# Rate limiting zones (before server block) limit_req_zone $binary_remote_addr zone=auth_limit:10m rate=10r/m; # SEC-14: Registration endpoint — slightly more permissive than strict auth endpoints limit_req_zone $binary_remote_addr zone=register_limit:10m rate=5r/m; # Admin API — generous for legitimate use but still guards against scraping/brute-force limit_req_zone $binary_remote_addr zone=admin_limit:10m rate=30r/m; # Use X-Forwarded-Proto from upstream proxy when present, fall back to $scheme for direct access map $http_x_forwarded_proto $forwarded_proto { default $scheme; https https; http http; } server { listen 8080; server_name localhost; root /usr/share/nginx/html; index index.html; # Suppress nginx version in Server header server_tokens off; # Gzip compression gzip on; gzip_vary on; gzip_min_length 1024; gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml+rss application/javascript application/json; # Block dotfiles (except .well-known for ACME/Let's Encrypt) location ~ /\.(?!well-known) { return 404; } # Rate-limited auth endpoints (keep in sync with proxy-params.conf) location /api/auth/login { limit_req zone=auth_limit burst=5 nodelay; limit_req_status 429; include /etc/nginx/proxy-params.conf; } location /api/auth/verify-password { limit_req zone=auth_limit burst=5 nodelay; limit_req_status 429; include /etc/nginx/proxy-params.conf; } location /api/auth/totp-verify { limit_req zone=auth_limit burst=5 nodelay; limit_req_status 429; include /etc/nginx/proxy-params.conf; } location /api/auth/change-password { limit_req zone=auth_limit burst=5 nodelay; limit_req_status 429; include /etc/nginx/proxy-params.conf; } location /api/auth/setup { # Tighter burst: setup is one-time-only, 3 attempts is sufficient limit_req zone=auth_limit burst=3 nodelay; limit_req_status 429; include /etc/nginx/proxy-params.conf; } # SEC-14: Rate-limit public registration endpoint location /api/auth/register { limit_req zone=register_limit burst=3 nodelay; limit_req_status 429; include /etc/nginx/proxy-params.conf; } # Admin API — rate-limited separately from general /api traffic location /api/admin/ { limit_req zone=admin_limit burst=10 nodelay; limit_req_status 429; include /etc/nginx/proxy-params.conf; } # API proxy location /api { proxy_pass http://backend:8000; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $forwarded_proto; proxy_cache_bypass $http_upgrade; } # SPA fallback - serve index.html for all routes location / { try_files $uri $uri/ /index.html; } # Cache static assets location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ { expires 1y; add_header Cache-Control "public, immutable"; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data:; font-src 'self' https://fonts.gstatic.com; connect-src 'self';" always; } # Security headers add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data:; font-src 'self' https://fonts.gstatic.com; connect-src 'self';" always; }