TTMT.ManageWebGUI/nginx/nginx.conf

# upstream backend {
#     server 100.66.170.15:8080;
#     server 127.0.0.1:8080;
#     server 172.18.10.8:8080;
# }

server {
    listen 80;
    server_name comp.soict.io;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name comp.soict.io;

    ssl_certificate     /etc/letsencrypt/live/comp.soict.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/comp.soict.io/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5;

    # MeshCentral proxied flow can set sizable auth cookies.
    client_header_buffer_size 16k;
    large_client_header_buffers 8 32k;

    # Required when proxy_pass uses variables.
    # In Docker, 127.0.0.11 is the embedded DNS resolver.
    resolver 127.0.0.11 valid=30s ipv6=off;
    resolver_timeout 5s;

    set $backend_server 172.18.10.8:8080;
    # Internal MeshCentral hop to avoid upstream TLS handshake instability.
    set $meshserver meshcentral:8082;
    # Public host MeshCentral expects in Host header.
    set $meshhost soict-overleaf.tailc51e09.ts.net;

    root /usr/share/nginx/html;
    index index.html index.htm;

    # MeshCentral auth entrypoint. If iframe/browser lands on /login due to
    # redirect, keep it on MeshCentral instead of frontend routing.
    location = /login {
        proxy_pass http://$meshserver;

        proxy_http_version 1.1;
        proxy_set_header Host $meshhost;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;

        proxy_cookie_path / "/; HTTPOnly; Secure; SameSite=None";
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
        proxy_buffering off;
    }

    # MeshCentral may redirect to "/" with remote params after login.
    # Detect those requests and proxy them to MeshCentral instead of SPA.
    location = / {
        if ($arg_node != "") {
            rewrite ^ /__mesh_root_proxy__ last;
        }

        if ($arg_viewmode != "") {
            rewrite ^ /__mesh_root_proxy__ last;
        }

        if ($arg_gotonode != "") {
            rewrite ^ /__mesh_root_proxy__ last;
        }

        try_files $uri $uri/ /index.html;
    }

    location = /__mesh_root_proxy__ {
        proxy_pass http://$meshserver;

        proxy_http_version 1.1;
        proxy_set_header Host $meshhost;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;

        proxy_cookie_path / "/; HTTPOnly; Secure; SameSite=None";
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
        proxy_buffering off;
    }

    location / {
        try_files $uri $uri/ /index.html;
    }

    location ~* \.(?:css|js|jpg|jpeg|gif|png|ico|svg|webp)$ {
        expires 1y;
        add_header Cache-Control "public";
        access_log off;
    }

    location /api/ {
        proxy_pass http://$backend_server;

        client_max_body_size 900M;
        proxy_request_buffering off;
        proxy_read_timeout 300s;
        proxy_connect_timeout 300s;
        proxy_send_timeout 300s;

        if ($request_method = OPTIONS) {
            return 204;
        }
    }

    location /api/Sse/events {
        proxy_pass http://$backend_server/api/Sse/events;
        proxy_http_version 1.1;

        proxy_set_header Connection '';
        proxy_buffering off;
        proxy_cache off;
        proxy_read_timeout 1h;
    }

    # MeshCentral client builds WebSocket URL from current location,
    # e.g. wss://comp.soict.io/control.ashx.
    location ~ ^/(control|meshrelay|commander|mesh)\.ashx$ {
        proxy_pass http://$meshserver;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_set_header Host $meshhost;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;

        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
        proxy_buffering off;
    }

    location = /api/meshcentral/proxy {
        return 301 /api/meshcentral/proxy/;
    }

    location ^~ /api/meshcentral/proxy/ {
        # Forward directly to MeshCentral, but strip proxy prefix first.
        # Without this, upstream sees /api/meshcentral/proxy/* and can redirect-loop.
        rewrite ^/api/meshcentral/proxy/(.*)$ /$1 break;
        proxy_pass http://$meshserver;
        proxy_cookie_path / "/; HTTPOnly; Secure; SameSite=None";

        proxy_set_header Host $meshhost;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;

        # Keep browser navigation under /api/meshcentral/proxy/*.
        proxy_redirect ~^https?://[^/]+(/.*)$ /api/meshcentral/proxy$1;
        proxy_redirect ~^(/.*)$ /api/meshcentral/proxy$1;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_buffering off;
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
    }

    # FE production currently builds mesh proxy path as /meshapi/api/meshcentral/proxy/...
    location = /meshapi/api/meshcentral/proxy {
        return 301 /meshapi/api/meshcentral/proxy/;
    }

    location ^~ /meshapi/api/meshcentral/proxy/ {
        # Legacy frontend path -> backend MeshCentralProxyController
        rewrite ^/meshapi/api/meshcentral/proxy/(.*)$ /$1 break;
        proxy_pass http://$backend_server;
        proxy_cookie_path / "/; HTTPOnly; Secure; SameSite=None";

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_buffering off;
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
    }
}
Comment redundant load banlancing and CORS headers 2026-03-25 23:18:50 +07:00			`# upstream backend {`
			`# server 100.66.170.15:8080;`
			`# server 127.0.0.1:8080;`
			`# server 172.18.10.8:8080;`
			`# }`
Change nginx setting for handling mesh funnel domain 2026-04-16 16:17:34 +07:00
Add docker file and nginx config 2025-08-12 15:22:56 +07:00			`server {`
			`listen 80;`
Change nginx setting for handling mesh funnel domain 2026-04-16 16:17:34 +07:00			`server_name comp.soict.io;`
update nginx conf for better redirection 2026-04-04 17:05:41 +07:00
			`location /.well-known/acme-challenge/ {`
			`root /var/www/certbot;`
			`}`

			`location / {`
			`return 301 https://$host$request_uri;`
			`}`
update nginx config for https compability 2026-04-03 10:58:17 +07:00			`}`

Change nginx setting for handling mesh funnel domain 2026-04-16 16:17:34 +07:00			`server {`
update nginx config for https compability 2026-04-03 10:58:17 +07:00			`listen 443 ssl;`
			`server_name comp.soict.io;`
Change nginx setting for handling mesh funnel domain 2026-04-16 16:17:34 +07:00
Update cert to authorized cert for better https 2026-04-04 19:19:17 +07:00			`ssl_certificate /etc/letsencrypt/live/comp.soict.io/fullchain.pem;`
			`ssl_certificate_key /etc/letsencrypt/live/comp.soict.io/privkey.pem;`
			`ssl_protocols TLSv1.2 TLSv1.3;`
			`ssl_ciphers HIGH:!aNULL:!MD5;`
Change nginx setting for handling mesh funnel domain 2026-04-16 16:17:34 +07:00
			`# MeshCentral proxied flow can set sizable auth cookies.`
			`client_header_buffer_size 16k;`
			`large_client_header_buffers 8 32k;`

			`# Required when proxy_pass uses variables.`
			`# In Docker, 127.0.0.11 is the embedded DNS resolver.`
			`resolver 127.0.0.11 valid=30s ipv6=off;`
			`resolver_timeout 5s;`

Comment redundant load banlancing and CORS headers 2026-03-25 23:18:50 +07:00			`set $backend_server 172.18.10.8:8080;`
Change nginx setting for handling mesh funnel domain 2026-04-16 16:17:34 +07:00			`# Internal MeshCentral hop to avoid upstream TLS handshake instability.`
			`set $meshserver meshcentral:8082;`
			`# Public host MeshCentral expects in Host header.`
			`set $meshhost soict-overleaf.tailc51e09.ts.net;`

Add docker file and nginx config 2025-08-12 15:22:56 +07:00			`root /usr/share/nginx/html;`
			`index index.html index.htm;`
Change nginx setting for handling mesh funnel domain 2026-04-16 16:17:34 +07:00
			`# MeshCentral auth entrypoint. If iframe/browser lands on /login due to`
			`# redirect, keep it on MeshCentral instead of frontend routing.`
			`location = /login {`
			`proxy_pass http://$meshserver;`

			`proxy_http_version 1.1;`
			`proxy_set_header Host $meshhost;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $scheme;`
			`proxy_set_header X-Forwarded-Host $host;`

			`proxy_cookie_path / "/; HTTPOnly; Secure; SameSite=None";`
			`proxy_read_timeout 3600s;`
			`proxy_send_timeout 3600s;`
			`proxy_buffering off;`
			`}`

			`# MeshCentral may redirect to "/" with remote params after login.`
			`# Detect those requests and proxy them to MeshCentral instead of SPA.`
			`location = / {`
			`if ($arg_node != "") {`
			`rewrite ^ /__mesh_root_proxy__ last;`
			`}`

			`if ($arg_viewmode != "") {`
			`rewrite ^ /__mesh_root_proxy__ last;`
			`}`

			`if ($arg_gotonode != "") {`
			`rewrite ^ /__mesh_root_proxy__ last;`
			`}`

			`try_files $uri $uri/ /index.html;`
			`}`

			`location = /__mesh_root_proxy__ {`
			`proxy_pass http://$meshserver;`

			`proxy_http_version 1.1;`
			`proxy_set_header Host $meshhost;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $scheme;`
			`proxy_set_header X-Forwarded-Host $host;`

			`proxy_cookie_path / "/; HTTPOnly; Secure; SameSite=None";`
			`proxy_read_timeout 3600s;`
			`proxy_send_timeout 3600s;`
			`proxy_buffering off;`
			`}`

Add docker file and nginx config 2025-08-12 15:22:56 +07:00			`location / {`
			`try_files $uri $uri/ /index.html;`
			`}`

			`location ~* \.(?:css\|js\|jpg\|jpeg\|gif\|png\|ico\|svg\|webp)$ {`
			`expires 1y;`
			`add_header Cache-Control "public";`
Change nginx setting for handling mesh funnel domain 2026-04-16 16:17:34 +07:00			`access_log off;`
Add docker file and nginx config 2025-08-12 15:22:56 +07:00			`}`
config nginx 2025-08-15 15:40:45 +07:00
			`location /api/ {`
Comment redundant load banlancing and CORS headers 2026-03-25 23:18:50 +07:00			`proxy_pass http://$backend_server;`
config nginx 2025-08-15 15:40:45 +07:00
Increase client_max_body_size internal nginx 2026-05-05 19:11:12 +07:00			`client_max_body_size 900M;`
config in nginx and app page for real time refetch and upload from website 2025-08-27 22:36:27 +07:00			`proxy_request_buffering off;`
			`proxy_read_timeout 300s;`
			`proxy_connect_timeout 300s;`
			`proxy_send_timeout 300s;`

config nginx 2025-08-15 15:40:45 +07:00			`if ($request_method = OPTIONS) {`
			`return 204;`
			`}`
			`}`
Change nginx setting for handling mesh funnel domain 2026-04-16 16:17:34 +07:00
config nginx to fix sse not found bug 2025-08-25 09:40:11 +07:00			`location /api/Sse/events {`
Comment redundant load banlancing and CORS headers 2026-03-25 23:18:50 +07:00			`proxy_pass http://$backend_server/api/Sse/events;`
config nginx to fix sse not found bug 2025-08-25 09:40:11 +07:00			`proxy_http_version 1.1;`

			`proxy_set_header Connection '';`
			`proxy_buffering off;`
			`proxy_cache off;`
			`proxy_read_timeout 1h;`
			`}`
ayeyeyeyeye 2026-03-29 00:21:31 +07:00
fix remote redirect to using server IP 2026-04-10 18:52:39 +07:00			`# MeshCentral client builds WebSocket URL from current location,`
Change nginx setting for handling mesh funnel domain 2026-04-16 16:17:34 +07:00			`# e.g. wss://comp.soict.io/control.ashx.`
fix remote redirect to using server IP 2026-04-10 18:52:39 +07:00			`location ~ ^/(control\|meshrelay\|commander\|mesh)\.ashx$ {`
Change nginx setting for handling mesh funnel domain 2026-04-16 16:17:34 +07:00			`proxy_pass http://$meshserver;`
fix remote redirect to using server IP 2026-04-10 18:52:39 +07:00
			`proxy_http_version 1.1;`
			`proxy_set_header Upgrade $http_upgrade;`
			`proxy_set_header Connection "upgrade";`

Change nginx setting for handling mesh funnel domain 2026-04-16 16:17:34 +07:00			`proxy_set_header Host $meshhost;`
fix remote redirect to using server IP 2026-04-10 18:52:39 +07:00			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $scheme;`
			`proxy_set_header X-Forwarded-Host $host;`

			`proxy_read_timeout 3600s;`
			`proxy_send_timeout 3600s;`
			`proxy_buffering off;`
			`}`

			`location = /api/meshcentral/proxy {`
			`return 301 /api/meshcentral/proxy/;`
			`}`

			`location ^~ /api/meshcentral/proxy/ {`
Change nginx setting for handling mesh funnel domain 2026-04-16 16:17:34 +07:00			`# Forward directly to MeshCentral, but strip proxy prefix first.`
			`# Without this, upstream sees /api/meshcentral/proxy/* and can redirect-loop.`
			`rewrite ^/api/meshcentral/proxy/(.*)$ /$1 break;`
			`proxy_pass http://$meshserver;`
ayeyeyeyeye 2026-03-29 00:21:31 +07:00			`proxy_cookie_path / "/; HTTPOnly; Secure; SameSite=None";`
change mesh central proxy 2026-04-09 14:48:51 +07:00
Change nginx setting for handling mesh funnel domain 2026-04-16 16:17:34 +07:00			`proxy_set_header Host $meshhost;`
change mesh central proxy 2026-04-09 14:48:51 +07:00			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $scheme;`
fix remote redirect to using server IP 2026-04-10 18:52:39 +07:00			`proxy_set_header X-Forwarded-Host $host;`
change mesh central proxy 2026-04-09 14:48:51 +07:00
Change nginx setting for handling mesh funnel domain 2026-04-16 16:17:34 +07:00			`# Keep browser navigation under /api/meshcentral/proxy/*.`
			`proxy_redirect ~^https?://[^/]+(/.*)$ /api/meshcentral/proxy$1;`
			`proxy_redirect ~^(/.*)$ /api/meshcentral/proxy$1;`

change mesh central proxy 2026-04-09 14:48:51 +07:00			`proxy_http_version 1.1;`
			`proxy_set_header Upgrade $http_upgrade;`
			`proxy_set_header Connection "upgrade";`
			`proxy_buffering off;`
			`proxy_read_timeout 3600s;`
			`proxy_send_timeout 3600s;`
			`}`

			`# FE production currently builds mesh proxy path as /meshapi/api/meshcentral/proxy/...`
fix remote redirect to using server IP 2026-04-10 18:52:39 +07:00			`location = /meshapi/api/meshcentral/proxy {`
			`return 301 /meshapi/api/meshcentral/proxy/;`
			`}`

Change nginx setting for handling mesh funnel domain 2026-04-16 16:17:34 +07:00			`location ^~ /meshapi/api/meshcentral/proxy/ {`
fix remote redirect to using server IP 2026-04-10 18:52:39 +07:00			`# Legacy frontend path -> backend MeshCentralProxyController`
			`rewrite ^/meshapi/api/meshcentral/proxy/(.*)$ /$1 break;`
			`proxy_pass http://$backend_server;`
change mesh central proxy 2026-04-09 14:48:51 +07:00			`proxy_cookie_path / "/; HTTPOnly; Secure; SameSite=None";`

			`proxy_set_header Host $host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $scheme;`
fix remote redirect to using server IP 2026-04-10 18:52:39 +07:00			`proxy_set_header X-Forwarded-Host $host;`
change mesh central proxy 2026-04-09 14:48:51 +07:00
ayeyeyeyeye 2026-03-29 00:21:31 +07:00			`proxy_http_version 1.1;`
			`proxy_set_header Upgrade $http_upgrade;`
			`proxy_set_header Connection "upgrade";`
change mesh central proxy 2026-04-09 14:48:51 +07:00			`proxy_buffering off;`
			`proxy_read_timeout 3600s;`
			`proxy_send_timeout 3600s;`
ayeyeyeyeye 2026-03-29 00:21:31 +07:00			`}`
update nginx config for https compability 2026-04-03 10:58:17 +07:00			`}`