxy_buffering off; + proxy_request_buffering off; + proxy_cache off; + + # Timeouts alti perché Copilot mantiene le connessioni aperte + proxy_connect_timeout 3600; + proxy_send_timeout 3600; + proxy_read_timeout 3600; + send_timeout 3600; + + # Header classici + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_pass http://lemonade:8000/api/v1; + } + + # ============================== + # Proxy main UI / altri endpoint + # ============================== + location / { + proxy_http_version 1.1; + + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + + # Se anche qui hai streaming, puoi tenere questi: + proxy_buffering off; + proxy_request_buffering off; + proxy_cache off; + + proxy_connect_timeout 600; + proxy_send_timeout 600; + proxy_read_timeout 600; + send_timeout 600; + + proxy_redirect off; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + + proxy_pass http://lemonade:8000; + } + + location ~ /\.ht { + deny all; + } +} \ No newline at end of file