penpot/docker/devenv/files/nginx.conf

user root;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 100;
    types_hash_max_size 2048;
    server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    reset_timedout_connection on;
    client_body_timeout 20s;
    client_header_timeout 20s;

    proxy_connect_timeout 300s;
    proxy_send_timeout 300s;
    proxy_read_timeout 300s;
    send_timeout 300s;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    gzip on;

    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;

    gzip_types text/plain text/css text/javascript application/javascript application/json application/transit+json image/svg+xml application/wasm;

    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    proxy_cache_path /tmp/cache/ levels=2:2 keys_zone=penpot:20m;
    proxy_cache_methods GET HEAD;
    proxy_cache_valid any 48h;
    proxy_cache_key "$host$request_uri";

    server {
        listen 4449 default_server;
        server_name _;

        client_max_body_size 300M;
        charset utf-8;

        proxy_http_version 1.1;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_buffer_size 16k;
        proxy_busy_buffers_size 24k; # essentially, proxy_buffer_size + 2 small buffers of 4k
        proxy_buffers 32 4k;
        resolver 127.0.0.11 ipv6=off;

        etag off;
        proxy_hide_header X-Powered-By;
        include /home/penpot/penpot/docker/devenv/files/nginx-security-headers.conf;

        root /home/penpot/penpot/frontend/resources/public;

        location @handle_redirect {
            set $redirect_uri "$upstream_http_location";
            set $redirect_host "$upstream_http_x_host";
            set $redirect_cache_control "$upstream_http_cache_control";
            set $real_mtype "$upstream_http_x_mtype";

            proxy_set_header Host "$redirect_host";
            proxy_hide_header etag;
            proxy_hide_header x-amz-id-2;
            proxy_hide_header x-amz-request-id;
            proxy_hide_header x-amz-meta-server-side-encryption;
            proxy_hide_header x-amz-server-side-encryption;
            proxy_pass $redirect_uri;
            proxy_ssl_server_name on;

            include /home/penpot/penpot/docker/devenv/files/nginx-security-headers.conf;
            add_header x-internal-redirect "$redirect_uri";
            add_header x-cache-control "$redirect_cache_control";
            add_header cache-control "$redirect_cache_control";
            add_header content-type "$real_mtype";
        }

        location /assets {
            proxy_pass http://127.0.0.1:6060/assets;
            recursive_error_pages on;
            proxy_intercept_errors on;
            error_page 301 302 307 = @handle_redirect;
        }

        location /internal/assets {
            internal;
            alias /home/penpot/penpot/backend/assets;
            include /home/penpot/penpot/docker/devenv/files/nginx-security-headers.conf;
            add_header x-internal-redirect "$upstream_http_x_accel_redirect";
        }

        # On production, this is controlled by ELB
        location /api/export {
            proxy_pass http://127.0.0.1:6061;
        }

        location /api {
            proxy_pass http://127.0.0.1:6060/api;
            proxy_http_version 1.1;
        }

        location /plugins/mcp {
            alias /home/penpot/penpot/mcp/packages/plugin/dist;
            proxy_http_version 1.1;
        }

        location /plugins {
            autoindex on;
            alias /home/penpot/penpot/plugins/dist/apps;
            proxy_http_version 1.1;
        }

        location /api/remote-relay {
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_pass http://127.0.0.1:3448;
            proxy_http_version 1.1;
        }

        location /mcp/ws {
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_pass http://127.0.0.1:4402;
            proxy_http_version 1.1;
        }

        location /management {
            proxy_pass http://127.0.0.1:6060/management;
            proxy_http_version 1.1;
        }

        location /mcp/stream {
            proxy_pass http://127.0.0.1:4401/mcp;
            proxy_http_version 1.1;
        }

        location /mcp/sse {
            proxy_pass http://127.0.0.1:4401/sse;
            proxy_http_version 1.1;
        }

        location /admin {
            proxy_pass http://127.0.0.1:6063/admin;
        }

        location /webhooks {
            proxy_pass http://127.0.0.1:6060/webhooks;
        }

        location /dbg {
            proxy_pass http://127.0.0.1:6060/dbg;
        }

        location /telemetry {
            proxy_pass http://127.0.0.1:6070/inbox;
        }

        location /payments {
            proxy_pass http://127.0.0.1:5000;
        }

        location /admin-console {
           proxy_pass http://127.0.0.1:3000;
           proxy_http_version 1.1;

           proxy_set_header Host $host;
           proxy_set_header X-Real-IP $remote_addr;
           proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
           proxy_set_header X-Forwarded-Proto $scheme;
        }

        location /wasm-playground {
            alias /home/penpot/penpot/frontend/resources/public/wasm-playground/;
            include /home/penpot/penpot/docker/devenv/files/nginx-security-headers.conf;
            add_header Cache-Control "no-cache, max-age=0";
            autoindex on;
        }

        location /ws/notifications {
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_pass http://127.0.0.1:6060/ws/notifications;
        }

        location /storybook {
            alias /home/penpot/penpot/frontend/storybook-static/;
            autoindex on;
        }

        location / {
            location ~ ^/github/penpot-files/(.+)$ {
                rewrite ^/github/penpot-files/(.+) /penpot/penpot-files/refs/heads/main/$1 break;
                proxy_pass https://raw.githubusercontent.com;

                proxy_hide_header Access-Control-Allow-Origin;
                proxy_hide_header Cookies;
                proxy_set_header User-Agent "curl/8.5.0";
                proxy_set_header Host "raw.githubusercontent.com";
                proxy_set_header Accept "*/*";
                include /home/penpot/penpot/docker/devenv/files/nginx-security-headers.conf;
                add_header Access-Control-Allow-Origin $http_origin;
                proxy_buffering off;
            }

            location ~ ^/internal/gfonts/font/(?<font_file>.+) {
                proxy_pass https://fonts.gstatic.com/s/$font_file;

                proxy_hide_header Access-Control-Allow-Origin;
                proxy_hide_header Cross-Origin-Resource-Policy;
                proxy_hide_header Link;
                proxy_hide_header Alt-Svc;
                proxy_hide_header Cache-Control;
                proxy_hide_header Expires;
                proxy_hide_header Cross-Origin-Opener-Policy;
                proxy_hide_header Report-To;

                proxy_ignore_headers Set-Cookie Vary Cache-Control Expires;

                proxy_set_header User-Agent "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36";
                proxy_set_header Host "fonts.gstatic.com";
                proxy_set_header Accept "*/*";

                proxy_cache penpot;

                include /home/penpot/penpot/docker/devenv/files/nginx-security-headers.conf;
                add_header Access-Control-Allow-Origin $http_origin;
                add_header Cache-Control max-age=86400;
                add_header X-Cache-Status $upstream_cache_status;
            }

            location ~ ^/internal/gfonts/css {
                proxy_pass https://fonts.googleapis.com/css?$args;
                proxy_hide_header Access-Control-Allow-Origin;
                proxy_hide_header Cross-Origin-Resource-Policy;
                proxy_hide_header Link;
                proxy_hide_header Alt-Svc;
                proxy_hide_header Cache-Control;
                proxy_hide_header Expires;

                proxy_ignore_headers Set-Cookie Vary Cache-Control Expires;

                proxy_set_header User-Agent "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36";
                proxy_set_header Host "fonts.googleapis.com";
                proxy_set_header Accept "*/*";

                proxy_cache penpot;

                include /home/penpot/penpot/docker/devenv/files/nginx-security-headers.conf;
                add_header Access-Control-Allow-Origin $http_origin;
                add_header Cache-Control max-age=86400;
                add_header X-Cache-Status $upstream_cache_status;
            }

            location ~* \.(jpg|png|svg|ttf|woff|woff2|gif)$ {
                include /home/penpot/penpot/docker/devenv/files/nginx-security-headers.conf;
                add_header Cache-Control "public, max-age=604800" always; # 7 days
            }

            location ~* \.(js|css|wasm)$ {
                include /home/penpot/penpot/docker/devenv/files/nginx-security-headers.conf;
                add_header Cache-Control "no-store" always;
            }

            location ~ ^/[^/]+/(.*)$ {
                return 301 " /404";
            }

            include /home/penpot/penpot/docker/devenv/files/nginx-security-headers.conf;
            add_header Cache-Control "no-store" always;
            try_files $uri /index.html$is_args$args /index.html =404;
        }
    }
}