joh/customer-presentation
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
customer-presentation/deploy/nginx.conf
Arlind Ukshini 1c395c349b Initial commit: project-bifrost auth + timeline
2026-04-22 14:39:16 +02:00

84 lines
3.3 KiB
Nginx Configuration File
Raw Blame History

# ─────────────────────────────────────────────────────────────
# Nginx config for project-bifrost.fenja.ai
#
# Install to: /etc/nginx/sites-available/project-bifrost
# Symlink: sudo ln -sf /etc/nginx/sites-available/project-bifrost \
# /etc/nginx/sites-enabled/project-bifrost
# Test: sudo nginx -t
# Reload: sudo systemctl reload nginx
#
# Assumes certbot has already created /etc/letsencrypt/live/project-bifrost.fenja.ai/
# ─────────────────────────────────────────────────────────────
# Rate-limiting zones — put these in the http {} block of /etc/nginx/nginx.conf
# (or in an /etc/nginx/conf.d/*.conf file). They MUST live at http{} scope,
# not in server{}, so they're shared across workers.
#
# limit_req_zone $binary_remote_addr zone=auth_limit:10m rate=10r/m;
#
# If you've already added it, skip it. If not, either paste that one line
# into /etc/nginx/nginx.conf inside http{}, or drop a file at
# /etc/nginx/conf.d/rate-limits.conf containing just that line.
server {
listen 80;
listen [::]:80;
server_name project-bifrost.fenja.ai;
# Let certbot's renewals reach .well-known/acme-challenge on port 80
location /.well-known/acme-challenge/ {
root /var/www/html;
}
# Everything else goes to HTTPS
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name project-bifrost.fenja.ai;
ssl_certificate /etc/letsencrypt/live/project-bifrost.fenja.ai/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/project-bifrost.fenja.ai/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
# ─── Security headers ───
# HSTS — after you're confident the cert-and-redirect loop is solid.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# Limit body size — we only accept small JSON posts
client_max_body_size 32k;
# Don't leak Nginx version
server_tokens off;
# ─── Extra protection for auth endpoints ───
# Bursts of 10 with a strict 10r/m base rate. Prevents someone from
# script-hammering the verify endpoint.
location /auth/ {
limit_req zone=auth_limit burst=10 nodelay;
proxy_pass http://127.0.0.1:3000;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 20s;
}
# ─── Everything else → Node ───
location / {
proxy_pass http://127.0.0.1:3000;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 30s;
}
}
Reference in a new issue View git blame Copy permalink