server { listen 3448 ssl; server_name grajmedia.duckdns.org; ssl_certificate /etc/letsencrypt/live/grajmedia.duckdns.org/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/grajmedia.duckdns.org/privkey.pem; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; # ShopProQuote static files root /mnt/seagate8tb/Websites/ShopProQuote; index index.html; # PocketBase API reverse proxy (same origin = no CORS needed) location /api/ { proxy_pass http://127.0.0.1:8091; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_read_timeout 86400; } # PocketBase admin UI location /_/ { proxy_pass http://127.0.0.1:8091; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } # SPA fallback: all other paths → index.html location / { try_files $uri $uri/ /index.html; } # Static file caching location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff2?)$ { expires 1h; add_header Cache-Control "public, must-revalidate"; } client_max_body_size 50m; # DeepSeek AI proxy — token validation + key injection include /etc/nginx/snippets/spq-deepseek.conf; }