ragflow.https.conf

Overview

The ragflow.https.conf file is an Nginx configuration file designed to securely serve the Ragflow web application over HTTPS. It manages HTTP to HTTPS redirection, SSL termination, static asset caching, gzip compression, and reverse proxying API requests to the backend service. This file ensures that all client requests are served efficiently, securely, and reliably while enabling modern web features such as caching and compression.

Detailed Explanation

Server Blocks

The configuration consists of two server blocks:

1. HTTP Server Block (Port 80)

server {
    listen 80;
    server_name your-ragflow-domain.com;
    return 301 https://$host$request_uri;
}

• Purpose: Redirect all HTTP traffic to HTTPS.

• Key Directives:

  • listen 80; — Listens on port 80 for HTTP connections.

  • server_name your-ragflow-domain.com; — Matches requests for the specified domain.

  • return 301 https://$host$request_uri; — Issues a permanent redirect (HTTP 301) to the HTTPS version of the URL, preserving the host and request URI.

Usage: This block enforces secure connections by redirecting any HTTP requests to HTTPS.

2. HTTPS Server Block (Port 443)

server {
    listen 443 ssl;
    server_name your-ragflow-domain.com;

    ssl_certificate /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;

    root /ragflow/web/dist;

    gzip on;
    gzip_min_length 1k;
    gzip_comp_level 9;
    gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png;
    gzip_vary on;
    gzip_disable "MSIE [1-6]\.";

    location ~ ^/(v1|api) {
        proxy_pass http://ragflow:9380;
        include proxy.conf;
    }

    location / {
        index index.html;
        try_files $uri $uri/ /index.html;
    }

    location ~ ^/static/(css|js|media)/ {
        expires 10y;
        access_log off;
    }
}

Explanation of Directives:

• SSL Configuration

  • listen 443 ssl; — Listens on port 443 with SSL enabled.

  • ssl_certificate and ssl_certificate_key — Paths to SSL certificate and private key files for HTTPS encryption.

• Document Root

  • root /ragflow/web/dist; — Sets the root directory for serving static files (likely the built frontend).

• Gzip Compression

  • gzip on; — Enables gzip compression.

  • gzip_min_length 1k; — Compress responses larger than 1KB.

  • gzip_comp_level 9; — Sets maximum compression level.

  • gzip_types — Specifies MIME types to compress (e.g., JavaScript, CSS, images).

  • gzip_vary on; — Sets Vary: Accept-Encoding header to support caching proxies.

  • gzip_disable "MSIE [1-6]." — Disables gzip for old Internet Explorer versions with buggy compression support.

• Location Blocks

  1. API Proxying

     location ~ ^/(v1|api) {
         proxy_pass http://ragflow:9380;
         include proxy.conf;
     }
     

     • Matches requests starting with /v1 or /api (typical API endpoints).

     • Proxies these requests to the Ragflow backend service at http://ragflow:9380.

     • Includes additional proxy configuration via proxy.conf (not provided here but usually contains headers and timeout settings).

  2. Frontend Single Page Application (SPA) Handling

     location / {
         index index.html;
         try_files $uri $uri/ /index.html;
     }
     

     • Serves the frontend application.

     • index index.html; serves the index file by default.

     • try_files attempts to serve the requested URI, fallback to index.html for SPA routing (enables client-side routing).

  3. Static Assets Caching

     location ~ ^/static/(css|js|media)/ {
         expires 10y;
         access_log off;
     }
     

     • Matches static asset requests inside /static/css/, /static/js/, or /static/media/.

     • Sets a far-future expiration header (10 years) to leverage browser caching.

     • Disables access logging for these static files to reduce log noise.

Important Implementation Details

• HTTP to HTTPS Redirection: Ensures security by forcing encrypted connections.

• Reverse Proxy: Segregates frontend and backend concerns; frontend served by Nginx, backend API served by the Ragflow service container (ragflow:9380).

• SPA Fallback: try_files with fallback to index.html supports single-page applications where routing is handled client-side.

• Aggressive Caching: Static files are cached for a very long time to minimize bandwidth and improve load times.

• Gzip Compression: Optimizes bandwidth by compressing responses for supported MIME types.

• SSL Termination: Nginx handles SSL/TLS, offloading encryption from backend services.

Interaction with Other System Components

• Backend API Service: The file proxies API requests to the Ragflow backend running on the internal hostname ragflow at port 9380. This implies a Docker or containerized environment where ragflow is a service name resolvable by Nginx.

• Frontend Application: Serves the static frontend files from /ragflow/web/dist, likely a compiled build directory produced by a frontend framework (e.g., React, Vue, Angular).

• Proxy Configuration (proxy.conf): Additional proxy settings are included from an external file, which may specify headers, timeouts, or connection pooling parameters.

• SSL Certificates: The SSL certificate and key must be provisioned and renewed (e.g., via Let's Encrypt) at the specified paths.

Usage Examples

Deploying Ragflow with This Configuration

1. Place this configuration file under /etc/nginx/conf.d/ragflow.https.conf or include it in your main Nginx config.

2. Ensure SSL certificates are present at /etc/nginx/ssl/fullchain.pem and /etc/nginx/ssl/privkey.pem.

3. Make sure the Ragflow backend service is accessible at http://ragflow:9380.

4. Place the frontend build files in /ragflow/web/dist.

5. Reload or restart Nginx to apply changes:

   sudo nginx -t && sudo systemctl reload nginx
   

6. Access the application at https://your-ragflow-domain.com.

Mermaid Diagram: Flowchart of Request Handling

flowchart TD
    A[Client Request] -->|HTTP (port 80)| B[HTTP Server Block]
    B -->|301 Redirect| C[Client Redirect to HTTPS]
    A -->|HTTPS (port 443)| D[HTTPS Server Block]
    D --> E{Request URI}
    E -->|/^\/(v1|api)/| F[Proxy to Backend API (http://ragflow:9380)]
    E -->|/^\/static\/(css|js|media)/| G[Serve Static Files with 10y Cache]
    E -->|Other URIs| H[Serve Frontend Files]
    H --> I[try_files $uri $uri/ /index.html]

Explanation:

• Requests to port 80 are redirected to HTTPS.

• HTTPS requests are routed based on their URI:

  • API calls are proxied to backend.

  • Static assets served with long cache expiry.

  • All other requests serve the SPA frontend with fallback to index.html.

Summary

This Nginx configuration file is central to deploying the Ragflow web application securely and efficiently. It implements HTTPS enforcement, static asset optimization, SPA routing, and backend API proxying, integrating the frontend and backend seamlessly. The configuration is designed for production environments with security, performance, and maintainability in mind.