From 326379ac3e69ee32e7d03ce0c3464e8e41d42aae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mauritz=20Skog=C3=B8y?=
Date: Thu, 27 Mar 2025 16:22:14 +0100
Subject: [PATCH] Test: reconfig of nginx deployment

---
 .github/workflows/update_primary_nginx.yml | 40 ++++++++++++-----
 nginx.conf | 45 +++++++++++++++++--
 nginx/nginx.conf | 52 +++++++++++++++++++++-
 3 files changed, 122 insertions(+), 15 deletions(-)

diff --git a/.github/workflows/update_primary_nginx.yml b/.github/workflows/update_primary_nginx.yml
index 71dddd5..9a4b964 100644
--- a/.github/workflows/update_primary_nginx.yml
+++ b/.github/workflows/update_primary_nginx.yml
@@ -43,32 +43,52 @@ jobs:
 echo "PROD_PORT_PREFIX=$PROD_PORT_PREFIX" >> $GITHUB_ENV
 echo "GATEWAY_POSTFIX=$GATEWAY_POSTFIX" >> $GITHUB_ENV
- - name: Backup existing configuration
+ - name: Backup existing configurations
 run: |
 if [ -f /etc/nginx/conf.d/nginx.conf ]; then
 sudo cp /etc/nginx/conf.d/nginx.conf /etc/nginx/conf.d/nginx.conf.backup
- echo "Created backup of existing configuration"
+ echo "Created backup of existing nginx.conf"
 fi
+ if [ -f /etc/nginx/nginx.conf ]; then
+ sudo cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.backup
+ echo "Created backup of existing main nginx.conf"
+ fi
+
+ - name: Generate server nginx configuration
+ run: |
+ if [ ! -f nginx.conf ]; then
+ echo "Server nginx configuration template not found"
+ exit 1
+ fi
+ envsubst '${DEV_PORT_PREFIX} ${PROD_PORT_PREFIX} ${STAG_PORT_PREFIX} ${GATEWAY_POSTFIX}' < nginx.conf > ./nginx_securefit.conf
- - name: Replace environment variables in Nginx config
+ - name: Generate Docker nginx configuration
 run: |
- if [ ! -f nginx_template.txt ]; then
- echo "Nginx template file not found"
+ if [ ! -f nginx/nginx.conf ]; then
+ echo "Docker nginx configuration template not found"
 exit 1
 fi
- envsubst '${DEV_PORT_PREFIX} ${PROD_PORT_PREFIX} ${STAG_PORT_PREFIX} ${GATEWAY_POSTFIX}' < nginx_template.txt > ./nginx_securefit.conf
+ cp nginx/nginx.conf ./nginx_docker.conf
- - name: Validate new configuration
+ - name: Validate configurations
 run: |
 if ! sudo nginx -t -c ./nginx_securefit.conf; then
- echo "New nginx configuration is invalid"
+ echo "Server nginx configuration is invalid"
+ exit 1
+ fi
+ if ! sudo nginx -t -c ./nginx_docker.conf; then
+ echo "Docker nginx configuration is invalid"
 exit 1
 fi
- - name: Copy configuration to nginx
+ - name: Copy configurations to nginx
 run: |
 sudo cp ./nginx_securefit.conf /etc/nginx/conf.d/nginx.conf || {
- echo "Failed to copy new configuration"
+ echo "Failed to copy server configuration"
+ exit 1
+ }
+ sudo cp ./nginx_docker.conf /etc/nginx/conf.d/nginx_docker.conf || {
+ echo "Failed to copy Docker configuration"
 exit 1
 }
diff --git a/nginx.conf b/nginx.conf
index 2c23b85..1bd9b7f 100644
--- a/nginx.conf
+++ b/nginx.conf
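Review bot: The new copy step installs `./nginx_docker.conf` — a complete main config that declares `user`, `pid`, `events {}` and `http {}` — as `/etc/nginx/conf.d/nginx_docker.conf`; on a stock package layout conf.d/*.conf is included inside the host's `http {}` block, where those directives are not allowed and where its `limit_req_zone ... zone=one` and `listen 80` default server duplicate the ones already in `nginx_securefit.conf`, so the host config would stop loading. The Docker config belongs in the container image rather than on the host, so I would drop that second `sudo cp` (or at least not target conf.d). The validation step also checks each file in isolation with `nginx -t -c`, which treats the server fragment as a main config (its top-level `server` and `add_header` directives are not valid there) and never checks the composed result; after the copies add `if ! sudo nginx -t; then sudo cp /etc/nginx/conf.d/nginx.conf.backup /etc/nginx/conf.d/nginx.conf; exit 1; fi` so a bad fragment is rolled back instead of left in place. Whatever reloads nginx afterwards, if anything, is outside this hunk.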
@@ -1,33 +1,72 @@
+# Security headers
+add_header X-Frame-Options "SAMEORIGIN" always;
+add_header X-XSS-Protection "1; mode=block" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header Referrer-Policy "no-referrer-when-downgrade" always;
+add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
+
+# Rate limiting
+limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
+
 server {
 listen 80;
+ server_name _;
+
+ # Rate limiting
+ limit_req zone=one burst=10 nodelay;
 location / {
- proxy_pass http://0.0.0.0:23/;
+ proxy_pass http://127.0.0.1:23/;
 proxy_set_header Host $http_host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
+
+ # Timeouts
+ proxy_connect_timeout 60s;
+ proxy_send_timeout 60s;
+ proxy_read_timeout 60s;
 }
 }
 server {
 listen 217;
+ server_name _;
+
+ # Rate limiting
+ limit_req zone=one burst=10 nodelay;
+
 location / {
- proxy_pass http://0.0.0.0:21/;
+ proxy_pass http://127.0.0.1:21/;
 proxy_set_header Host $http_host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
+
+ # Timeouts
+ proxy_connect_timeout 60s;
+ proxy_send_timeout 60s;
+ proxy_read_timeout 60s;
 }
 }
 server {
 listen 227;
+ server_name _;
+
+ # Rate limiting
+ limit_req zone=one burst=10 nodelay;
+
 location / {
- proxy_pass http://0.0.0.0:22/;
+ proxy_pass http://127.0.0.1:22/;
 proxy_set_header Host $http_host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
+
+ # Timeouts
+ proxy_connect_timeout 60s;
+ proxy_send_timeout 60s;
+ proxy_read_timeout 60s;
 }
 }
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index 131034d..84328c1 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
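Review bot: The added `Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'"` allows script from any http/https origin plus inline script, so it constrains essentially nothing an injected script would need while reading like a hardening control; either enumerate the origins the fronted apps actually load from or mark it `# NOTE: permissive baseline CSP, tighten before relying on it`. `X-XSS-Protection` is a legacy header that most current browsers ignore and can be dropped. Separately, the workflow runs `envsubst '${DEV_PORT_PREFIX} ${PROD_PORT_PREFIX} ${STAG_PORT_PREFIX} ${GATEWAY_POSTFIX}'` over this file, yet no `${...}` reference appears anywhere in the hunk, which covers the whole file, so the literal upstream ports 21, 22 and 23 are what gets deployed — if those were meant to be substituted, the template variables are missing.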
@@ -1,16 +1,44 @@
 user nginx;
-worker_processes 1;
+worker_processes auto;
 error_log /var/log/nginx/error.log warn;
 pid /var/run/nginx.pid;
-
 events {
 worker_connections 1024;
 }
 http {
+ # Basic Settings
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+ server_tokens off;
+
+ # Security headers
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header Referrer-Policy "no-referrer-when-downgrade" always;
+ add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
+
+ # Rate limiting
+ limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
+
+ # MIME Types
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ # Logging
+ access_log /var/log/nginx/access.log combined buffer=512k flush=1m;
+
 server {
 listen 80;
+ server_name _;
+
+ # Rate limiting
+ limit_req zone=one burst=10 nodelay;
 # Route to frontend
 location / {
@@ -19,6 +47,11 @@ http {
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
+
+ # Timeouts
+ proxy_connect_timeout 60s;
+ proxy_send_timeout 60s;
+ proxy_read_timeout 60s;
 }
 # Route to backend
@@ -28,6 +61,11 @@ http {
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
+
+ # Timeouts
+ proxy_connect_timeout 60s;
+ proxy_send_timeout 60s;
+ proxy_read_timeout 60s;
 }
 location /admin/ {
@@ -36,6 +74,11 @@ http {
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
+
+ # Timeouts
+ proxy_connect_timeout 60s;
+ proxy_send_timeout 60s;
+ proxy_read_timeout 60s;
 }
 location /static/admin/ {
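Review bot: The added `limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s` keys the limit on the TCP peer address, but if this instance runs behind the host nginx in `nginx.conf` (which proxies to 127.0.0.1 and forwards the client in `X-Real-IP`), every client arrives from the same proxy address and the whole site shares a single 1r/s bucket with `burst=10`. Either drop the inner limit, since the host layer already applies the same one, or restore the client address before the zone is evaluated with `set_real_ip_from <HOST_PROXY_ADDR_AS_SEEN_BY_CONTAINER>;` and `real_ip_header X-Real-IP;` in `http {}`, where the placeholder is the address the host proxy has from inside the container. Also worth a comment on `access_log ... buffer=512k flush=1m`: buffered logging can hold lines back for up to a minute, which matters if anything tails that file for alerting.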
@@ -44,6 +87,11 @@ http {
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
+
+ # Timeouts
+ proxy_connect_timeout 60s;
+ proxy_send_timeout 60s;
+ proxy_read_timeout 60s;
 }
 }
 }
\ No newline at end of file
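Review bot: The `proxy_connect_timeout`/`proxy_send_timeout`/`proxy_read_timeout 60s` triplet added here is repeated verbatim in the hunks at -19, -28 and -36 of this file and in every server of `nginx.conf`; 60s is nginx's default for all three, so as written they change nothing, and they are inherited from the enclosing `server {}` or `http {}` context, so a single copy at `http {}` level with a comment such as `# upstream timeouts (nginx default is 60s); override per location only where a backend needs more` keeps one place to tune instead of seven. The file also still ends without a trailing newline (`\ No newline at end of file`), which is worth fixing while the file is being touched.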