mvpg/configs/nginx.conf

# VPN Gateway Nginx Configuration
# Place in: /etc/nginx/sites-available/vpn-gateway

# Rate limiting zones
limit_req_zone $binary_remote_addr zone=vpn_general:10m rate=10r/s;
limit_req_zone $binary_remote_addr zone=vpn_api:10m rate=5r/s;
limit_conn_zone $binary_remote_addr zone=vpn_conn:10m;

# Upstream backend
upstream vpn_backend {
    server 127.0.0.1:5000 fail_timeout=10s;
    keepalive 32;
}

server {
    listen 80;
    listen [::]:80;
    server_name _;
    
    # Access and error logs
    access_log /var/log/nginx/vpn-gateway.access.log;
    error_log /var/log/nginx/vpn-gateway.error.log;
    
    # Security headers
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; font-src 'self' data:;" always;
    
    # Connection limits
    limit_conn vpn_conn 10;
    
    # Client body size (for config uploads)
    client_max_body_size 1M;
    client_body_buffer_size 128k;
    
    # Timeouts
    client_body_timeout 10s;
    client_header_timeout 10s;
    send_timeout 10s;
    
    # Root location - WebUI
    location / {
        limit_req zone=vpn_general burst=20 nodelay;
        
        proxy_pass http://vpn_backend;
        proxy_http_version 1.1;
        
        # Headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        
        # WebSocket support
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        
        # Timeouts for proxy
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;
        
        # Buffering
        proxy_buffering off;
        proxy_request_buffering off;
    }
    
    # API endpoints - stricter rate limiting
    location /api/ {
        limit_req zone=vpn_api burst=10 nodelay;
        limit_conn vpn_conn 5;
        
        proxy_pass http://vpn_backend;
        proxy_http_version 1.1;
        
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        
        # API specific timeouts
        proxy_connect_timeout 30s;
        proxy_send_timeout 30s;
        proxy_read_timeout 30s;
    }
    
    # Static files (if any)
    location /static/ {
        alias /opt/vpn-gateway/static/;
        expires 1h;
        add_header Cache-Control "public, immutable";
    }
    
    # Health check endpoint
    location /health {
        access_log off;
        add_header Content-Type text/plain;
        return 200 "healthy\n";
    }
    
    # Block sensitive paths
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }
    
    # Block access to backup files
    location ~ ~$ {
        deny all;
    }
}

# HTTPS configuration (optional - uncomment if using SSL)
# server {
#     listen 443 ssl http2;
#     listen [::]:443 ssl http2;
#     server_name vpn.yourdomain.com;
#     
#     ssl_certificate /etc/letsencrypt/live/vpn.yourdomain.com/fullchain.pem;
#     ssl_certificate_key /etc/letsencrypt/live/vpn.yourdomain.com/privkey.pem;
#     
#     # SSL configuration
#     ssl_protocols TLSv1.2 TLSv1.3;
#     ssl_ciphers HIGH:!aNULL:!MD5;
#     ssl_prefer_server_ciphers on;
#     ssl_session_cache shared:SSL:10m;
#     ssl_session_timeout 10m;
#     
#     # HSTS
#     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
#     
#     # Rest of configuration same as above...
# }
New branch 2025-08-10 15:34:34 +02:00			`# VPN Gateway Nginx Configuration`
			`# Place in: /etc/nginx/sites-available/vpn-gateway`

			`# Rate limiting zones`
			`limit_req_zone $binary_remote_addr zone=vpn_general:10m rate=10r/s;`
			`limit_req_zone $binary_remote_addr zone=vpn_api:10m rate=5r/s;`
			`limit_conn_zone $binary_remote_addr zone=vpn_conn:10m;`

			`# Upstream backend`
			`upstream vpn_backend {`
			`server 127.0.0.1:5000 fail_timeout=10s;`
			`keepalive 32;`
			`}`

			`server {`
			`listen 80;`
			`listen [::]:80;`
			`server_name _;`

			`# Access and error logs`
			`access_log /var/log/nginx/vpn-gateway.access.log;`
			`error_log /var/log/nginx/vpn-gateway.error.log;`

			`# Security headers`
			`add_header X-Frame-Options "SAMEORIGIN" always;`
			`add_header X-Content-Type-Options "nosniff" always;`
			`add_header X-XSS-Protection "1; mode=block" always;`
			`add_header Referrer-Policy "strict-origin-when-cross-origin" always;`
			`add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; font-src 'self' data:;" always;`

			`# Connection limits`
			`limit_conn vpn_conn 10;`

			`# Client body size (for config uploads)`
			`client_max_body_size 1M;`
			`client_body_buffer_size 128k;`

			`# Timeouts`
			`client_body_timeout 10s;`
			`client_header_timeout 10s;`
			`send_timeout 10s;`

			`# Root location - WebUI`
			`location / {`
			`limit_req zone=vpn_general burst=20 nodelay;`

			`proxy_pass http://vpn_backend;`
			`proxy_http_version 1.1;`

			`# Headers`
			`proxy_set_header Host $host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $scheme;`

			`# WebSocket support`
			`proxy_set_header Upgrade $http_upgrade;`
			`proxy_set_header Connection "upgrade";`

			`# Timeouts for proxy`
			`proxy_connect_timeout 60s;`
			`proxy_send_timeout 60s;`
			`proxy_read_timeout 60s;`

			`# Buffering`
			`proxy_buffering off;`
			`proxy_request_buffering off;`
			`}`

			`# API endpoints - stricter rate limiting`
			`location /api/ {`
			`limit_req zone=vpn_api burst=10 nodelay;`
			`limit_conn vpn_conn 5;`

			`proxy_pass http://vpn_backend;`
			`proxy_http_version 1.1;`

			`proxy_set_header Host $host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`

			`# API specific timeouts`
			`proxy_connect_timeout 30s;`
			`proxy_send_timeout 30s;`
			`proxy_read_timeout 30s;`
			`}`

			`# Static files (if any)`
			`location /static/ {`
			`alias /opt/vpn-gateway/static/;`
			`expires 1h;`
			`add_header Cache-Control "public, immutable";`
			`}`

			`# Health check endpoint`
			`location /health {`
			`access_log off;`
			`add_header Content-Type text/plain;`
			`return 200 "healthy\n";`
			`}`

			`# Block sensitive paths`
			`location ~ /\. {`
			`deny all;`
			`access_log off;`
			`log_not_found off;`
			`}`

			`# Block access to backup files`
			`location ~ ~$ {`
			`deny all;`
			`}`
			`}`

			`# HTTPS configuration (optional - uncomment if using SSL)`
			`# server {`
			`# listen 443 ssl http2;`
			`# listen [::]:443 ssl http2;`
			`# server_name vpn.yourdomain.com;`
			`#`
			`# ssl_certificate /etc/letsencrypt/live/vpn.yourdomain.com/fullchain.pem;`
			`# ssl_certificate_key /etc/letsencrypt/live/vpn.yourdomain.com/privkey.pem;`
			`#`
			`# # SSL configuration`
			`# ssl_protocols TLSv1.2 TLSv1.3;`
			`# ssl_ciphers HIGH:!aNULL:!MD5;`
			`# ssl_prefer_server_ciphers on;`
			`# ssl_session_cache shared:SSL:10m;`
			`# ssl_session_timeout 10m;`
			`#`
			`# # HSTS`
			`# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;`
			`#`
			`# # Rest of configuration same as above...`
			`# }`