# # NODE1 Hardened Nginx Configuration v3 # Version: 3.0 # Last Updated: 2026-01-26 # # v3 Features: # - /health protected (allowlist + token) # - Auth-gate for /v1/* endpoints # - Nginx metrics endpoint for Prometheus # - Enhanced WAF rules # - Fail2ban integration ready # # === Rate Limit Zones === limit_req_zone $binary_remote_addr zone=api_per_ip:10m rate=10r/s; limit_req_zone $binary_remote_addr zone=heavy_per_ip:10m rate=2r/s; limit_req_zone $binary_remote_addr zone=webhook_per_ip:10m rate=50r/s; limit_req_zone $binary_remote_addr zone=auth_fail:10m rate=5r/s; limit_conn_zone $binary_remote_addr zone=conn_per_ip:10m; # === Auth token (change this!) === # Generate: openssl rand -hex 32 map $http_x_health_token $health_token_valid { default 0; "dg-health-2026-secret-change-me" 1; } # API Key validation map map $http_authorization $api_key_valid { default 0; "~^Bearer\s+sk-[a-zA-Z0-9]{32,}$" 1; } map $http_x_api_key $x_api_key_valid { default 0; "~^sk-[a-zA-Z0-9]{32,}$" 1; } # === Logging format (no auth headers, fail2ban ready) === log_format api_safe '$remote_addr - $remote_user [$time_local] ' '"$request" $status $body_bytes_sent ' '"$http_referer" "$http_user_agent" ' 'rt=$request_time'; log_format fail2ban '$remote_addr - [$time_local] "$request" $status'; # === Upstream === upstream gateway_upstream { server 127.0.0.1:9300; keepalive 64; } # === HTTP → HTTPS redirect === server { listen 80; listen [::]:80; server_name gateway.daarion.city api.daarion.io 144.76.224.179 _; location /.well-known/acme-challenge/ { root /var/www/html; } location / { return 301 https://$host$request_uri; } } # === Main HTTPS Server === server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name gateway.daarion.city api.daarion.io 144.76.224.179; # === SSL Configuration === ssl_certificate /etc/letsencrypt/live/gateway.daarion.city/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/gateway.daarion.city/privkey.pem; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305; ssl_prefer_server_ciphers off; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; # === Security Headers === add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self' wss: https:;" always; # === Logging === access_log /var/log/nginx/api-access.log api_safe; access_log /var/log/nginx/fail2ban.log fail2ban; error_log /var/log/nginx/api-error.log warn; # === WAF-lite: Block sensitive files === location ~* \.(env|git|sql|bak|swp|old|backup|log|ini|conf|config|yml|yaml|json|xml|db|sqlite|pem|key)$ { access_log /var/log/nginx/waf-blocks.log fail2ban; return 444; } location ~* ^/(\.git|\.svn|\.hg|\.env|wp-admin|wp-login|phpmyadmin|admin\.php|xmlrpc\.php|\.aws|\.docker) { access_log /var/log/nginx/waf-blocks.log fail2ban; return 444; } # Block SQL injection attempts if ($query_string ~* "(union|select|insert|drop|delete|update|truncate|exec|script|alert|eval|base64)") { return 403; } # Block suspicious user agents if ($http_user_agent ~* (sqlmap|nikto|nmap|masscan|zgrab|python-requests/2\.[0-9]+\.[0-9]+$)) { return 444; } # === Nginx metrics (internal only) === location = /nginx-status { stub_status on; allow 127.0.0.1; allow 10.42.0.0/16; # K8s pod network allow 10.43.0.0/16; # K8s service network deny all; } # === Health check (protected) === location = /health { # Allow localhost set $health_allowed 0; if ($remote_addr = "127.0.0.1") { set $health_allowed 1; } # Allow with valid token if ($health_token_valid = 1) { set $health_allowed 1; } # Allow internal networks (Prometheus, K8s) if ($remote_addr ~ "^(10\.(42|43)\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)") { set $health_allowed 1; } if ($health_allowed = 0) { return 401; } proxy_pass http://gateway_upstream/health; proxy_http_version 1.1; proxy_set_header Connection ""; } # === Public health (limited info) === location = /ping { default_type application/json; return 200 '{"status":"ok"}'; } # === Webhook endpoints (Telegram, etc.) - no auth === location ~ ^/(webhook|telegram|bot[0-9]+) { limit_req zone=webhook_per_ip burst=100 nodelay; limit_conn conn_per_ip 50; proxy_pass http://gateway_upstream; proxy_http_version 1.1; proxy_set_header Connection ""; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_connect_timeout 5s; proxy_send_timeout 30s; proxy_read_timeout 30s; client_max_body_size 10m; } # === API v1 endpoints (require auth) === location ~ ^/v1/ { # Check for valid API key set $auth_valid 0; if ($api_key_valid = 1) { set $auth_valid 1; } if ($x_api_key_valid = 1) { set $auth_valid 1; } # Allow internal networks (service-to-service) if ($remote_addr ~ "^(127\.0\.0\.1|10\.(42|43)\.|172\.(1[6-9]|2[0-9]|3[01])\.)") { set $auth_valid 1; } if ($auth_valid = 0) { access_log /var/log/nginx/auth-fails.log fail2ban; return 401 '{"error":"unauthorized","message":"Valid API key required"}'; } limit_req zone=heavy_per_ip burst=5 nodelay; limit_conn conn_per_ip 10; proxy_pass http://gateway_upstream; proxy_http_version 1.1; proxy_set_header Connection ""; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_connect_timeout 10s; proxy_send_timeout 300s; proxy_read_timeout 300s; client_max_body_size 100m; } # === Root / docs / public (rate limited) === location / { limit_req zone=api_per_ip burst=20 nodelay; limit_conn conn_per_ip 20; proxy_pass http://gateway_upstream; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_connect_timeout 5s; proxy_send_timeout 60s; proxy_read_timeout 60s; proxy_cache_bypass $http_upgrade; client_max_body_size 10m; } # === Error pages === error_page 401 = @unauthorized; location @unauthorized { default_type application/json; return 401 '{"error":"unauthorized","message":"Authentication required"}'; } error_page 429 = @rate_limited; location @rate_limited { default_type application/json; return 429 '{"error":"rate_limit_exceeded","message":"Too many requests","retry_after":1}'; } error_page 403 = @forbidden; location @forbidden { default_type application/json; return 403 '{"error":"forbidden","message":"Access denied"}'; } } # === WebSocket upgrade mapping === map $http_upgrade $connection_upgrade { default upgrade; '' close; } # === Admin Panel (localhost only) === server { listen 127.0.0.1:8080; server_name localhost; location /grafana/ { proxy_pass http://127.0.0.1:3030/; proxy_http_version 1.1; proxy_set_header Host $host; } location /prometheus/ { proxy_pass http://127.0.0.1:9090/; proxy_http_version 1.1; proxy_set_header Host $host; } location /nginx-metrics { stub_status on; } }