180 lines
5.8 KiB
Plaintext
180 lines
5.8 KiB
Plaintext
# Nginx Configuration Example for GNX Web Application
|
|
# This configuration shows how to set up nginx as a reverse proxy
|
|
# to secure the Django API backend
|
|
|
|
# API Key Configuration:
|
|
# - In DEBUG mode, Django will auto-generate a secure API key if not set
|
|
# - To get the current API key, run: python manage.py show_api_key
|
|
# - Add the key to your Django .env file as INTERNAL_API_KEY
|
|
# - Use the same key in this nginx config (see line 69)
|
|
# - In production, you MUST set INTERNAL_API_KEY explicitly in .env
|
|
|
|
upstream django_backend {
|
|
# Django backend running on internal network only
|
|
server 127.0.0.1:8000;
|
|
keepalive 32;
|
|
}
|
|
|
|
upstream nextjs_frontend {
|
|
# Next.js frontend
|
|
server 127.0.0.1:3000;
|
|
keepalive 32;
|
|
}
|
|
|
|
# Rate limiting zones
|
|
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;
|
|
limit_req_zone $binary_remote_addr zone=general_limit:10m rate=30r/s;
|
|
|
|
server {
|
|
listen 80;
|
|
server_name gnxsoft.com www.gnxsoft.com;
|
|
|
|
# Redirect HTTP to HTTPS
|
|
return 301 https://$server_name$request_uri;
|
|
}
|
|
|
|
server {
|
|
listen 443 ssl http2;
|
|
server_name gnxsoft.com www.gnxsoft.com;
|
|
|
|
# SSL Configuration
|
|
ssl_certificate /etc/letsencrypt/live/gnxsoft.com/fullchain.pem;
|
|
ssl_certificate_key /etc/letsencrypt/live/gnxsoft.com/privkey.pem;
|
|
ssl_protocols TLSv1.2 TLSv1.3;
|
|
ssl_ciphers HIGH:!aNULL:!MD5;
|
|
ssl_prefer_server_ciphers on;
|
|
ssl_session_cache shared:SSL:10m;
|
|
ssl_session_timeout 10m;
|
|
|
|
# Security Headers
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
|
add_header X-Frame-Options "DENY" always;
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
add_header X-XSS-Protection "1; mode=block" always;
|
|
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
|
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';" always;
|
|
|
|
# Logging
|
|
access_log /var/log/nginx/gnxsoft_access.log;
|
|
error_log /var/log/nginx/gnxsoft_error.log;
|
|
|
|
# Client body size limit
|
|
client_max_body_size 10M;
|
|
|
|
# API Endpoints - Proxy to Django backend
|
|
# These requests will have the X-Internal-API-Key header added
|
|
location /api/ {
|
|
# Rate limiting
|
|
limit_req zone=api_limit burst=20 nodelay;
|
|
|
|
# Add custom header to prove request came through nginx
|
|
# This value must match INTERNAL_API_KEY in Django settings
|
|
# Get the current key with: python manage.py show_api_key
|
|
# In development, Django auto-generates this key if not set
|
|
set $api_key "YOUR_SECURE_API_KEY_HERE";
|
|
proxy_set_header X-Internal-API-Key $api_key;
|
|
|
|
# Standard proxy headers
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header X-Forwarded-Host $host;
|
|
proxy_set_header X-Forwarded-Port $server_port;
|
|
|
|
# Preserve original request headers
|
|
proxy_set_header Origin $http_origin;
|
|
proxy_set_header Referer $http_referer;
|
|
|
|
# Proxy settings
|
|
proxy_pass http://django_backend;
|
|
proxy_redirect off;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Connection "";
|
|
|
|
# Timeouts
|
|
proxy_connect_timeout 60s;
|
|
proxy_send_timeout 60s;
|
|
proxy_read_timeout 60s;
|
|
|
|
# Buffering
|
|
proxy_buffering on;
|
|
proxy_buffer_size 4k;
|
|
proxy_buffers 8 4k;
|
|
proxy_busy_buffers_size 8k;
|
|
}
|
|
|
|
# Media files - Serve from Django
|
|
location /media/ {
|
|
alias /path/to/gnx/backEnd/media/;
|
|
expires 30d;
|
|
add_header Cache-Control "public, immutable";
|
|
access_log off;
|
|
}
|
|
|
|
# Static files - Serve from Django
|
|
location /static/ {
|
|
alias /path/to/gnx/backEnd/staticfiles/;
|
|
expires 30d;
|
|
add_header Cache-Control "public, immutable";
|
|
access_log off;
|
|
}
|
|
|
|
# Admin panel - Only allow from specific IPs (optional)
|
|
location /admin/ {
|
|
# Uncomment to restrict admin access
|
|
# allow 192.168.1.0/24;
|
|
# allow 10.0.0.0/8;
|
|
# deny all;
|
|
|
|
# Same proxy settings as /api/
|
|
# Use the same API key as /api/ location above
|
|
set $api_key "YOUR_SECURE_API_KEY_HERE";
|
|
proxy_set_header X-Internal-API-Key $api_key;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
|
|
proxy_pass http://django_backend;
|
|
proxy_redirect off;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Connection "";
|
|
}
|
|
|
|
# Frontend - Proxy to Next.js
|
|
location / {
|
|
# Rate limiting
|
|
limit_req zone=general_limit burst=50 nodelay;
|
|
|
|
# Proxy to Next.js frontend
|
|
proxy_pass http://nextjs_frontend;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection 'upgrade';
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_cache_bypass $http_upgrade;
|
|
|
|
# Timeouts
|
|
proxy_connect_timeout 60s;
|
|
proxy_send_timeout 60s;
|
|
proxy_read_timeout 60s;
|
|
}
|
|
|
|
# Health check endpoint (optional)
|
|
location /health {
|
|
access_log off;
|
|
return 200 "healthy\n";
|
|
add_header Content-Type text/plain;
|
|
}
|
|
}
|
|
|
|
# Block direct access to backend port 8000 from external IPs
|
|
# This should be done at the firewall level:
|
|
# ufw deny 8000
|
|
# iptables -A INPUT -p tcp --dport 8000 ! -s 127.0.0.1 -j DROP
|
|
|