
Commit dca1a2d

committed
cc
1 parent 77475f3 commit dca1a2d

1 file changed

Lines changed: 78 additions & 29 deletions


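--- a/nginx/config/prod.conf
+++ b/nginx/config/prod.conf
@@ -1,55 +1,104 @@
+# ===============================
+# DEFAULT DENY HTTP & HTTPS
+# ===============================
 server {
-listen 443 ssl; # remove deprecated 'http2' in listen
-server_name monitoring.coldemailgenrator.online;
+listen 80 default_server;
+server_name _;
+return 444;
+}
+server {
+listen 443 ssl default_server;
+server_name _;
+ssl_reject_handshake on;
+}
+# ===============================
+# HTTP → HTTPS
+# ===============================
+server {
+listen 80;
+server_name coldemailgenrator.online www.coldemailgenrator.online;
+return 301 https://$host$request_uri;
+}
+# ===============================
+# PUBLIC ACCESS (FRONTEND)
+# ===============================
+
+upstream frontend_upstream {
+server frontend:8501; # service name + internal port
+}
+server {
+listen 443 ssl http2;
+server_name coldemailgenrator.online www.coldemailgenrator.online;
 
 ssl_certificate /etc/letsencrypt/live/coldemailgenrator.online/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/coldemailgenrator.online/privkey.pem;
 
-##
-## TRUSTED PROXIES (allow X-Forwarded-For)
-##
-set_real_ip_from 127.0.0.1; # localhost
-set_real_ip_from 172.16.100.0/27; # VPN subnet
-set_real_ip_from 172.17.0.0/16; # Docker bridge
-# add any other internal proxy/public IP ranges here
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers HIGH:!aNULL:!MD5;
+
+# ===============================
+# SECURITY HEADERS
+# ===============================
+add_header X-Frame-Options "DENY" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
+
+location / {
+proxy_pass http://frontend_upstream;
+
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection "upgrade";
+
+proxy_buffering off;
+}
+}
 
-real_ip_header X-Forwarded-For;
-real_ip_recursive on;
+# ===============================
+# HTTP → HTTPS (MONITORING)
+# ===============================
+server {
+listen 80;
+server_name monitoring.coldemailgenrator.online;
+return 301 https://$host$request_uri;
+}
+# ===============================
+# PRIVATE VPN MONITORING (IP ONLY)
+# ===============================
+server {
+listen 443 ssl http2;
+server_name monitoring.coldemailgenrator.online;
 
-##
-## ACCESS CONTROL
-##
+ssl_certificate /etc/letsencrypt/live/coldemailgenrator.online/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/coldemailgenrator.online/privkey.pem;
+
+# VPN ONLY
 allow 172.16.100.0/27;
-allow 172.17.0.0/16; # optional, internal Docker
+allow 172.17.0.0/16; # Docker bridge subnet
 deny all;
 
-##
-## PROMETHEUS
-##
 location /monitoring/prometheus/ {
 proxy_pass http://prometheus:9090;
 proxy_set_header Host $host;
-proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto https;
 proxy_set_header X-Forwarded-Prefix /monitoring/prometheus;
 proxy_redirect off;
 }
 
-##
-## GRAFANA
-##
 location /monitoring/grafana/ {
 proxy_pass http://grafana:3000;
 proxy_set_header Host $host;
-proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto https;
 proxy_set_header X-Forwarded-Prefix /monitoring/grafana;
 proxy_redirect off;
 }
-
-##
-## OPTIONAL: Debug Logging for IPs
-##
-log_format vpn_full_ips '$remote_addr - $http_x_forwarded_for [$time_local] "$request" $status';
-access_log /var/log/nginx/vpn_access.log vpn_full_ips;
 }
+
+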
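Review bot: The public and monitoring servers at new lines 30 and 76 reintroduce `listen 443 ssl http2;`, the exact form the removed line's comment (`# remove deprecated 'http2' in listen`) had just dropped; since nginx 1.25.1 the `http2` listen parameter is deprecated in favour of a separate directive, so `listen 443 ssl;` followed by `http2 on;` in each of those two server blocks keeps the intent without the deprecation warning. The default-deny 443 server at new line 10 omits `http2` altogether, so the three listeners on the same port are declared inconsistently, and because the listen-level parameter is per socket rather than per server, `http2 on;` also states the behaviour more honestly. With `set_real_ip_from` and `real_ip_header` removed, the `allow`/`deny` list in the monitoring server now evaluates the TCP peer address, which is what a default-deny edge wants; however, if this nginx runs as a container with its ports published through Docker's userland proxy, external connections can appear to come from the bridge gateway, in which case `allow 172.17.0.0/16` at new line 84 would admit them, so it is worth checking `$remote_addr` in the access log from outside the VPN before relying on it. The monitoring server also sets none of the `add_header` security headers the frontend server does (HSTS in particular), even though the apex domain's `includeSubDomains; preload` policy is intended to cover it.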