spaces/nginx.conf

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    
    upstream api {
        server localhost:3000;
    }

    server {
        listen 80;
        server_name localhost;
        
        resolver 127.0.0.11 valid=30s;

        location /api {
            proxy_pass http://api;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        # Port forwarding - matches /8080/workspace, /3001/file.txt, etc.
        # Routes to localhost ports (e.g., /44831/workspace -> localhost:44831/44831/workspace)
        location ~ ^/(\d+)(/.*)?$ {
            set $port $1;
            set $fullpath $uri;
            set $target 127.0.0.1:$port;
            
            # Block access to internal ports
            if ($port ~ "^(2376|3000)$") {
                return 403;
            }
            
            proxy_pass http://$target$fullpath$is_args$args;
            proxy_set_header Host localhost:$port;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            
            # Pass through authentication headers for HTTP Basic Auth
            proxy_pass_header Authorization;
            proxy_set_header Authorization $http_authorization;
            
            # WebSocket support for development servers
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            
            # Additional headers for better compatibility
            proxy_set_header X-Forwarded-Host localhost:$port;
            proxy_set_header X-Forwarded-Server localhost;
            proxy_set_header X-Forwarded-Port $port;
            proxy_buffering off;
            
            # Handle authentication responses properly
            proxy_intercept_errors off;
        }
        
        # Port forwarding for KiCad - matches /kicad/space/8080, /kicad/space/3001, etc.
        # Routes to localhost ports using HTTPS (for KiCad containers)
        location ~ ^/kicad/space/(\d+)(/.*)?$ {
            set $port $1;
            set $path $2;
            set $target 127.0.0.1:$port;
            
            # Block access to internal ports
            if ($port ~ "^(2376|3000)$") {
                return 403;
            }
            
            proxy_pass https://$target$path$is_args$args;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            
            # Pass through authentication headers for HTTP Basic Auth
            proxy_pass_header Authorization;
            proxy_set_header Authorization $http_authorization;
            
            # WebSocket support for development servers
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $http_connection;
            
            # Additional headers for better compatibility
            proxy_buffering off;
            proxy_read_timeout 86400;
            
            # Handle authentication responses properly
            proxy_intercept_errors off;
            
            # SSL verification settings for self-signed certificates
            proxy_ssl_verify off;
            proxy_ssl_server_name off;
        }
        
        # Port forwarding - matches /space/8080, /space/3001, etc.
        # Routes to localhost ports (containers running in Docker-in-Docker)
        location ~ ^/space/(\d+)(/.*)?$ {
            set $port $1;
            set $path $2;
            set $target 127.0.0.1:$port;
            
            # Block access to internal ports
            if ($port ~ "^(2376|3000)$") {
                return 403;
            }
            
            proxy_pass http://$target$path$is_args$args;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            
            # Pass through authentication headers for HTTP Basic Auth
            proxy_pass_header Authorization;
            proxy_set_header Authorization $http_authorization;
            
            # WebSocket support for development servers
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $http_connection;
            
            # Additional headers for better compatibility
            proxy_buffering off;
            proxy_read_timeout 86400;
            
            # Handle authentication responses properly
            proxy_intercept_errors off;
        }

        # Godot web exports with SharedArrayBuffer support
        location /godot {
            alias /app/playground/godot;
            absolute_redirect off;
            add_header Cross-Origin-Opener-Policy same-origin;
            add_header Cross-Origin-Embedder-Policy require-corp;
            try_files $uri $uri/ =404;
        }

        # Serve static frontend files - must be last
        location / {
            root /app/client/dist;
            try_files $uri $uri/ /index.html;
        }

    }
}