Timmy_Foundation/the-door
15
0
Fork 0
Code Issues 22 Pull Requests 13 Actions Packages Projects Releases Wiki Activity
Files
main
the-door/deploy/nginx.conf
Timmy Time fc818bea56
Some checks failed
Smoke Test / smoke (push) Has been cancelled
Details
feat(infra): VPS deployment infrastructure — Ansible, nginx, deploy script (closes #2) (#22)
2026-04-13 04:11:42 +00:00

169 lines
5.9 KiB
Nginx Configuration File
Raw Permalink Blame History

# The Door — nginx config for alexanderwhitestone.com
# Place at /etc/nginx/sites-available/the-door
#
# Crisis front door: single URL, no login, always open.
# Static files + reverse proxy to Hermes Gateway on :8644
#
# Deploy:
# cp nginx.conf /etc/nginx/sites-available/the-door
# ln -sf /etc/nginx/sites-available/the-door /etc/nginx/sites-enabled/
# rm -f /etc/nginx/sites-enabled/default
# nginx -t && systemctl reload nginx
# HTTP → HTTPS redirect
server {
listen 80;
listen [::]:80;
server_name alexanderwhitestone.com www.alexanderwhitestone.com;
# Allow certbot ACME challenge even without SSL
location /.well-known/acme-challenge/ {
root /var/www/html;
allow all;
}
location / {
return 301 https://$server_name$request_uri;
}
}
# Main HTTPS server
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name alexanderwhitestone.com www.alexanderwhitestone.com;
# ================================================================
# SSL Configuration
# ================================================================
ssl_certificate /etc/letsencrypt/live/alexanderwhitestone.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/alexanderwhitestone.com/privkey.pem;
# Modern SSL settings
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;
# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 8.8.8.8 valid=300s;
resolver_timeout 5s;
# ================================================================
# Site Root
# ================================================================
root /var/www/the-door;
index index.html;
# ================================================================
# Compression
# ================================================================
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_min_length 256;
gzip_types
text/plain
text/css
text/javascript
application/javascript
application/json
application/manifest+json
image/svg+xml;
# ================================================================
# Static files — the crisis front door
# ================================================================
location / {
try_files $uri $uri/ /index.html;
# Security headers
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "no-referrer" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'unsafe-inline'; style-src 'unsafe-inline'; connect-src 'self'; img-src 'self' data:;" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
# Cache static assets
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
expires 7d;
add_header Cache-Control "public, immutable";
add_header X-Content-Type-Options "nosniff" always;
}
}
# ================================================================
# API proxy — /api/* → Hermes Gateway :8644
# ================================================================
location /api/ {
proxy_pass http://127.0.0.1:8644/;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# CORS — allow alexanderwhitestone.com origins
set $cors_origin "";
if ($http_origin ~* "^https://(www\.)?alexanderwhitestone\.com$") {
set $cors_origin $http_origin;
}
add_header Access-Control-Allow-Origin "$cors_origin" always;
add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
add_header Access-Control-Allow-Headers "Authorization, Content-Type" always;
add_header Access-Control-Allow-Credentials "true" always;
# Handle OPTIONS preflight
if ($request_method = OPTIONS) {
add_header Access-Control-Allow-Origin "$cors_origin";
add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
add_header Access-Control-Allow-Headers "Authorization, Content-Type";
add_header Access-Control-Max-Age 86400;
return 204;
}
# SSE streaming support
proxy_set_header Connection '';
proxy_buffering off;
proxy_cache off;
chunked_transfer_encoding on;
proxy_read_timeout 300s;
# Rate limiting — 10 req/min per IP, burst of 5
# Zone defined in nginx http block — see deploy/rate-limit.conf
limit_req zone=the_door_api burst=5 nodelay;
limit_req_status 429;
}
# ================================================================
# Health check — passthrough to Hermes
# ================================================================
location = /health {
proxy_pass http://127.0.0.1:8644/health;
proxy_http_version 1.1;
access_log off;
}
# ================================================================
# Block dotfiles (except .well-known)
# ================================================================
location ~ /\.(?!well-known) {
deny all;
return 404;
}
}
Reference in New Issue View Git Blame Copy Permalink