Update nginx.conf

2026-03-21 11:01:39 +07:00
parent bb3d2c27dd
commit 0544ac9cbe
1 changed files with 18 additions and 21 deletions
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -32,23 +32,16 @@ http {
    client_max_body_size 50m;
    gzip off;

+    # --- DNS resolver (Google + Cloudflare, re-resolve every 30s) ---
+    resolver 8.8.8.8 1.1.1.1 valid=30s ipv6=off;
+    resolver_timeout 5s;
+
    # --- IP allowlist (generated at container start) ---
    include /etc/nginx/conf.d/allowlist.conf;

    # --- Token auth ---
    include /etc/nginx/conf.d/auth.conf;

-    # --- Upstreams with keepalive ---
-    upstream elevenlabs_backend {
-        server api.elevenlabs.io:443;
-        keepalive 32;
-    }
-
-    upstream openai_backend {
-        server api.openai.com:443;
-        keepalive 32;
-    }
-
    server {
        listen 8080;
        server_name _;
@@ -70,21 +63,25 @@ http {
                return 403 '{"error":"invalid_token"}';
            }

+            # Variable forces runtime DNS resolution (not cached at startup)
+            set $elevenlabs_upstream https://api.elevenlabs.io;
+
            # Strip /elevenlabs/ prefix and proxy
            rewrite ^/elevenlabs/(.*) /$1 break;

-            proxy_pass https://elevenlabs_backend;
+            proxy_pass $elevenlabs_upstream;
            proxy_ssl_server_name on;
            proxy_ssl_name api.elevenlabs.io;
+            proxy_ssl_protocols TLSv1.2 TLSv1.3;

-            # Pass original Host header for SNI
+            # Host header must match upstream for Cloudflare
            proxy_set_header Host api.elevenlabs.io;
-            proxy_set_header X-Real-IP $remote_addr;
-            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-            proxy_set_header X-Forwarded-Proto $scheme;
+
+            # Pass through original headers (User-Agent, Accept, etc.)
+            # Do NOT set X-Real-IP or X-Forwarded-For — Cloudflare uses them for bot detection
            proxy_set_header Connection "";

-            # Do NOT forward proxy token to upstream
+            # Remove proxy token before forwarding to upstream
            proxy_set_header X-Proxy-Token "";

            # HTTP/1.1 for keepalive
@@ -106,16 +103,16 @@ http {
                return 403 '{"error":"invalid_token"}';
            }

+            set $openai_upstream https://api.openai.com;
+
            rewrite ^/openai/(.*) /$1 break;

-            proxy_pass https://openai_backend;
+            proxy_pass $openai_upstream;
            proxy_ssl_server_name on;
            proxy_ssl_name api.openai.com;
+            proxy_ssl_protocols TLSv1.2 TLSv1.3;

            proxy_set_header Host api.openai.com;
-            proxy_set_header X-Real-IP $remote_addr;
-            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Connection "";
            proxy_set_header X-Proxy-Token "";