Nurfog
2c8bfaa20e
- Updated mermaid from version 11.13.0 to 9.1.7 for compatibility. - Upgraded next from version 14.2.21 to ^14.2.35 for the latest features and fixes. - Added @types/dompurify and isomorphic-dompurify for improved sanitization. - Replaced innerHTML assignment in MermaidBlock with sanitized SVG using DOMPurify. - Updated eslint-config-next to ^16.2.4 for better linting support.
415 lines
15 KiB
Plaintext
415 lines
15 KiB
Plaintext
# Custom nginx configuration for OpenCCB Studio
|
|
# This overrides the default location block to route API requests correctly
|
|
|
|
# Security headers (server level - heredados por location blocks sin add_header propios)
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
add_header X-Frame-Options "SAMEORIGIN" always;
|
|
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
|
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
|
|
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https:; font-src 'self' data:; connect-src 'self' https:; media-src 'self' blob: https:; object-src 'none'; frame-ancestors 'self';" always;
|
|
|
|
# Allow large ZIP uploads (RAG bulk import can exceed 2GB).
|
|
client_max_body_size 4096m;
|
|
client_body_timeout 43200s;
|
|
|
|
# API routes that need to go to port 3001
|
|
# Prefer the explicit `/cms-api/*` prefix for frontend fetches. This avoids collisions
|
|
# with Next.js pages like `/courses` and `/admin` that share the same host.
|
|
location = /cms-api/api/assets/import-zip {
|
|
# Upload/import of large ZIPs can run for several minutes.
|
|
# Keep this route unbuffered and with very high upstream timeouts.
|
|
rewrite ^/cms-api/(.*)$ /$1 break;
|
|
proxy_pass http://openccb-studio:3001;
|
|
proxy_request_buffering off;
|
|
proxy_buffering off;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
|
|
proxy_set_header Connection "";
|
|
proxy_http_version 1.1;
|
|
proxy_connect_timeout 7200s;
|
|
proxy_send_timeout 43200s;
|
|
proxy_read_timeout 43200s;
|
|
send_timeout 43200s;
|
|
}
|
|
|
|
location /cms-api/ {
|
|
# CORS safety net at proxy level for CMS API.
|
|
set $cors_origin "";
|
|
if ($http_origin ~* "^https?://([a-z0-9-]+\\.)?norteamericano\\.(com|cl)$") {
|
|
set $cors_origin $http_origin;
|
|
}
|
|
if ($http_origin ~* "^http://localhost(:[0-9]+)?$") {
|
|
set $cors_origin $http_origin;
|
|
}
|
|
|
|
if ($request_method = OPTIONS) {
|
|
add_header Access-Control-Allow-Origin $cors_origin always;
|
|
add_header Vary "Origin, Access-Control-Request-Method, Access-Control-Request-Headers" always;
|
|
add_header Access-Control-Allow-Methods "GET,POST,PUT,DELETE,OPTIONS,PATCH,HEAD" always;
|
|
add_header Access-Control-Allow-Headers "content-type,authorization,x-requested-with,x-organization-id,range" always;
|
|
add_header Access-Control-Max-Age 86400 always;
|
|
add_header Content-Length 0 always;
|
|
add_header Content-Type "text/plain; charset=utf-8" always;
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
return 204;
|
|
}
|
|
|
|
add_header Access-Control-Allow-Origin $cors_origin always;
|
|
add_header Vary "Origin" always;
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
add_header Cache-Control "no-store, no-cache, must-revalidate, max-age=0" always;
|
|
add_header Pragma "no-cache" always;
|
|
add_header Expires "0" always;
|
|
|
|
rewrite ^/cms-api/(.*)$ /$1 break;
|
|
proxy_pass http://openccb-studio:3001;
|
|
proxy_request_buffering off;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
|
|
proxy_set_header Connection "";
|
|
proxy_http_version 1.1;
|
|
proxy_connect_timeout 300s;
|
|
proxy_send_timeout 43200s;
|
|
proxy_read_timeout 43200s;
|
|
send_timeout 43200s;
|
|
}
|
|
|
|
location /lms-api/ {
|
|
add_header Cache-Control "no-store, no-cache, must-revalidate, max-age=0" always;
|
|
add_header Pragma "no-cache" always;
|
|
add_header Expires "0" always;
|
|
|
|
rewrite ^/lms-api/(.*)$ /$1 break;
|
|
proxy_pass http://openccb-experience:3002;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
|
|
proxy_set_header Connection "";
|
|
proxy_http_version 1.1;
|
|
}
|
|
|
|
# Auth pages like GET /auth/login and GET /auth/register must be served by Next.js (3000),
|
|
# while the auth API endpoints (POST /auth/login, POST /auth/register, /auth/me, /auth/sso/*)
|
|
# must continue to go to the CMS backend (3001).
|
|
location @studio_frontend_auth {
|
|
proxy_pass http://openccb-studio:3000;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
|
|
proxy_set_header Connection "";
|
|
proxy_http_version 1.1;
|
|
}
|
|
|
|
location = /auth/login {
|
|
error_page 418 = @studio_frontend_auth;
|
|
if ($request_method != POST) {
|
|
return 418;
|
|
}
|
|
|
|
add_header Cache-Control "no-store, no-cache, must-revalidate, max-age=0" always;
|
|
add_header Pragma "no-cache" always;
|
|
add_header Expires "0" always;
|
|
|
|
proxy_pass http://openccb-studio:3001;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
|
|
proxy_set_header Connection "";
|
|
proxy_http_version 1.1;
|
|
}
|
|
|
|
location = /auth/register {
|
|
error_page 418 = @studio_frontend_auth;
|
|
if ($request_method != POST) {
|
|
return 418;
|
|
}
|
|
|
|
add_header Cache-Control "no-store, no-cache, must-revalidate, max-age=0" always;
|
|
add_header Pragma "no-cache" always;
|
|
add_header Expires "0" always;
|
|
|
|
proxy_pass http://openccb-studio:3001;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
|
|
proxy_set_header Connection "";
|
|
proxy_http_version 1.1;
|
|
}
|
|
|
|
location = /auth/callback {
|
|
proxy_pass http://openccb-studio:3000;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
|
|
proxy_set_header Connection "";
|
|
proxy_http_version 1.1;
|
|
}
|
|
|
|
location = /auth/me {
|
|
add_header Cache-Control "no-store, no-cache, must-revalidate, max-age=0" always;
|
|
add_header Pragma "no-cache" always;
|
|
add_header Expires "0" always;
|
|
|
|
proxy_pass http://openccb-studio:3001;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
|
|
proxy_set_header Connection "";
|
|
proxy_http_version 1.1;
|
|
}
|
|
|
|
location /auth/sso/ {
|
|
add_header Cache-Control "no-store, no-cache, must-revalidate, max-age=0" always;
|
|
add_header Pragma "no-cache" always;
|
|
add_header Expires "0" always;
|
|
|
|
proxy_pass http://openccb-studio:3001;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
|
|
proxy_set_header Connection "";
|
|
proxy_http_version 1.1;
|
|
}
|
|
|
|
location /auth/ {
|
|
add_header Cache-Control "no-store, no-cache, must-revalidate, max-age=0" always;
|
|
add_header Pragma "no-cache" always;
|
|
add_header Expires "0" always;
|
|
|
|
proxy_pass http://openccb-studio:3001;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
|
|
proxy_set_header Connection "";
|
|
proxy_http_version 1.1;
|
|
}
|
|
|
|
location = /organization {
|
|
add_header Cache-Control "no-store, no-cache, must-revalidate, max-age=0" always;
|
|
add_header Pragma "no-cache" always;
|
|
add_header Expires "0" always;
|
|
|
|
proxy_pass http://openccb-studio:3001;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
|
|
proxy_set_header Connection "";
|
|
proxy_http_version 1.1;
|
|
}
|
|
|
|
location /organization/ {
|
|
add_header Cache-Control "no-store, no-cache, must-revalidate, max-age=0" always;
|
|
add_header Pragma "no-cache" always;
|
|
add_header Expires "0" always;
|
|
|
|
proxy_pass http://openccb-studio:3001;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
|
|
proxy_set_header Connection "";
|
|
proxy_http_version 1.1;
|
|
}
|
|
|
|
location = /branding {
|
|
add_header Cache-Control "no-store, no-cache, must-revalidate, max-age=0" always;
|
|
add_header Pragma "no-cache" always;
|
|
add_header Expires "0" always;
|
|
|
|
proxy_pass http://openccb-studio:3001;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
|
|
proxy_set_header Connection "";
|
|
proxy_http_version 1.1;
|
|
}
|
|
|
|
# `GET /courses` is ambiguous: the dashboard API uses it for JSON, but the Studio frontend
|
|
# also uses `/courses` as a page route and for RSC/prefetch requests.
|
|
# Route page/navigation-style requests to Next.js (3000), and keep API fetches on the CMS backend (3001).
|
|
location = /courses {
|
|
error_page 418 = @studio_frontend_auth;
|
|
if ($http_accept ~* "text/html|text/x-component") {
|
|
return 418;
|
|
}
|
|
if ($http_rsc != "") {
|
|
return 418;
|
|
}
|
|
if ($http_next_router_state_tree != "") {
|
|
return 418;
|
|
}
|
|
|
|
proxy_pass http://openccb-studio:3001;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
|
|
proxy_set_header Connection "";
|
|
proxy_http_version 1.1;
|
|
}
|
|
|
|
location = /courses/ {
|
|
proxy_pass http://openccb-studio:3000;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
|
|
proxy_set_header Connection "";
|
|
proxy_http_version 1.1;
|
|
}
|
|
|
|
location /courses/ {
|
|
proxy_pass http://openccb-studio:3000;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
|
|
proxy_set_header Connection "";
|
|
proxy_http_version 1.1;
|
|
}
|
|
|
|
location /modules/ {
|
|
proxy_pass http://openccb-studio:3001;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
|
|
proxy_set_header Connection "";
|
|
proxy_http_version 1.1;
|
|
}
|
|
|
|
location /lessons/ {
|
|
proxy_pass http://openccb-studio:3001;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
|
|
proxy_set_header Connection "";
|
|
proxy_http_version 1.1;
|
|
}
|
|
|
|
location /assets/ {
|
|
proxy_pass http://openccb-studio:3001;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
|
|
proxy_set_header Connection "";
|
|
proxy_http_version 1.1;
|
|
}
|
|
|
|
location /users/ {
|
|
proxy_pass http://openccb-studio:3001;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
|
|
proxy_set_header Connection "";
|
|
proxy_http_version 1.1;
|
|
}
|
|
|
|
location /grading/ {
|
|
proxy_pass http://openccb-studio:3001;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
|
|
proxy_set_header Connection "";
|
|
proxy_http_version 1.1;
|
|
}
|
|
|
|
location = /question-bank {
|
|
proxy_pass http://openccb-studio:3000;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
|
|
proxy_set_header Connection "";
|
|
proxy_http_version 1.1;
|
|
}
|
|
|
|
location = /question-bank/ {
|
|
proxy_pass http://openccb-studio:3000/question-bank;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
|
|
proxy_set_header Connection "";
|
|
proxy_http_version 1.1;
|
|
}
|
|
|
|
location /question-bank/ {
|
|
proxy_pass http://openccb-studio:3000;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
|
|
proxy_set_header Connection "";
|
|
proxy_http_version 1.1;
|
|
}
|
|
|
|
location = /admin {
|
|
proxy_pass http://openccb-studio:3000;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
|
|
proxy_set_header Connection "";
|
|
proxy_http_version 1.1;
|
|
}
|
|
|
|
location = /admin/ {
|
|
proxy_pass http://openccb-studio:3000;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
|
|
proxy_set_header Connection "";
|
|
proxy_http_version 1.1;
|
|
}
|
|
|
|
location = /admin/organizations {
|
|
return 302 /admin;
|
|
}
|
|
|
|
location = /admin/organizations/ {
|
|
return 302 /admin;
|
|
}
|
|
|
|
location /admin/ {
|
|
proxy_pass http://openccb-studio:3000;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
|
|
proxy_set_header Connection "";
|
|
proxy_http_version 1.1;
|
|
}
|
|
|
|
location /api/ {
|
|
proxy_pass http://openccb-studio:3001;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
|
|
proxy_set_header Connection "";
|
|
proxy_http_version 1.1;
|
|
}
|