cc

deep-div · deep-div · commit dca1a2df9a0f · 2025-12-26T20:10:31.000+05:30
diff --git a/nginx/config/prod.conf b/nginx/config/prod.conf
@@ -1,55 +1,104 @@
+# ===============================
+# DEFAULT DENY HTTP & HTTPS
+# ===============================
 server {
-    listen 443 ssl;  # remove deprecated 'http2' in listen
-    server_name monitoring.coldemailgenrator.online;
+    listen 80 default_server;
+    server_name _;
+    return 444;
+}
+server {
+    listen 443 ssl default_server;
+    server_name _;
+    ssl_reject_handshake on;
+}
+# ===============================
+# HTTP → HTTPS
+# ===============================
+server {
+    listen 80;
+    server_name coldemailgenrator.online www.coldemailgenrator.online;
+    return 301 https://$host$request_uri;
+}
+# ===============================
+# PUBLIC ACCESS (FRONTEND)
+# ===============================
+
+upstream frontend_upstream {
+    server frontend:8501;  # service name + internal port
+}
+server {
+    listen 443 ssl http2;
+    server_name coldemailgenrator.online www.coldemailgenrator.online;
 
     ssl_certificate /etc/letsencrypt/live/coldemailgenrator.online/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/coldemailgenrator.online/privkey.pem;
 
-    ##
-    ## TRUSTED PROXIES (allow X-Forwarded-For)
-    ##
-    set_real_ip_from 127.0.0.1;        # localhost
-    set_real_ip_from 172.16.100.0/27;  # VPN subnet
-    set_real_ip_from 172.17.0.0/16;    # Docker bridge
-    # add any other internal proxy/public IP ranges here
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers HIGH:!aNULL:!MD5;
+    
+    # ===============================
+    # SECURITY HEADERS
+    # ===============================
+    add_header X-Frame-Options "DENY" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+    add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
+
+    location / {
+        proxy_pass http://frontend_upstream;
+
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+
+        proxy_buffering off;
+    }
+}
 
-    real_ip_header X-Forwarded-For;
-    real_ip_recursive on;
+# ===============================
+# HTTP → HTTPS (MONITORING)
+# ===============================
+server {
+    listen 80;
+    server_name monitoring.coldemailgenrator.online;
+    return 301 https://$host$request_uri;
+}
+# ===============================
+# PRIVATE VPN MONITORING (IP ONLY)
+# ===============================
+server {
+    listen 443 ssl http2;
+    server_name monitoring.coldemailgenrator.online;
 
-    ##
-    ## ACCESS CONTROL
-    ##
+    ssl_certificate /etc/letsencrypt/live/coldemailgenrator.online/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/coldemailgenrator.online/privkey.pem;
+
+    # VPN ONLY
     allow 172.16.100.0/27;
-    allow 172.17.0.0/16;   # optional, internal Docker
+    allow 172.17.0.0/16;  # Docker bridge subnet
     deny all;
 
-    ##
-    ## PROMETHEUS
-    ##
     location /monitoring/prometheus/ {
         proxy_pass http://prometheus:9090;
         proxy_set_header Host $host;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto https;
         proxy_set_header X-Forwarded-Prefix /monitoring/prometheus;
         proxy_redirect off;
     }
 
-    ##
-    ## GRAFANA
-    ##
     location /monitoring/grafana/ {
         proxy_pass http://grafana:3000;
         proxy_set_header Host $host;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto https;
         proxy_set_header X-Forwarded-Prefix /monitoring/grafana;
         proxy_redirect off;
     }
-
-    ##
-    ## OPTIONAL: Debug Logging for IPs
-    ##
-    log_format vpn_full_ips '$remote_addr - $http_x_forwarded_for [$time_local] "$request" $status';
-    access_log /var/log/nginx/vpn_access.log vpn_full_ips;
 }
+
+
