# Public (WAN) vhost for newsfeed, fronted by the oolon edge proxy. # # Provision the Let's Encrypt cert for rob.fyi (architecture external-tls.md — certbot, # Cloudflare DNS-01, ECDSA) BEFORE enabling this vhost: `nginx -t` fails on a missing # ssl_certificate, so only symlink this into sites-enabled once the cert exists # (reverse-proxies.md §4). # # Mesh clients cannot use this name (the public-name hairpin gotcha, reverse-proxies.md # §2) — they use newsfeed.internal instead. Both vhosts share the /var/www/newsfeed # webroot and the newsfeed_api upstream defined in newsfeed.internal.conf. server { listen 443 ssl; listen [::]:443 ssl; http2 on; server_name rob.fyi; ssl_certificate /etc/letsencrypt/live/rob.fyi/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/rob.fyi/privkey.pem; # Classical curves for WAN clients that don't speak post-quantum yet (generic.md §11). ssl_protocols TLSv1.2 TLSv1.3; root /var/www/newsfeed; index index.html; location /v1/ { proxy_pass http://newsfeed_api; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } location = /health { proxy_pass http://newsfeed_api; } location / { try_files $uri $uri/ /index.html; } location /assets/ { expires 1y; add_header Cache-Control "public, immutable"; try_files $uri =404; } }