# Rate limiting zones limit_req_zone $binary_remote_addr zone=auth_limit:10m rate=5r/s; limit_req_zone $binary_remote_addr zone=api_limit:10m rate=20r/s; limit_req_status 429; server { listen 8080; server_name localhost; root /usr/share/nginx/html; index index.html index.htm; # Security Headers add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always; # Note: Add Strict-Transport-Security when serving over HTTPS # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; # Content Security Policy - adjust as needed for your application add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https: blob:; font-src 'self' data:; connect-src 'self' https://api.qrserver.com; frame-ancestors 'self';" always; # Prevent caching of index.html to ensure fresh JS/CSS references location = /index.html { add_header Cache-Control "no-cache, no-store, must-revalidate"; add_header Pragma "no-cache"; add_header Expires "0"; # Security headers (must be repeated in location blocks) add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https: blob:; font-src 'self' data:; connect-src 'self' https://api.qrserver.com; frame-ancestors 'self';" always; } # Cache static assets (they have content hashes in filenames) location /assets/ { add_header Cache-Control "public, max-age=31536000, immutable"; # Security headers add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; } # Serve markdown files with correct MIME type location ~* \.md$ { types { text/plain md; } add_header Content-Type text/plain; add_header Access-Control-Allow-Origin *; } # Auth Service API proxy (stricter rate limit for auth endpoints) location /api/auth/ { limit_req zone=auth_limit burst=10 nodelay; proxy_pass http://auth-service:8080/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } # Work Management Service API proxy location /api/work/ { limit_req zone=api_limit burst=30 nodelay; proxy_pass http://work-management-service:8080/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } # Payment Service API proxy location /api/payment/ { limit_req zone=api_limit burst=20 nodelay; proxy_pass http://payment-service:8080/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } # Blog Service API proxy location /api/blog/ { limit_req zone=api_limit burst=50 nodelay; proxy_pass http://blog-service:8080/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } # IPFS Service API proxy location /api/ipfs/ { limit_req zone=api_limit burst=30 nodelay; proxy_pass http://ipfs-service:8080/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # Increase timeouts for IPFS operations proxy_connect_timeout 60s; proxy_send_timeout 60s; proxy_read_timeout 60s; } # Forum Service API proxy location /api/forum/ { limit_req zone=api_limit burst=50 nodelay; proxy_pass http://forum-service:8080/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } # Contact Service API proxy location /api/contact/ { limit_req zone=api_limit burst=10 nodelay; proxy_pass http://contact-service:8080/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } # LLM Service API proxy location /api/llm/ { limit_req zone=api_limit burst=20 nodelay; proxy_pass http://llm-service:8080/; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } # Cache hashed assets (immutable - hashes change on content change) location ~* \.(?:css|js)$ { expires 1y; add_header Cache-Control "public, immutable"; try_files $uri =404; } # Don't cache HTML and service worker location ~* (?:index\.html|service-worker\.js)$ { expires -1; add_header Cache-Control "no-cache, no-store, must-revalidate"; add_header Pragma "no-cache"; try_files $uri =404; } location / { try_files $uri $uri/ /index.html; } # Optional: Gzip compression gzip on; gzip_vary on; gzip_min_length 1000; gzip_proxied expired no-cache no-store private auth; gzip_types text/plain text/css application/json application/javascript text/xml application/xml+rss text/javascript text/markdown; }