Test: reconfig of nginx deployment

mauritzs · Mar 27, 2025 · 326379a · 326379a
1 parent 09f6770
commit 326379a
Show file tree

Hide file tree

Showing 3 changed files with 122 additions and 15 deletions.
diff --git a/.github/workflows/update_primary_nginx.yml b/.github/workflows/update_primary_nginx.yml
@@ -43,32 +43,52 @@ jobs:
           echo "PROD_PORT_PREFIX=$PROD_PORT_PREFIX" >> $GITHUB_ENV
           echo "GATEWAY_POSTFIX=$GATEWAY_POSTFIX" >> $GITHUB_ENV
 
-      - name: Backup existing configuration
+      - name: Backup existing configurations
         run: |
           if [ -f /etc/nginx/conf.d/nginx.conf ]; then
             sudo cp /etc/nginx/conf.d/nginx.conf /etc/nginx/conf.d/nginx.conf.backup
-            echo "Created backup of existing configuration"
+            echo "Created backup of existing nginx.conf"
           fi
+          if [ -f /etc/nginx/nginx.conf ]; then
+            sudo cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.backup
+            echo "Created backup of existing main nginx.conf"
+          fi
+
+      - name: Generate server nginx configuration
+        run: |
+          if [ ! -f nginx.conf ]; then
+            echo "Server nginx configuration template not found"
+            exit 1
+          fi
+          envsubst '${DEV_PORT_PREFIX} ${PROD_PORT_PREFIX} ${STAG_PORT_PREFIX} ${GATEWAY_POSTFIX}' < nginx.conf > ./nginx_securefit.conf
 
-      - name: Replace environment variables in Nginx config
+      - name: Generate Docker nginx configuration
         run: |
-          if [ ! -f nginx_template.txt ]; then
-            echo "Nginx template file not found"
+          if [ ! -f nginx/nginx.conf ]; then
+            echo "Docker nginx configuration template not found"
             exit 1
           fi
-          envsubst '${DEV_PORT_PREFIX} ${PROD_PORT_PREFIX} ${STAG_PORT_PREFIX} ${GATEWAY_POSTFIX}' < nginx_template.txt > ./nginx_securefit.conf
+          cp nginx/nginx.conf ./nginx_docker.conf
 
-      - name: Validate new configuration
+      - name: Validate configurations
         run: |
           if ! sudo nginx -t -c ./nginx_securefit.conf; then
-            echo "New nginx configuration is invalid"
+            echo "Server nginx configuration is invalid"
+            exit 1
+          fi
+          if ! sudo nginx -t -c ./nginx_docker.conf; then
+            echo "Docker nginx configuration is invalid"
             exit 1
           fi
 
-      - name: Copy configuration to nginx
+      - name: Copy configurations to nginx
         run: |
           sudo cp ./nginx_securefit.conf /etc/nginx/conf.d/nginx.conf || {
-            echo "Failed to copy new configuration"
+            echo "Failed to copy server configuration"
+            exit 1
+          }
+          sudo cp ./nginx_docker.conf /etc/nginx/conf.d/nginx_docker.conf || {
+            echo "Failed to copy Docker configuration"
             exit 1
           }
 

diff --git a/nginx.conf b/nginx.conf
@@ -1,33 +1,72 @@
+# Security headers
+add_header X-Frame-Options "SAMEORIGIN" always;
+add_header X-XSS-Protection "1; mode=block" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header Referrer-Policy "no-referrer-when-downgrade" always;
+add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
+
+# Rate limiting
+limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
+
 server {
         listen 80;
+        server_name _;
+
+        # Rate limiting
+        limit_req zone=one burst=10 nodelay;
 
         location / {
-                proxy_pass http://0.0.0.0:23/;
+                proxy_pass http://127.0.0.1:23/;
                 proxy_set_header Host $http_host;
                 proxy_set_header X-Real-IP $remote_addr;
                 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                 proxy_set_header X-Forwarded-Proto $scheme;
+
+                # Timeouts
+                proxy_connect_timeout 60s;
+                proxy_send_timeout 60s;
+                proxy_read_timeout 60s;
         }
 }
 
 server {
         listen 217;
+        server_name _;
+
+        # Rate limiting
+        limit_req zone=one burst=10 nodelay;
+
         location / {
-                proxy_pass http://0.0.0.0:21/;
+                proxy_pass http://127.0.0.1:21/;
                 proxy_set_header Host $http_host;
                 proxy_set_header X-Real-IP $remote_addr;
                 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                 proxy_set_header X-Forwarded-Proto $scheme;
+
+                # Timeouts
+                proxy_connect_timeout 60s;
+                proxy_send_timeout 60s;
+                proxy_read_timeout 60s;
         }
 }
 
 server {
         listen 227;
+        server_name _;
+
+        # Rate limiting
+        limit_req zone=one burst=10 nodelay;
+
         location / {
-                proxy_pass http://0.0.0.0:22/;
+                proxy_pass http://127.0.0.1:22/;
                 proxy_set_header Host $http_host;
                 proxy_set_header X-Real-IP $remote_addr;
                 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                 proxy_set_header X-Forwarded-Proto $scheme;
+
+                # Timeouts
+                proxy_connect_timeout 60s;
+                proxy_send_timeout 60s;
+                proxy_read_timeout 60s;
         }
 }
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
@@ -1,16 +1,44 @@
 user              nginx;
-worker_processes  1;
+worker_processes  auto;
 error_log         /var/log/nginx/error.log warn;
 pid               /var/run/nginx.pid;
 
-
 events {
     worker_connections 1024;
 }
 
 http {
+    # Basic Settings
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+    keepalive_timeout 65;
+    types_hash_max_size 2048;
+    server_tokens off;
+
+    # Security headers
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header Referrer-Policy "no-referrer-when-downgrade" always;
+    add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
+
+    # Rate limiting
+    limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
+
+    # MIME Types
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    # Logging
+    access_log /var/log/nginx/access.log combined buffer=512k flush=1m;
+
     server {
         listen 80;
+        server_name _;
+
+        # Rate limiting
+        limit_req zone=one burst=10 nodelay;
 
         # Route to frontend
         location / {
@@ -19,6 +47,11 @@ http {
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header X-Forwarded-Proto $scheme;
+
+            # Timeouts
+            proxy_connect_timeout 60s;
+            proxy_send_timeout 60s;
+            proxy_read_timeout 60s;
         }
 
         # Route to backend
@@ -28,6 +61,11 @@ http {
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header X-Forwarded-Proto $scheme;
+
+            # Timeouts
+            proxy_connect_timeout 60s;
+            proxy_send_timeout 60s;
+            proxy_read_timeout 60s;
         }
 
         location /admin/ {
@@ -36,6 +74,11 @@ http {
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header X-Forwarded-Proto $scheme;
+
+            # Timeouts
+            proxy_connect_timeout 60s;
+            proxy_send_timeout 60s;
+            proxy_read_timeout 60s;
         }
 
         location /static/admin/ {
@@ -44,6 +87,11 @@ http {
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header X-Forwarded-Proto $scheme;
+
+            # Timeouts
+            proxy_connect_timeout 60s;
+            proxy_send_timeout 60s;
+            proxy_read_timeout 60s;
         }
     }
 }