chore: add nginx deployment smoke test

Add the nginx deployment artifact from PLAN.md. The example config keeps upl behind nginx, sets client_max_body_size to 64 MiB, disables request buffering for chunk uploads, forwards standard proxy headers, and leaves explicit placeholders for TLS certificates and access control before public exposure. Add just nginx-smoke as a reusable Docker-based verification. The script starts upl with a temporary data directory, runs nginx as a reverse proxy, uploads a 17 MiB file through nginx, restarts the Rust backend mid-upload, confirms server progress survives the restart through the proxy, uploads the remaining chunk, completes the upload, and compares SHA-256 hashes. Document the production nginx shape, the local Docker smoke-test caveat, and the manual deployment retest scenario in TESTS.md. Test Plan: - bash -n scripts/nginx-smoke.sh - just check - just nginx-smoke Refs: PLAN.md milestone 9
2026-05-30 17:19:13 +02:00
parent 35cd0657bd
commit 858f4d949c
5 changed files with 225 additions and 0 deletions
@@ -0,0 +1,37 @@
+# Production shape for browser -> nginx -> upl -> local filesystem.
+#
+# Replace server_name, certificate paths, and access control before exposing
+# this app. Keep upl itself bound to 127.0.0.1.
+
+upstream upl_backend {
+    server 127.0.0.1:3000;
+    keepalive 16;
+}
+
+server {
+    listen 443 ssl http2;
+    server_name uploads.example.com;
+
+    ssl_certificate /etc/letsencrypt/live/uploads.example.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/uploads.example.com/privkey.pem;
+
+    client_max_body_size 64m;
+
+    # Add HTTP basic auth, an IP allowlist, VPN-only access, or another
+    # protection layer before exposing this personal upload tool publicly.
+    # auth_basic "upl";
+    # auth_basic_user_file /etc/nginx/upl.htpasswd;
+
+    location / {
+        proxy_pass http://upl_backend;
+        proxy_http_version 1.1;
+        proxy_request_buffering off;
+        proxy_buffering off;
+        proxy_read_timeout 3600s;
+        proxy_send_timeout 3600s;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto https;
+        proxy_set_header X-Real-IP $remote_addr;
+    }
+}