New branch

configs/nginx.conf

@@ -0,0 +1,135 @@
+# VPN Gateway Nginx Configuration
+# Place in: /etc/nginx/sites-available/vpn-gateway
+
+# Rate limiting zones
+limit_req_zone $binary_remote_addr zone=vpn_general:10m rate=10r/s;
+limit_req_zone $binary_remote_addr zone=vpn_api:10m rate=5r/s;
+limit_conn_zone $binary_remote_addr zone=vpn_conn:10m;
+
+# Upstream backend
+upstream vpn_backend {
+    server 127.0.0.1:5000 fail_timeout=10s;
+    keepalive 32;
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name _;
+    
+    # Access and error logs
+    access_log /var/log/nginx/vpn-gateway.access.log;
+    error_log /var/log/nginx/vpn-gateway.error.log;
+    
+    # Security headers
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; font-src 'self' data:;" always;
+    
+    # Connection limits
+    limit_conn vpn_conn 10;
+    
+    # Client body size (for config uploads)
+    client_max_body_size 1M;
+    client_body_buffer_size 128k;
+    
+    # Timeouts
+    client_body_timeout 10s;
+    client_header_timeout 10s;
+    send_timeout 10s;
+    
+    # Root location - WebUI
+    location / {
+        limit_req zone=vpn_general burst=20 nodelay;
+        
+        proxy_pass http://vpn_backend;
+        proxy_http_version 1.1;
+        
+        # Headers
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        
+        # WebSocket support
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        
+        # Timeouts for proxy
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
+        
+        # Buffering
+        proxy_buffering off;
+        proxy_request_buffering off;
+    }
+    
+    # API endpoints - stricter rate limiting
+    location /api/ {
+        limit_req zone=vpn_api burst=10 nodelay;
+        limit_conn vpn_conn 5;
+        
+        proxy_pass http://vpn_backend;
+        proxy_http_version 1.1;
+        
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        
+        # API specific timeouts
+        proxy_connect_timeout 30s;
+        proxy_send_timeout 30s;
+        proxy_read_timeout 30s;
+    }
+    
+    # Static files (if any)
+    location /static/ {
+        alias /opt/vpn-gateway/static/;
+        expires 1h;
+        add_header Cache-Control "public, immutable";
+    }
+    
+    # Health check endpoint
+    location /health {
+        access_log off;
+        add_header Content-Type text/plain;
+        return 200 "healthy\n";
+    }
+    
+    # Block sensitive paths
+    location ~ /\. {
+        deny all;
+        access_log off;
+        log_not_found off;
+    }
+    
+    # Block access to backup files
+    location ~ ~$ {
+        deny all;
+    }
+}
+
+# HTTPS configuration (optional - uncomment if using SSL)
+# server {
+#     listen 443 ssl http2;
+#     listen [::]:443 ssl http2;
+#     server_name vpn.yourdomain.com;
+#     
+#     ssl_certificate /etc/letsencrypt/live/vpn.yourdomain.com/fullchain.pem;
+#     ssl_certificate_key /etc/letsencrypt/live/vpn.yourdomain.com/privkey.pem;
+#     
+#     # SSL configuration
+#     ssl_protocols TLSv1.2 TLSv1.3;
+#     ssl_ciphers HIGH:!aNULL:!MD5;
+#     ssl_prefer_server_ciphers on;
+#     ssl_session_cache shared:SSL:10m;
+#     ssl_session_timeout 10m;
+#     
+#     # HSTS
+#     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+#     
+#     # Rest of configuration same as above...
+# }