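# Ginxsom Blossom Server Configuration
#
# nginx serves blobs straight from disk for maximum performance and hands
# every authenticated or stateful operation (upload, list, mirror, delete,
# metadata lookup, health) to the ginxsom FastCGI application.
#
# Review notes on this revision:
#   * Regexes containing "{n}" quantifiers are quoted. Unquoted, nginx reads
#     the "{" as the start of a block and the configuration fails to parse.
#   * There is a single location for /<sha256>. The original declared the
#     same regex twice; nginx uses the first matching regex location, so the
#     DELETE handler in the second one was unreachable (and it placed
#     fastcgi_param inside "if", where that directive is not permitted).
#   * add_header is inherited from the server level only when a location
#     declares no add_header of its own, so the blob location repeats the
#     security headers instead of silently dropping them.

server {
    # NOTE(review): plain HTTP only. Upload, mirror and delete carry
    # authorization material; terminate TLS here or in front of this server
    # before exposing it beyond localhost.
    listen 80;
    server_name localhost;  # Change this to your domain

    # Root directory for blossom files (organized by SHA-256 hash)
    root /var/lib/ginxsom/files;

    # Maximum upload size (adjust as needed)
    client_max_body_size 100M;

    # Security headers (apply to every location without its own add_header)
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options DENY;
    add_header X-XSS-Protection "1; mode=block";

    # Logging
    access_log /var/log/nginx/ginxsom_access.log;
    error_log /var/log/nginx/ginxsom_error.log;

    # Blob endpoint: /<64 lowercase hex chars>
    #   GET/HEAD -> static file, served directly by nginx
    #   DELETE   -> FastCGI application (requires authentication)
    # Files are stored as: /var/lib/ginxsom/files/{first2chars}/{remaining_hash}
    # The named captures split the hash once, so no "if" is needed to derive
    # the on-disk path, and they stay available in @blob_delete.
    location ~ "^/(?<blob_prefix>[a-f0-9]{2})(?<blob_suffix>[a-f0-9]{62})$" {
        # Route DELETE to the FastCGI handler. "return" is the one directive
        # that is reliably safe inside "if"; 418 is used purely as an internal
        # signal that error_page turns into a jump to the named location
        # (URI and request method are left unchanged by that jump).
        error_page 418 = @blob_delete;
        if ($request_method = DELETE) {
            return 418;
        }

        try_files /$blob_prefix/$blob_suffix =404;

        # Stored blobs have no file extension, so force a single, inert
        # Content-Type. (add_header Content-Type would emit a second
        # Content-Type header next to the one nginx already generates.)
        # This will be enhanced when metadata lookup is added.
        types { }
        default_type application/octet-stream;

        # Blobs are uploaded by users: keep sniffing and framing disabled on
        # these responses. Repeated here because the Cache-Control header
        # below would otherwise cancel inheritance of the server-level ones.
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options DENY;
        add_header X-XSS-Protection "1; mode=block";

        # Content-addressed files never change, so cache them aggressively.
        add_header Cache-Control "public, max-age=31536000, immutable";
    }

    # Delete handler - requires authentication (enforced by the application).
    # Named locations are internal only; reached via error_page above.
    location @blob_delete {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root/ginxsom.fcgi;
        fastcgi_param BLOSSOM_HASH $blob_prefix$blob_suffix;
        fastcgi_pass unix:/run/ginxsom/ginxsom.sock;
    }

    # HEAD requests for file existence checking
    # This endpoint checks if a file exists and returns metadata
    location ~ "^/head/([a-f0-9]{64})$" {
        # Pass to FastCGI application for metadata lookup
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root/ginxsom.fcgi;
        # NOTE(review): the stock fastcgi_params file normally sets
        # REQUEST_METHOD as well, in which case the application receives the
        # parameter twice - confirm which value it honours.
        fastcgi_param REQUEST_METHOD HEAD;
        fastcgi_param BLOSSOM_HASH $1;
        fastcgi_pass unix:/run/ginxsom/ginxsom.sock;
    }

    # Upload endpoint - requires authentication
    location /upload {
        # Only allow PUT method for uploads
        if ($request_method != PUT) {
            return 405;
        }

        # Pass to FastCGI application for processing
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root/ginxsom.fcgi;
        fastcgi_pass unix:/run/ginxsom/ginxsom.sock;
    }

    # List endpoint - returns list of files (if enabled)
    location /list {
        # Only allow GET method
        if ($request_method != GET) {
            return 405;
        }

        # Pass to FastCGI application
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root/ginxsom.fcgi;
        fastcgi_pass unix:/run/ginxsom/ginxsom.sock;
    }

    # Mirror endpoint - for mirroring files from other servers
    # NOTE(review): the application fetches from a caller-supplied location
    # here; make sure it authenticates the request and restricts which
    # destinations it will contact.
    location /mirror {
        # Only allow PUT method
        if ($request_method != PUT) {
            return 405;
        }

        # Pass to FastCGI application
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root/ginxsom.fcgi;
        fastcgi_pass unix:/run/ginxsom/ginxsom.sock;
    }

    # Health check endpoint
    location /health {
        # Pass to FastCGI application
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root/ginxsom.fcgi;
        fastcgi_pass unix:/run/ginxsom/ginxsom.sock;
        access_log off;
    }

    # Deny access to hidden files and directories
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Deny access to backup and temporary files
    location ~ ~$ {
        deny all;
        access_log off;
        log_not_found off;
    }
}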