diff --git a/nginx/default.conf b/nginx/default.conf
index 2c370f63d..77a026e8d 100644
--- a/nginx/default.conf
+++ b/nginx/default.conf
@@ -1,13 +1,32 @@
+# --- Cloudflare IP header forwarding ---
+# map $http_cf_connecting_ip $client_real_ip {
+# default $remote_addr;
+# "~." $http_cf_connecting_ip;
+# }
+
 server {
 listen 80;
- listen 443 ssl http2;
-
+ listen 443 ssl;
+ http2 on;
+ # Remove Nginx version from response headers
+ server_tokens off;
+
+ # TLS config
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers EECDH+AESGCM:EECDH+CHACHA20; # Enforce strong ciphers, might break older clients. Adjust as needed.
+ ssl_prefer_server_ciphers on;
+
+ # TLS certificates
+ # Self-signed. Adjust as needed.
 ssl_certificate /etc/nginx/ssl/nginx.crt;
 ssl_certificate_key /etc/nginx/ssl/nginx.key;
+ # Route API traffic to backend - https://example.com/service/ -> http://backend:8000/
 location /service/ {
 rewrite ^/service/(.*) /$1 break;
+ # If using Cloudflare - use this to forward the real client IP
+ # proxy_set_header X-Real-IP $client_real_ip;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -24,28 +43,12 @@ server {
 proxy_busy_buffers_size 128k;
 }
- location /kms/ {
- rewrite ^/kms/(.*) /kms/$1 break;
-
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
- proxy_set_header Host $http_host;
- proxy_set_header X-NginX-Proxy true;
-
- proxy_pass http://backend:8000;
- proxy_redirect off;
-
- proxy_cookie_path / "/; HttpOnly; SameSite=strict";
-
- proxy_buffers 16 32k;
- proxy_buffer_size 64k;
- proxy_busy_buffers_size 128k;
- }
-
+ # Route traffic to frontend - https://example.com/ -> http://frontend:3000/
 location / {
 include /etc/nginx/mime.types;
+ # If using Cloudflare - use this to forward the real client IP
+ # proxy_set_header X-Real-IP $client_real_ip;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
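Review bot: The commented-out `map` at the top of the hunk, together with the `# proxy_set_header X-Real-IP $client_real_ip;` it feeds in the `/service/` block, copies `$http_cf_connecting_ip` into X-Real-IP whenever that request header is non-empty, so once enabled any client that can reach the origin without going through Cloudflare can set an arbitrary X-Real-IP, and a backend that uses it for rate limiting or audit logging would be trusting a spoofable value. That is only safe if the origin accepts connections solely from Cloudflare's published ranges; otherwise the realip module does the same job with source validation, `set_real_ip_from <CLOUDFLARE_RANGE>;` per published range plus `real_ip_header CF-Connecting-IP;`, after which the existing `$remote_addr` already carries the real client address and the map is unnecessary, so the comment should say which of the two assumptions it relies on. Separately, `http2 on;` (replacing the `listen ... http2` parameter) is only accepted by nginx 1.25.1 or newer, and since the image version is not visible here a comment such as `# http2 directive requires nginx >= 1.25.1` would save a failed config test on an older base. The server block continues beyond the end of this hunk, and `listen 80;` still serves the application in the same block alongside the hardened TLS settings; if HTTPS-only is intended, a redirect on port 80 and an HSTS header belong next to the new `ssl_protocols` lines.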