135 lines
3.8 KiB
Nginx Configuration File
135 lines
3.8 KiB
Nginx Configuration File
# VPN Gateway Nginx Configuration
|
|
# Place in: /etc/nginx/sites-available/vpn-gateway
|
|
|
|
# Rate limiting zones
|
|
limit_req_zone $binary_remote_addr zone=vpn_general:10m rate=10r/s;
|
|
limit_req_zone $binary_remote_addr zone=vpn_api:10m rate=5r/s;
|
|
limit_conn_zone $binary_remote_addr zone=vpn_conn:10m;
|
|
|
|
# Upstream backend
|
|
upstream vpn_backend {
|
|
server 127.0.0.1:5000 fail_timeout=10s;
|
|
keepalive 32;
|
|
}
|
|
|
|
server {
|
|
listen 80;
|
|
listen [::]:80;
|
|
server_name _;
|
|
|
|
# Access and error logs
|
|
access_log /var/log/nginx/vpn-gateway.access.log;
|
|
error_log /var/log/nginx/vpn-gateway.error.log;
|
|
|
|
# Security headers
|
|
add_header X-Frame-Options "SAMEORIGIN" always;
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
add_header X-XSS-Protection "1; mode=block" always;
|
|
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
|
add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; font-src 'self' data:;" always;
|
|
|
|
# Connection limits
|
|
limit_conn vpn_conn 10;
|
|
|
|
# Client body size (for config uploads)
|
|
client_max_body_size 1M;
|
|
client_body_buffer_size 128k;
|
|
|
|
# Timeouts
|
|
client_body_timeout 10s;
|
|
client_header_timeout 10s;
|
|
send_timeout 10s;
|
|
|
|
# Root location - WebUI
|
|
location / {
|
|
limit_req zone=vpn_general burst=20 nodelay;
|
|
|
|
proxy_pass http://vpn_backend;
|
|
proxy_http_version 1.1;
|
|
|
|
# Headers
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
|
|
# WebSocket support
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
|
|
# Timeouts for proxy
|
|
proxy_connect_timeout 60s;
|
|
proxy_send_timeout 60s;
|
|
proxy_read_timeout 60s;
|
|
|
|
# Buffering
|
|
proxy_buffering off;
|
|
proxy_request_buffering off;
|
|
}
|
|
|
|
# API endpoints - stricter rate limiting
|
|
location /api/ {
|
|
limit_req zone=vpn_api burst=10 nodelay;
|
|
limit_conn vpn_conn 5;
|
|
|
|
proxy_pass http://vpn_backend;
|
|
proxy_http_version 1.1;
|
|
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
|
# API specific timeouts
|
|
proxy_connect_timeout 30s;
|
|
proxy_send_timeout 30s;
|
|
proxy_read_timeout 30s;
|
|
}
|
|
|
|
# Static files (if any)
|
|
location /static/ {
|
|
alias /opt/vpn-gateway/static/;
|
|
expires 1h;
|
|
add_header Cache-Control "public, immutable";
|
|
}
|
|
|
|
# Health check endpoint
|
|
location /health {
|
|
access_log off;
|
|
add_header Content-Type text/plain;
|
|
return 200 "healthy\n";
|
|
}
|
|
|
|
# Block sensitive paths
|
|
location ~ /\. {
|
|
deny all;
|
|
access_log off;
|
|
log_not_found off;
|
|
}
|
|
|
|
# Block access to backup files
|
|
location ~ ~$ {
|
|
deny all;
|
|
}
|
|
}
|
|
|
|
# HTTPS configuration (optional - uncomment if using SSL)
|
|
# server {
|
|
# listen 443 ssl http2;
|
|
# listen [::]:443 ssl http2;
|
|
# server_name vpn.yourdomain.com;
|
|
#
|
|
# ssl_certificate /etc/letsencrypt/live/vpn.yourdomain.com/fullchain.pem;
|
|
# ssl_certificate_key /etc/letsencrypt/live/vpn.yourdomain.com/privkey.pem;
|
|
#
|
|
# # SSL configuration
|
|
# ssl_protocols TLSv1.2 TLSv1.3;
|
|
# ssl_ciphers HIGH:!aNULL:!MD5;
|
|
# ssl_prefer_server_ciphers on;
|
|
# ssl_session_cache shared:SSL:10m;
|
|
# ssl_session_timeout 10m;
|
|
#
|
|
# # HSTS
|
|
# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
|
#
|
|
# # Rest of configuration same as above...
|
|
# }
|