server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name [domain]; # SSL/TLS ssl_certificate /etc/letsencrypt/live/[domain]/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/[domain]/privkey.pem; ssl_protocols TLSv1.3; ssl_prefer_server_ciphers off; ssl_dhparam /etc/ssl/certs/dhparam.pem; ssl_ecdh_curve secp521r1:secp384r1; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /etc/letsencrypt/live/[domain]/fullchain.pem; resolver 1.1.1.1 1.0.0.1 valid=300s; resolver_timeout 5s; # Security Headers add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Frame-Options SAMEORIGIN always; add_header X-Content-Type-Options nosniff always; add_header X-Xss-Protection "1; mode=block" always; # Timeout (30 minuti) proxy_connect_timeout 1800s; proxy_send_timeout 1800s; proxy_read_timeout 1800s; send_timeout 1800s; fastcgi_read_timeout 1800s; # Buffering disabilitato per streaming proxy_buffering off; proxy_request_buffering off; proxy_buffers 8 16k; proxy_buffer_size 32k; # Dimensione massima del body (es. per upload di file) client_max_body_size 512M; # Proxy verso llama.cpp location / { proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Authorization $http_authorization; proxy_pass http://[ip_address]:8090; } # Blocca accesso a file nascosti location ~ /\.ht { deny all; } # Logging access_log /var/log/nginx/llama_access.log; error_log /var/log/nginx/llama_error.log warn; } # Redirect HTTP → HTTPS server { listen 80; listen [::]:80; server_name models.ai.badstorm.xyz; return 301 https://$host$request_uri; }