ai-video-fullstack/deploy/nginx/ai-video.dev.conf

# AI Video Assistant —— 本地/局域网开发用 nginx 反代(统一 TLS 入口)
#
# 作用:浏览器只跟 nginx(:443)打交道,一张 mkcert 证书统管;
#   前端(:3000)和后端(:8000)在后面照常跑明文,不用各自配证书。
#   前端页面与信令 ws 同源(同 host 同端口),没有混合内容/跨源问题。
#
# 用法:
#   1. ./deploy/setup-certs.sh           # mkcert 生成证书到 deploy/certs/
#   2. 启动前后端(docker compose → ui:3030;本地裸跑 → ui:3000;后端均 :8000)
#   3. nginx -c $(pwd)/deploy/nginx/ai-video.dev.conf -g 'daemon off;'
#   4. 浏览器访问 https://<本机IP 或 ai-video.local>
#
# 注意:证书路径下面写的是绝对路径,换机器/换目录时改 __CERT_DIR__ 两行即可。

worker_processes 1;
events { worker_connections 256; }

http {
    # mac/homebrew 的 nginx 默认 mime.types 路径;Linux 一般是 /etc/nginx/mime.types
    include       mime.types;
    default_type  application/octet-stream;
    sendfile      on;

    # 前端上游:优先本地裸跑的 :3000,连不上自动落到 docker ui 发布的 :3030
    upstream ui_upstream {
        server 127.0.0.1:3000;
        server 127.0.0.1:3030 backup;
    }

    # 80 → 全部跳 443
    server {
        listen 80;
        server_name _;
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl;
        server_name _;                     # catch-all:任何 host/IP 都匹配,LAN 调试省心

        # __CERT_DIR__ —— mkcert 生成的证书(setup-certs.sh 会放到这里)
        ssl_certificate     /Users/wangx/Code/AI-VideoAssistant-Project/ai-video/deploy/certs/ai-video.pem;
        ssl_certificate_key /Users/wangx/Code/AI-VideoAssistant-Project/ai-video/deploy/certs/ai-video-key.pem;

        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;

        # ---- 语音信令 / 裸音频流 ws:/ws/voice、/ws/stream ----
        # 关键:Upgrade/Connection 头让 ws 握手成功;长超时防止长连接被掐;关缓冲实时透传。
        location /ws/ {
            proxy_pass http://127.0.0.1:8000;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;

            proxy_read_timeout 3600s;       # 语音是长连接,默认 60s 会断
            proxy_send_timeout 3600s;
            proxy_buffering off;            # 流式音频不能攒着
        }

        # ---- 后端 HTTP 接口:/api/*(assistants/credentials/knowledge-bases)+ /health ----
        location /api/ {
            proxy_pass http://127.0.0.1:8000;
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
            client_max_body_size 50M;       # 知识库文件上传留余量
        }

        location /health {
            proxy_pass http://127.0.0.1:8000;
            proxy_set_header Host $host;
        }

        # ---- 前端 Next dev(其余全部)----
        # Upgrade 头是给 Next 热更新(HMR)的 ws 用的。
        location / {
            proxy_pass http://ui_upstream;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
        }
    }
}