From c309123147aaa394586e1d3a24320f26cb948a96 Mon Sep 17 00:00:00 2001 From: Nimish Date: Tue, 11 Nov 2025 13:13:07 +0530 Subject: [PATCH 1/4] chore: removed the /kms unused path --- nginx/default.conf | 20 +------------------- 1 file changed, 1 insertion(+), 19 deletions(-) diff --git a/nginx/default.conf b/nginx/default.conf index 2c370f63d..f6050e5c0 100644 --- a/nginx/default.conf +++ b/nginx/default.conf @@ -24,25 +24,7 @@ server { proxy_busy_buffers_size 128k; } - location /kms/ { - rewrite ^/kms/(.*) /kms/$1 break; - - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - - proxy_set_header Host $http_host; - proxy_set_header X-NginX-Proxy true; - - proxy_pass http://backend:8000; - proxy_redirect off; - - proxy_cookie_path / "/; HttpOnly; SameSite=strict"; - - proxy_buffers 16 32k; - proxy_buffer_size 64k; - proxy_busy_buffers_size 128k; - } - + # Route traffic to frontend - https://example.com/ -> http://frontend:3000/ location / { include /etc/nginx/mime.types; From 45399440a936f8d12afc4a1c35d42d812e5beaef Mon Sep 17 00:00:00 2001 From: Nimish Date: Tue, 11 Nov 2025 13:15:19 +0530 Subject: [PATCH 2/4] feat: misc changes - hardened cipher suites - strip nginx version from sever response header - fix: http deprecated directive - added: cloudflare ip forwarding scaffolding - documented routing structure --- nginx/default.conf | 91 +++++++++++++++++++++++++++++----------------- 1 file changed, 57 insertions(+), 34 deletions(-) diff --git a/nginx/default.conf b/nginx/default.conf index f6050e5c0..b97708201 100644 --- a/nginx/default.conf +++ b/nginx/default.conf 
@@ -1,47 +1,70 @@ -server { - listen 80; - listen 443 ssl http2; +# --- Cloudflare IP header forwarding --- +# map $http_cf_connecting_ip $client_real_ip { +# default $remote_addr; +# "~." $http_cf_connecting_ip; +# } - ssl_certificate /etc/nginx/ssl/nginx.crt; - ssl_certificate_key /etc/nginx/ssl/nginx.key; - - location /service/ { - rewrite ^/service/(.*) /$1 break; +http { + server { + listen 80; + listen 443 ssl; + http2 on; + # Remove Nginx version from response headers + server_tokens off; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + # TLS config + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers EECDH+AESGCM:EECDH+CHACHA20; # Enforce string ciphers, might break older clients. Adjust as needed. + ssl_prefer_server_ciphers on; - proxy_set_header Host $http_host; - proxy_set_header X-NginX-Proxy true; + # TLS certificates + # Self-signed. Adjust as needed. + ssl_certificate /etc/nginx/ssl/nginx.crt; + ssl_certificate_key /etc/nginx/ssl/nginx.key; + + # Route API traffic to backend - https://example.com/service/ -> http://backend:8000/ + location /service/ { + rewrite ^/service/(.*) /$1 break; - proxy_pass http://backend:8000; - proxy_redirect off; + # If using Cloudflare - use this to forward the real client IP + # proxy_set_header X-Real-IP $client_real_ip; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_cookie_path / "/; HttpOnly; SameSite=strict"; + proxy_set_header Host $http_host; + proxy_set_header X-NginX-Proxy true; - proxy_buffers 16 32k; - proxy_buffer_size 64k; - proxy_busy_buffers_size 128k; - } - + proxy_pass http://backend:8000; + proxy_redirect off; + + proxy_cookie_path / "/; HttpOnly; SameSite=strict"; + + proxy_buffers 16 32k; + proxy_buffer_size 64k; + proxy_busy_buffers_size 128k; + } + # Route traffic to frontend - https://example.com/ -> http://frontend:3000/ - location / { - include /etc/nginx/mime.types; + location 
/ { + include /etc/nginx/mime.types; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + # If using Cloudflare - use this to forward the real client IP + # proxy_set_header X-Real-IP $client_real_ip; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Host $http_host; - proxy_set_header X-NginX-Proxy true; + proxy_set_header Host $http_host; + proxy_set_header X-NginX-Proxy true; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; - proxy_pass http://frontend:3000; - proxy_redirect off; + proxy_pass http://frontend:3000; + proxy_redirect off; - proxy_buffers 16 32k; - proxy_buffer_size 64k; - proxy_busy_buffers_size 128k; - } + proxy_buffers 16 32k; + proxy_buffer_size 64k; + proxy_busy_buffers_size 128k; + } + } } From 2d5775bc1628ab4eea114af6183fb95c7ab2367c Mon Sep 17 00:00:00 2001 From: Nimish Date: Tue, 11 Nov 2025 13:29:39 +0530 Subject: [PATCH 3/4] refactor: clean up nginx configuration - Consolidated server block for improved readability - Maintained existing TLS and proxy settings - Ensured proper routing for API and frontend traffic --- nginx/default.conf | 100 ++++++++++++++++++++++----------------------- 1 file changed, 49 insertions(+), 51 deletions(-) diff --git a/nginx/default.conf b/nginx/default.conf index b97708201..60c5026ac 100644 --- a/nginx/default.conf +++ b/nginx/default.conf 
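Review bot: The commented-out Cloudflare `map` at the top of the hunk promotes `$http_cf_connecting_ip` to `$client_real_ip` whenever the header is non-empty, so once it is enabled the `X-Real-IP` handed to the backend is a client-supplied value unless the origin is reachable only through Cloudflare, or the realip module (`set_real_ip_from` for the Cloudflare ranges plus `real_ip_header CF-Connecting-IP`) is used to scope that trust. I would extend the scaffolding comment before the map with `# Only enable when the origin is reachable solely via Cloudflare (or pair with set_real_ip_from for Cloudflare ranges); otherwise this header is attacker-controllable.`, and the same caveat applies to the two commented `proxy_set_header X-Real-IP $client_real_ip;` lines in `/service/` and `/`. Separately, the server block listens on both 80 and 443 with no redirect to HTTPS, while the `proxy_cookie_path / "/; HttpOnly; SameSite=strict";` rewrite in `/service/` adds no `Secure` flag, so the backend's cookies can still be issued and replayed over the plaintext listener; either redirect port 80 to HTTPS and add `Secure`, or document why plaintext is intended. The hunk covers the whole file, and hunk 3 (the `http {}` unwrap) carries both points forward unchanged.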
@@ -4,67 +4,65 @@ # "~." $http_cf_connecting_ip; # } -http { - server { - listen 80; - listen 443 ssl; - http2 on; - # Remove Nginx version from response headers - server_tokens off; +server { + listen 80; + listen 443 ssl; + http2 on; + # Remove Nginx version from response headers + server_tokens off; - # TLS config - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers EECDH+AESGCM:EECDH+CHACHA20; # Enforce string ciphers, might break older clients. Adjust as needed. - ssl_prefer_server_ciphers on; + # TLS config + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers EECDH+AESGCM:EECDH+CHACHA20; # Enforce string ciphers, might break older clients. Adjust as needed. + ssl_prefer_server_ciphers on; - # TLS certificates - # Self-signed. Adjust as needed. - ssl_certificate /etc/nginx/ssl/nginx.crt; - ssl_certificate_key /etc/nginx/ssl/nginx.key; - - # Route API traffic to backend - https://example.com/service/ -> http://backend:8000/ - location /service/ { - rewrite ^/service/(.*) /$1 break; + # TLS certificates + # Self-signed. Adjust as needed. 
+ ssl_certificate /etc/nginx/ssl/nginx.crt; + ssl_certificate_key /etc/nginx/ssl/nginx.key; + + # Route API traffic to backend - https://example.com/service/ -> http://backend:8000/ + location /service/ { + rewrite ^/service/(.*) /$1 break; - # If using Cloudflare - use this to forward the real client IP - # proxy_set_header X-Real-IP $client_real_ip; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + # If using Cloudflare - use this to forward the real client IP + # proxy_set_header X-Real-IP $client_real_ip; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Host $http_host; - proxy_set_header X-NginX-Proxy true; + proxy_set_header Host $http_host; + proxy_set_header X-NginX-Proxy true; - proxy_pass http://backend:8000; - proxy_redirect off; + proxy_pass http://backend:8000; + proxy_redirect off; - proxy_cookie_path / "/; HttpOnly; SameSite=strict"; + proxy_cookie_path / "/; HttpOnly; SameSite=strict"; - proxy_buffers 16 32k; - proxy_buffer_size 64k; - proxy_busy_buffers_size 128k; - } - - # Route traffic to frontend - https://example.com/ -> http://frontend:3000/ - location / { - include /etc/nginx/mime.types; + proxy_buffers 16 32k; + proxy_buffer_size 64k; + proxy_busy_buffers_size 128k; + } + + # Route traffic to frontend - https://example.com/ -> http://frontend:3000/ + location / { + include /etc/nginx/mime.types; - # If using Cloudflare - use this to forward the real client IP - # proxy_set_header X-Real-IP $client_real_ip; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + # If using Cloudflare - use this to forward the real client IP + # proxy_set_header X-Real-IP $client_real_ip; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Host $http_host; - proxy_set_header X-NginX-Proxy true; + 
proxy_set_header Host $http_host; + proxy_set_header X-NginX-Proxy true; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; - proxy_pass http://frontend:3000; - proxy_redirect off; + proxy_pass http://frontend:3000; + proxy_redirect off; - proxy_buffers 16 32k; - proxy_buffer_size 64k; - proxy_busy_buffers_size 128k; - } - } + proxy_buffers 16 32k; + proxy_buffer_size 64k; + proxy_busy_buffers_size 128k; + } } From 3234ec61e6be87d708a515ec082cf5e8347e032a Mon Sep 17 00:00:00 2001 From: Nimish <85357445+nimish-ks@users.noreply.github.com> Date: Tue, 11 Nov 2025 18:29:41 +0530 Subject: [PATCH 4/4] Update nginx/default.conf Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- nginx/default.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx/default.conf b/nginx/default.conf index 60c5026ac..77a026e8d 100644 --- a/nginx/default.conf +++ b/nginx/default.conf @@ -13,7 +13,7 @@ server { # TLS config ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers EECDH+AESGCM:EECDH+CHACHA20; # Enforce string ciphers, might break older clients. Adjust as needed. + ssl_ciphers EECDH+AESGCM:EECDH+CHACHA20; # Enforce strong ciphers, might break older clients. Adjust as needed. ssl_prefer_server_ciphers on; # TLS certificates