226 lines
7.1 KiB
Nginx Configuration File
226 lines
7.1 KiB
Nginx Configuration File
# Nginx Configuration for Moyos Wedding App
|
|
#
|
|
# This configuration provides:
|
|
# - TLS/SSL termination with Let's Encrypt
|
|
# - Load balancing across PM2 instances
|
|
# - Rate limiting
|
|
# - Security headers
|
|
# - Gzip compression
|
|
# - Static file caching
|
|
# - WebSocket support for real-time features
|
|
#
|
|
# Installation:
|
|
# 1. Copy to /etc/nginx/sites-available/moyos-wedding-app
|
|
# 2. Create symlink: ln -s /etc/nginx/sites-available/moyos-wedding-app /etc/nginx/sites-enabled/
|
|
# 3. Replace 'your-domain.com' with your actual domain
|
|
# 4. Test: nginx -t
|
|
# 5. Reload: systemctl reload nginx
|
|
#
|
|
# SSL Certificate:
|
|
# certbot --nginx -d your-domain.com -d www.your-domain.com
|
|
|
|
# Rate limiting zones
|
|
limit_req_zone $binary_remote_addr zone=api:10m rate=100r/m;
|
|
limit_req_zone $binary_remote_addr zone=general:10m rate=200r/m;
|
|
limit_req_zone $binary_remote_addr zone=upload:10m rate=10r/m;
|
|
|
|
# Upstream for load balancing across PM2 instances
|
|
upstream app {
|
|
least_conn;
|
|
server 127.0.0.1:3000;
|
|
server 127.0.0.1:3001;
|
|
keepalive 32;
|
|
}
|
|
|
|
# HTTP to HTTPS redirect
|
|
server {
|
|
listen 80;
|
|
listen [::]:80;
|
|
server_name your-domain.com www.your-domain.com;
|
|
|
|
# Let's Encrypt challenge
|
|
location /.well-known/acme-challenge/ {
|
|
root /var/www/certbot;
|
|
}
|
|
|
|
# Redirect all other traffic to HTTPS
|
|
location / {
|
|
return 301 https://$server_name$request_uri;
|
|
}
|
|
}
|
|
|
|
# HTTPS server
|
|
server {
|
|
listen 443 ssl http2;
|
|
listen [::]:443 ssl http2;
|
|
server_name your-domain.com www.your-domain.com;
|
|
|
|
# SSL configuration
|
|
ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem;
|
|
ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem;
|
|
ssl_protocols TLSv1.2 TLSv1.3;
|
|
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA256';
|
|
ssl_prefer_server_ciphers on;
|
|
ssl_session_cache shared:SSL:10m;
|
|
ssl_session_timeout 10m;
|
|
ssl_session_tickets off;
|
|
|
|
# OCSP stapling
|
|
ssl_stapling on;
|
|
ssl_stapling_verify on;
|
|
ssl_trusted_certificate /etc/letsencrypt/live/your-domain.com/chain.pem;
|
|
resolver 8.8.8.8 8.8.4.4 valid=300s;
|
|
resolver_timeout 5s;
|
|
|
|
# Security headers
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
|
add_header X-Frame-Options "DENY" always;
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
add_header X-XSS-Protection "1; mode=block" always;
|
|
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
|
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https:; connect-src 'self' https://*.supabase.co wss://*.supabase.co;" always;
|
|
|
|
# Gzip compression
|
|
gzip on;
|
|
gzip_vary on;
|
|
gzip_min_length 1024;
|
|
gzip_proxied any;
|
|
gzip_comp_level 6;
|
|
gzip_types
|
|
text/plain
|
|
text/css
|
|
text/xml
|
|
text/javascript
|
|
application/json
|
|
application/javascript
|
|
application/xml+rss
|
|
application/rss+xml
|
|
font/truetype
|
|
font/opentype
|
|
application/vnd.ms-fontobject
|
|
image/svg+xml;
|
|
|
|
# Client body size limit (for file uploads)
|
|
client_max_body_size 10M;
|
|
client_body_buffer_size 128k;
|
|
client_body_timeout 60s;
|
|
client_header_timeout 60s;
|
|
|
|
# Timeouts
|
|
proxy_connect_timeout 75s;
|
|
proxy_send_timeout 300s;
|
|
proxy_read_timeout 300s;
|
|
send_timeout 300s;
|
|
|
|
# API routes with rate limiting
|
|
location /api/ {
|
|
limit_req zone=api burst=20 nodelay;
|
|
limit_req_status 429;
|
|
|
|
proxy_pass http://app;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection 'upgrade';
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header X-Forwarded-Host $host;
|
|
proxy_cache_bypass $http_upgrade;
|
|
|
|
# Buffering
|
|
proxy_buffering on;
|
|
proxy_buffer_size 4k;
|
|
proxy_buffers 8 4k;
|
|
proxy_busy_buffers_size 8k;
|
|
}
|
|
|
|
# File upload endpoints with stricter rate limiting
|
|
location ~ ^/api/(gallery|upload) {
|
|
limit_req zone=upload burst=5 nodelay;
|
|
limit_req_status 429;
|
|
|
|
proxy_pass http://app;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_read_timeout 300s;
|
|
proxy_connect_timeout 75s;
|
|
}
|
|
|
|
# WebSocket support for real-time features
|
|
location /api/realtime {
|
|
proxy_pass http://app;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_read_timeout 86400s;
|
|
proxy_send_timeout 86400s;
|
|
}
|
|
|
|
# Static files caching (Next.js build output)
|
|
location /_next/static {
|
|
proxy_pass http://app;
|
|
proxy_cache_valid 200 365d;
|
|
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
|
|
proxy_cache_background_update on;
|
|
add_header Cache-Control "public, immutable, max-age=31536000";
|
|
access_log off;
|
|
}
|
|
|
|
# Public static files
|
|
location /uploads {
|
|
proxy_pass http://app;
|
|
proxy_cache_valid 200 7d;
|
|
add_header Cache-Control "public, max-age=604800";
|
|
access_log off;
|
|
}
|
|
|
|
# Health check endpoint (no rate limiting, no logging)
|
|
location /api/health {
|
|
access_log off;
|
|
proxy_pass http://app;
|
|
proxy_set_header Host $host;
|
|
}
|
|
|
|
# Metrics endpoint (restricted access recommended)
|
|
location /api/metrics {
|
|
# Optional: Restrict to internal IPs
|
|
# allow 10.0.0.0/8;
|
|
# deny all;
|
|
|
|
access_log off;
|
|
proxy_pass http://app;
|
|
proxy_set_header Host $host;
|
|
}
|
|
|
|
# All other routes
|
|
location / {
|
|
limit_req zone=general burst=50 nodelay;
|
|
|
|
proxy_pass http://app;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection 'upgrade';
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header X-Forwarded-Host $host;
|
|
proxy_cache_bypass $http_upgrade;
|
|
}
|
|
|
|
# Deny access to hidden files
|
|
location ~ /\. {
|
|
deny all;
|
|
access_log off;
|
|
log_not_found off;
|
|
}
|
|
}
|