updates

backEnd/nginx.conf.example

@@ -0,0 +1,173 @@
+# Nginx Configuration Example for GNX Web Application
+# This configuration shows how to set up nginx as a reverse proxy
+# to secure the Django API backend
+
+# Generate a secure API key for INTERNAL_API_KEY:
+# python -c "import secrets; print(secrets.token_urlsafe(32))"
+# Add this key to your Django .env file as INTERNAL_API_KEY
+
+upstream django_backend {
+    # Django backend running on internal network only
+    server 127.0.0.1:8000;
+    keepalive 32;
+}
+
+upstream nextjs_frontend {
+    # Next.js frontend
+    server 127.0.0.1:3000;
+    keepalive 32;
+}
+
+# Rate limiting zones
+limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;
+limit_req_zone $binary_remote_addr zone=general_limit:10m rate=30r/s;
+
+server {
+    listen 80;
+    server_name gnxsoft.com www.gnxsoft.com;
+    
+    # Redirect HTTP to HTTPS
+    return 301 https://$server_name$request_uri;
+}
+
+server {
+    listen 443 ssl http2;
+    server_name gnxsoft.com www.gnxsoft.com;
+
+    # SSL Configuration
+    ssl_certificate /etc/letsencrypt/live/gnxsoft.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/gnxsoft.com/privkey.pem;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers HIGH:!aNULL:!MD5;
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 10m;
+
+    # Security Headers
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+    add_header X-Frame-Options "DENY" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';" always;
+
+    # Logging
+    access_log /var/log/nginx/gnxsoft_access.log;
+    error_log /var/log/nginx/gnxsoft_error.log;
+
+    # Client body size limit
+    client_max_body_size 10M;
+
+    # API Endpoints - Proxy to Django backend
+    # These requests will have the X-Internal-API-Key header added
+    location /api/ {
+        # Rate limiting
+        limit_req zone=api_limit burst=20 nodelay;
+        
+        # Add custom header to prove request came through nginx
+        # This value must match INTERNAL_API_KEY in Django settings
+        set $api_key "YOUR_SECURE_API_KEY_HERE";
+        proxy_set_header X-Internal-API-Key $api_key;
+        
+        # Standard proxy headers
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Port $server_port;
+        
+        # Preserve original request headers
+        proxy_set_header Origin $http_origin;
+        proxy_set_header Referer $http_referer;
+        
+        # Proxy settings
+        proxy_pass http://django_backend;
+        proxy_redirect off;
+        proxy_http_version 1.1;
+        proxy_set_header Connection "";
+        
+        # Timeouts
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
+        
+        # Buffering
+        proxy_buffering on;
+        proxy_buffer_size 4k;
+        proxy_buffers 8 4k;
+        proxy_busy_buffers_size 8k;
+    }
+
+    # Media files - Serve from Django
+    location /media/ {
+        alias /path/to/gnx/backEnd/media/;
+        expires 30d;
+        add_header Cache-Control "public, immutable";
+        access_log off;
+    }
+
+    # Static files - Serve from Django
+    location /static/ {
+        alias /path/to/gnx/backEnd/staticfiles/;
+        expires 30d;
+        add_header Cache-Control "public, immutable";
+        access_log off;
+    }
+
+    # Admin panel - Only allow from specific IPs (optional)
+    location /admin/ {
+        # Uncomment to restrict admin access
+        # allow 192.168.1.0/24;
+        # allow 10.0.0.0/8;
+        # deny all;
+        
+        # Same proxy settings as /api/
+        set $api_key "YOUR_SECURE_API_KEY_HERE";
+        proxy_set_header X-Internal-API-Key $api_key;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        
+        proxy_pass http://django_backend;
+        proxy_redirect off;
+        proxy_http_version 1.1;
+        proxy_set_header Connection "";
+    }
+
+    # Frontend - Proxy to Next.js
+    location / {
+        # Rate limiting
+        limit_req zone=general_limit burst=50 nodelay;
+        
+        # Proxy to Next.js frontend
+        proxy_pass http://nextjs_frontend;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_cache_bypass $http_upgrade;
+        
+        # Timeouts
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
+    }
+
+    # Health check endpoint (optional)
+    location /health {
+        access_log off;
+        return 200 "healthy\n";
+        add_header Content-Type text/plain;
+    }
+}
+
+# Block direct access to backend port 8000 from external IPs
+# This should be done at the firewall level:
+# ufw deny 8000
+# iptables -A INPUT -p tcp --dport 8000 ! -s 127.0.0.1 -j DROP
+