keywarden/nginx/configs/nginx.conf.template

# This file should be put under /etc/nginx/conf.d/
# Or place as /etc/nginx/nginx.conf

user nginx;
worker_processes auto;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;
    set_real_ip_from 127.0.0.1;
    set_real_ip_from ::1;
    set_real_ip_from 10.0.0.0/8;
    set_real_ip_from 172.16.0.0/12;
    set_real_ip_from 192.168.0.0/16;
    include       /etc/nginx/mime.types;
    include options-ssl.conf;
    include options-http-headers.conf;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    map $http_x_forwarded_for $forwarded_for {
        ""      $remote_addr;
        default $http_x_forwarded_for;
    }

    # Basic connection and request shaping to reduce abusive traffic.
    limit_conn_zone $binary_remote_addr zone=perip_conn:10m;
    limit_req_zone $binary_remote_addr zone=perip_req:10m rate=20r/s;

    map $request_uri $is_api_like {
        default 0;
        ~^/api/ 1;
    }

    client_body_timeout 15s;
    client_header_timeout 15s;
    send_timeout 30s;
    keepalive_timeout 30s;
    large_client_header_buffers 4 16k;

    server {
        listen 80;
        listen [::]:80;
        server_name __SERVER_NAME__;
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        http2 on;
        server_name __SERVER_NAME__;

        error_log /var/log/nginx/error.log warn;
        access_log  /var/log/nginx/access.log main;

        ssl_certificate /etc/nginx/certs/certificate.pem;
        ssl_certificate_key /etc/nginx/certs/key.pem;
        include options-ssl.conf;
        include options-https-headers.conf;

        client_max_body_size 50M;
        limit_conn perip_conn 30;
        limit_req zone=perip_req burst=40 nodelay;

        # Never serve hidden files or common secret/config artifacts.
        location ~ /\.(?!well-known) {
            return 404;
        }

        location ~* /(\\.git|\\.env|composer\\.(json|lock)|package(-lock)?\\.json|yarn\\.lock)$ {
            return 404;
        }

        location /ws/ {
            proxy_pass  http://127.0.0.1:8001;
            include options-https-headers.conf;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $forwarded_for;
            proxy_set_header X-Forwarded-Proto  $scheme;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_read_timeout 1h;
        }

        location / {
            proxy_intercept_errors on;
            error_page 404 = @masked_404;
            error_page 401 = @masked_401;
            proxy_pass  http://127.0.0.1:8000;
            include options-https-headers.conf;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $forwarded_for;
            proxy_set_header X-Forwarded-Proto  $scheme;
            proxy_set_header X-Forwarded-Host $host;
            proxy_read_timeout 1h;
            }

        # I don't like this, but it confuses probes and crawlers if public facing.
        location @masked_404 {
            if ($is_api_like) {
                return 401;
            }
            return 302 /;
        }

        location @masked_401 {
            if ($is_api_like) {
                return 401;
            }
            return 302 /;
        }
    }

    access_log  /var/log/nginx/access.log main;
    types_hash_bucket_size 128;
}