# Rate limiting zone (per-IP)
# Keyed on the direct peer address; if this server sits behind a load balancer or
# reverse proxy, that peer is the balancer, not the end user (confirm deployment).
# ${RATE_LIMIT} is not nginx syntax and must be substituted before nginx reads this
# file (presumably a templating step such as envsubst — confirm in the build/entrypoint).
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=${RATE_LIMIT}r/m;
server {
# Plain HTTP only: there is no `ssl` on this listen, so $scheme is always "http" here.
# If TLS is terminated upstream, the X-Forwarded-Proto values set below will not
# reflect the client's original scheme.
listen 80;
server_tokens off;
# Default request body cap; the upload/create locations below override it with 0 (no limit).
client_max_body_size 1m;
# Settings page (must come before root location)
# Exact-match locations (`=`) win over prefix and regex locations regardless of order;
# the ordering comments reflect the author's intent rather than a nginx requirement.
location = /settings {
alias /cryptex/web/settings.html;
default_type text/html;
}
# Monitor dashboard page (must come before root location)
location = /monitor {
alias /cryptex/web/monitor.html;
default_type text/html;
}
# Links page (must come before root location)
location = /links {
alias /cryptex/web/links.html;
default_type text/html;
}
# Security page (must come before root location)
location = /security {
alias /cryptex/web/security.html;
default_type text/html;
}
# Login page (must come before root location)
location = /login {
alias /cryptex/web/login.html;
default_type text/html;
}
# Cryptex ID pattern (e.g. /abc-defg-hij) — served by index.html
# Regex locations are tested in file order; the first match wins. Any path not matching
# the exact shape (3-4-3 lowercase letters) falls through to the `/` location below.
location ~ "^/[a-z]{3}-[a-z]{4}-[a-z]{3}$" {
root /cryptex/web;
try_files /index.html =404;
default_type text/html;
}
# Frontend files
# Catch-all for static assets; no directory listing is enabled, so unmatched paths 404.
location / {
root /cryptex/web;
index index.html;
try_files $uri $uri/ =404;
}
# Custom 404 page
# `internal` means /404.html is only reachable via error_page, not by direct request.
error_page 404 /404.html;
location = /404.html {
root /cryptex/web;
internal;
}
# Token-based direct file download (presigned URLs)
# Not rate limited; relies on the backend to validate the token. Response buffering is
# disabled so large downloads stream straight to the client instead of being spooled
# by nginx. HTTP/1.1 with an empty Connection header allows upstream keepalive.
# This location defines its own proxy_set_header directives, so it inherits none from
# the server level (nginx inheritance is all-or-nothing per level).
location ~ ^/api/download/.+ {
proxy_read_timeout 3600s;
proxy_send_timeout 3600s;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_pass http://localhost:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# Multipart upload part endpoint (exempt from rate limiting)
# Must precede the `^/api/create` regex below, because regex locations are matched in
# file order and this prefix is a subset of that one. client_max_body_size 0 removes the
# 1m cap and proxy_request_buffering off streams the body to the backend unbuffered,
# so upload size and abuse limits must be enforced by the backend.
location ~ ^/api/create/file/ {
client_max_body_size 0;
proxy_request_buffering off;
proxy_read_timeout 3600s;
proxy_connect_timeout 60s;
proxy_send_timeout 3600s;
proxy_pass http://localhost:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# Create endpoint (rate limited)
# Shares the api_limit zone with /api/open; burst=5 nodelay lets a short spike through
# and rejects the rest immediately with 429 instead of queueing them.
location ~ ^/api/create {
client_max_body_size 0;
proxy_request_buffering off;
limit_req zone=api_limit burst=5 nodelay;
limit_req_status 429;
proxy_read_timeout 3600s;
proxy_connect_timeout 60s;
proxy_send_timeout 3600s;
proxy_pass http://localhost:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# Open endpoint (rate limited to prevent brute-force)
# Exact match, so it is selected before any of the regex/prefix /api locations.
# The effective per-client limit is only as good as the key: see the note on
# $binary_remote_addr at the top of this file.
location = /api/open {
limit_req zone=api_limit burst=5 nodelay;
limit_req_status 429;
proxy_pass http://localhost:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# General API endpoints
# Prefix match for everything else under /api/: no rate limiting and the default 1m body
# cap applies. Any new endpoint that needs throttling must get its own location above.
location /api/ {
proxy_pass http://localhost:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# Gzip compression
# gzip_proxied any also compresses responses coming back from the backend, including
# application/json API responses.
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_min_length 1024;
gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml+rss application/json application/javascript;
# Security headers
# Declared at server level and inherited by every location above only because none of
# them declares its own add_header; adding an add_header inside any location silently
# drops all of these for that location. `always` makes them apply to error responses
# (404, 429) as well as 2xx.
# NOTE(review): script-src and style-src include 'unsafe-inline', which removes most of
# CSP's protection against injected scripts; the policy has no frame-ancestors, so
# framing control relies on X-Frame-Options alone. No Strict-Transport-Security is set
# here, which is expected if TLS is terminated by a proxy in front of this server.
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; font-src 'self' https://cdn.jsdelivr.net; img-src 'self' data:; connect-src 'self' https://cdn.jsdelivr.net;" always;
}