# NPMplus custom Nginx configuration

**Purpose:** Reference for editing proxy hosts in NPMplus when adding security headers or custom directives.

**Important:** Adding `location '/'` in custom config **overwrites** the proxy; use headers only or a custom `'/'` location as needed.

---

## Proxy details as Nginx variables

In **Custom Nginx Configuration** for a proxy host, these variables are available:

| Variable | Meaning |
|----------|--------|
| `$server` | Backend domain or IP (e.g. `192.168.11.140`) |
| `$port` | Backend port (e.g. `80`) |
| `$forward_scheme` | Scheme to backend: `http` or `https` |
| `$forward_path` | Optional path forwarded to backend |

Use them if you need to reference the proxy target in custom blocks.

---

## Safe custom config (headers only)

To add **security headers** (including CSP with `'unsafe-eval'` for ethers.js v5) **without** replacing the proxy, paste the following in **Custom Nginx Configuration**. Do **not** add a `location '/'` block here, or it will overwrite the proxy to the backend.

```nginx
# Security Headers (unsafe-eval for ethers.js v5)
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https: data:; style-src 'self' 'unsafe-inline' https: data:; font-src 'self' https: data:; img-src 'self' data: https: blob:; connect-src 'self' https: wss: ws:; media-src 'self' https: data:; object-src 'none'; base-uri 'self'; form-action 'self' https:; frame-ancestors 'none'; upgrade-insecure-requests" always;
```

These directives apply in the context where NPMplus injects them (typically the proxy location). If your NPMplus version supports **more_set_headers** (from the headers-more module), you can use that instead of `add_header` for more control.

---

## Caveats (from NPMplus)

- **Adding `location '/'`** in custom config **overwrites** the proxy configuration for that host. The request will no longer be forwarded to `$server:$port`.
- If you need directives **inside** the `'/'` location, create a **custom location** for `'/'` in the UI (e.g. “Custom locations” → add location path `/`) instead of putting `location / { ... }` in the custom Nginx snippet.
- For **headers only**, prefer the snippet above (or **more_set_headers** if available); no `location` block is needed.

---

## Example use

- **Explorer (explorer.d-bis.org):** Proxy target `http://192.168.11.140:80`. Pasting the security-headers block above into “Custom Nginx Configuration” adds CSP and other headers without changing the proxy. Backend (VMID 5000) still serves the custom frontend and APIs.
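
A small pre-paste linter for the caveats and header snippet above, added here as an illustration (it is not part of NPMplus or of the original page): it flags a root `location` block in a custom snippet, `add_header` lines without `always`, `'unsafe-inline'` / `'unsafe-eval'` in `script-src`, and an `X-Frame-Options` value that disagrees with `frame-ancestors`. The function names, finding codes and the `SAMPLE` text are assumptions made for the example.

```python
import re

# Matches `location /`, `location '/'`, `location "/"` and `location = /`.
LOCATION_ROOT = re.compile(r"""^\s*location\s+(?:=\s*)?(['"]?)/\1\s*\{""", re.M)
ADD_HEADER = re.compile(r'^\s*add_header\s+(\S+)\s+"([^"]*)"([^;]*);', re.M)

def parse_csp(value):
    """Split a CSP value into {directive: [sources]}; first occurrence wins."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def lint_snippet(snippet):
    """Return a sorted list of finding codes for a custom-config snippet."""
    text = re.sub(r"^\s*#.*$", "", snippet, flags=re.M)  # drop comment lines
    findings = set()
    if LOCATION_ROOT.search(text):
        findings.add("location-root-overwrites-proxy")
    headers = {}
    for name, value, flags in ADD_HEADER.findall(text):
        headers[name.lower()] = value
        if "always" not in flags.split():  # header would be skipped on error responses
            findings.add("missing-always:" + name)
    csp = parse_csp(headers.get("content-security-policy", ""))
    for token in ("'unsafe-inline'", "'unsafe-eval'"):
        if token in csp.get("script-src", []):
            findings.add("script-src-allows:" + token)
    xfo = headers.get("x-frame-options", "").upper()
    ancestors = csp.get("frame-ancestors")
    expected = {"DENY": ["'none'"], "SAMEORIGIN": ["'self'"]}.get(xfo)
    if ancestors is not None and expected is not None and ancestors != expected:
        findings.add("frame-policy-mismatch")
    return sorted(findings)

# Constructed sample: headers from the page (CSP shortened) plus a root location block.
SAMPLE = """
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https: data:; frame-ancestors 'none'" always;
add_header X-Content-Type-Options "nosniff";
location '/' {
    return 204;
}
"""
if __name__ == "__main__":
    print("\n".join(lint_snippet(SAMPLE)))
```

Run against the page's own header snippet, it reports the two `script-src` relaxations and `frame-policy-mismatch`: `X-Frame-Options "SAMEORIGIN"` and `frame-ancestors 'none'` disagree, and browsers that support `frame-ancestors` enforce it in preference to `X-Frame-Options`.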