diff --git a/features/conversation-assistant/nginx/conversations.nasty.sh.conf b/features/conversation-assistant/nginx/conversations.nasty.sh.conf
index 58960b20b..308c921b0 100644
--- a/features/conversation-assistant/nginx/conversations.nasty.sh.conf
+++ b/features/conversation-assistant/nginx/conversations.nasty.sh.conf
@@ -16,7 +16,7 @@ limit_req_zone $binary_remote_addr zone=conversations_chat:10m rate=10r/m;
 # Upstream definitions
 upstream conversation_server {
- server 127.0.0.1:3100 max_fails=3 fail_timeout=30s;
+ server 127.0.0.1:3105 max_fails=3 fail_timeout=30s;
 }
 upstream conversation_frontend {
@@ -72,10 +72,11 @@ server {
 add_header X-XSS-Protection "1; mode=block" always;
 add_header Referrer-Policy "strict-origin-when-cross-origin" always;
- # VPN-Only Access Control
- # VPN-Only Access (Wireguard)
+ # Access Control
+ # VPN (Wireguard) + trusted devices
 allow 10.8.0.0/24;
 allow 10.9.0.0/24;
+ allow 67.188.49.157; # Plum MacBook (Natalie's home)
 deny all;
 # Logging
@@ -98,8 +99,29 @@ server {
 }
 # =============================================================================
- # API Routes (with rate limiting)
+ # API Routes
 # =============================================================================
+
+ # Sync endpoints - no rate limiting for bulk data transfer
+ location /api/sync {
+ # No rate limiting for sync - VPN-only access provides security
+ client_max_body_size 0;
+
+ proxy_pass http://conversation_server;
+ proxy_http_version 1.1;
+
+ # Headers
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ # Longer timeouts for large syncs
+ proxy_connect_timeout 60s;
+ proxy_send_timeout 300s;
+ proxy_read_timeout 300s;
+ }
+
 location /api/chat {
 # Stricter rate limiting for chat endpoints
 limit_req zone=conversations_chat burst=5 nodelay;
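Review bot: The added `allow 67.188.49.157;` in the second hunk puts a single public address into an allowlist that until now held only the two WireGuard ranges, so source IP alone, with no tunnel, now grants access to this server block. A home address is commonly reassigned by the ISP and is shared by every device behind that router, so the exception can silently outlive or outgrow the laptop it was meant for. Prefer having the device join the VPN and dropping the line; if it has to stay, mark it as a tracked exception, e.g. `allow 67.188.49.157; # TEMP non-VPN exception, owner <name>, remove by <date>`, and confirm the upstream authenticates requests itself. The server block starts and ends outside the hunk, so any auth directives elsewhere in it are not visible here.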
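Review bot: The justification `# No rate limiting for sync - VPN-only access provides security` in the new `location /api/sync` block (third hunk) no longer holds, because this same commit admits a non-VPN address in the access-control block, and `client_max_body_size 0;` removes the request-body limit for every allowed client. A bounded value sized to the largest legitimate sync, e.g. `client_max_body_size <largest expected sync>;`, together with a dedicated high-rate `limit_req_zone` for sync, keeps bulk transfers working while capping what one misconfigured or compromised client can push at the upstream. The comment should then state the actual limits rather than rely on network position. Separately, `location /api/sync` is a prefix match, so any path that merely begins with that string inherits the relaxed settings; `location /api/sync/` or an exact-match block would be tighter if the routes allow it.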