boris/keywarden
1
1
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects 1 Releases Wiki Activity

Ephemeral keys for xterm.js. Initial rework of audit logging. All endpoints now return a 401 regardless of presence if not logged in.

Browse Source
This commit is contained in:
George Wilkinson
2026-02-03 08:26:37 +00:00
parent 3e17d6412c
commit 667b02f0c3
28 changed files with 1546 additions and 181 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
nginx/configs/nginx.conf
View File

@@ -33,6 +33,21 @@ http {
default $http_x_forwarded_for;
}
# Basic connection and request shaping to reduce abusive traffic.
limit_conn_zone $binary_remote_addr zone=perip_conn:10m;
limit_req_zone $binary_remote_addr zone=perip_req:10m rate=20r/s;
map $request_uri $is_api_like {
default 0;
~^/api/ 1;
}
client_body_timeout 15s;
client_header_timeout 15s;
send_timeout 30s;
keepalive_timeout 30s;
large_client_header_buffers 4 16k;
server {
listen 80 default_server;
listen [::]:80 default_server;
@@ -52,15 +67,45 @@ http {
include options-https-headers.conf;
client_max_body_size 50M;
limit_conn perip_conn 30;
limit_req zone=perip_req burst=40 nodelay;
# Never serve hidden files or common secret/config artifacts.
location ~ /\.(?!well-known) {
return 404;
}
location ~* /(\\.git|\\.env|composer\\.(json|lock)|package(-lock)?\\.json|yarn\\.lock)$ {
return 404;
}
location / {
proxy_intercept_errors on;
error_page 404 = @masked_404;
error_page 401 = @masked_401;
proxy_pass http://127.0.0.1:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Connection "";
proxy_set_header X-Forwarded-Host $host;
include options-https-headers.conf;
}
location @masked_404 {
if ($is_api_like) {
return 401;
}
return 302 /;
}
location @masked_401 {
if ($is_api_like) {
return 404;
}
return 302 /;
}
}
access_log /var/log/nginx/access.log main;