Moved nginx config examples to here

BuddySirJava · BuddySirJava · commit 5cb9c3870af1 · 2025-08-03T13:10:59.000+03:30
diff --git a/nginx-configs/example.default.conf b/nginx-configs/example.default.conf
@@ -0,0 +1,119 @@
+# Rate limiting zones
+limit_req_zone $binary_remote_addr zone=one:10m rate=20r/s;
+limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
+limit_req_zone $binary_remote_addr zone=create:10m rate=5r/s;
+
+# Bot server IP whitelist (replace with your bot server's IP)
+geo $bot_server {
+    default 0;
+    # Add your bot server IP here
+    127.0.0.1 1;
+}
+
+server {
+    listen 443 ssl;
+    server_name example.com www.example.com;
+
+    ssl_certificate /etc/nginx/your-fullchain.pem;
+    ssl_certificate_key /etc/nginx/your-private-key.pem;
+
+    # Security headers
+    # Production CSP (strict)
+    add_header Content-Security-Policy "default-src 'self'; connect-src 'self' https://lottie.host https://*.lottie.host https://cdnjs.cloudflare.com https://unpkg.com https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com; script-src 'self' 'unsafe-inline' 'wasm-unsafe-eval' https://cdnjs.cloudflare.com https://unpkg.com https://cdn.jsdelivr.net; font-src 'self' https://cdn.jsdelivr.net; img-src 'self' data: https:; media-src 'self' https:;" always;
+    
+    # Alternative CSP for development (more permissive)
+    # add_header Content-Security-Policy "default-src 'self' https:; connect-src 'self' https:; style-src 'self' 'unsafe-inline' https:; script-src 'self' 'unsafe-inline' 'wasm-unsafe-eval' https:; font-src 'self' https:; img-src 'self' data: https:; media-src 'self' https:;" always;
+    
+    add_header X-Frame-Options "DENY" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+
+    # Serve robots.txt directly
+    location = /robots.txt {
+        alias /static/robots.txt;
+        add_header Content-Type text/plain;
+    }
+
+    # Serve sitemap.xml directly
+    location = /sitemap.xml {
+        alias /static/sitemap.xml;
+        add_header Content-Type application/xml;
+    }
+
+    location /static/ {
+        alias /static/;
+        expires 1y;
+        add_header Cache-Control "public, immutable";
+        
+        # Ensure proper MIME types for JavaScript files
+        location ~* \.js$ {
+            add_header Content-Type "application/javascript";
+            add_header X-Content-Type-Options "nosniff";
+        }
+        
+        # Ensure proper MIME types for CSS files
+        location ~* \.css$ {
+            add_header Content-Type "text/css";
+            add_header X-Content-Type-Options "nosniff";
+        }
+        
+        # Handle other static file types
+        location ~* \.(png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
+            expires 1y;
+            add_header Cache-Control "public, immutable";
+        }
+    }
+
+    # Rate limit for paste creation (more strict)
+    location ~ ^/create/?$ {
+        limit_req zone=create burst=8 nodelay;
+        proxy_pass http://web:8000;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    # API endpoints with bot whitelist - separate locations for different access methods
+    location ~ ^/api/ {
+        # Check for bot token header first
+        set $skip_rate_limit 0;
+        
+        if ($http_x_bot_token = "your-secret-token") {
+            set $skip_rate_limit 1;
+        }
+        
+        if ($bot_server = 1) {
+            set $skip_rate_limit 1;
+        }
+        
+        # Apply rate limiting only if not whitelisted
+        if ($skip_rate_limit = 0) {
+            limit_req zone=api burst=15 nodelay;
+        }
+        
+        proxy_pass http://web:8000;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    # General rate limiting for all other requests
+    location / {
+        limit_req zone=one burst=25 nodelay;
+        proxy_pass http://web:8000;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
+
+# Redirect HTTP to HTTPS
+server {
+    listen 80;
+    server_name example.com www.example.com;
+    return 301 https://$host$request_uri;
+} 
diff --git a/nginx-configs/example.nginx.conf b/nginx-configs/example.nginx.conf
@@ -0,0 +1,28 @@
+events {
+    worker_connections 1024;
+}
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    # Rate limiting zones (moved to default.conf)
+    # limit_req_zone $binary_remote_addr zone=one:10m rate=10r/m;
+
+    # Logging
+    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+                    '$status $body_bytes_sent "$http_referer" '
+                    '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log /var/log/nginx/access.log main;
+    error_log /var/log/nginx/error.log;
+
+    # Gzip compression
+    gzip on;
+    gzip_vary on;
+    gzip_min_length 1024;
+    gzip_types text/plain text/css text/xml text/javascript application/javascript application/xml+rss application/json;
+
+    # Include server configurations
+    include /etc/nginx/conf.d/*.conf;
+} 
