1# ==============================================================================
2# Nginx Proxy Manager Custom Configuration
3# ==============================================================================
4#
5# Description: Custom Nginx configuration snippets for Proxy Manager
6# Generated by Ansible - DO NOT EDIT MANUALLY
7# Template: nginx-proxy-custom.conf.j2
8#
9# Place this file in: {{ docker_base_path }}/nginx-proxy/data/nginx/custom/
10# It will be automatically included by Nginx Proxy Manager
11#
12# ==============================================================================
13
14# ========================================================================
15# GLOBAL CUSTOM CONFIGURATION
16# ========================================================================
17
# Custom error pages
# Every listed 4xx status is answered with the internal /error.html location
# defined further down in this file.  400 is included, so malformed requests
# also get the branded page.
error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 421 422 423 424 425 426 428 429 431 451 /error.html;

# Enhanced logging format
# log_format is an http-context directive, whereas the location and if blocks
# later in this file are only valid inside a server block, so this file cannot
# be included unchanged in one place; it presumably has to be split across
# Proxy Manager's http-level and server-level custom includes — confirm against
# the include layout.  NOTE(review): if the base nginx.conf already declares a
# format named "main", nginx refuses to start on the duplicate — confirm.
# $http_x_forwarded_for is copied verbatim from the request, so it is
# client-controlled and must be treated as untrusted when reading logs.
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    '$status $body_bytes_sent "$http_referer" '
    '"$http_user_agent" "$http_x_forwarded_for" '
    '$request_time $upstream_response_time $pipe';
26
27# ========================================================================
28# SECURITY HEADERS
29# ========================================================================
30
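# Security headers configuration
# add_header directives are inherited from the enclosing level only when the
# current level declares no add_header of its own; a host config that adds any
# header of its own (HSTS, for example) therefore drops this entire set, so
# verify the headers actually reach clients on every proxied host.
{% if security_headers_enabled %}
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
# The XSS auditor that X-XSS-Protection controlled has been removed from
# current browsers, and in the browsers that still honour it "1; mode=block"
# was itself a source of cross-site information leaks; the recommended value
# is now 0 (explicitly off).
add_header X-XSS-Protection "0" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;

# HSTS header
# Sent with "always" on every response, including plain-HTTP ones; browsers
# ignore HSTS received over HTTP, so that is harmless.  The preload list
# requires a max-age of at least one year (31536000 s), so the directive is
# emitted at >= rather than > one year.  Preload is effectively irreversible
# for the domain and every subdomain; keep hsts_max_age below a year unless
# submission to the preload list is intended.
add_header Strict-Transport-Security "max-age={{ hsts_max_age }}; includeSubDomains{% if hsts_max_age >= 31536000 %}; preload{% endif %}" always;
{% endif %}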
42
43# ========================================================================
44# PERFORMANCE OPTIMIZATIONS
45# ========================================================================
46
# TCP optimizations
# tcp_nopush only takes effect when sendfile is enabled; sendfile is not set in
# this file, so it must come from the base nginx.conf — confirm.
tcp_nopush on;
tcp_nodelay on;

# File handle optimizations
# Cache up to 10000 open descriptors, evicting entries idle for 30s; a cached
# entry is re-checked after 60s and is only retained once it has been used twice.
open_file_cache max=10000 inactive=30s;
open_file_cache_valid 60s;
open_file_cache_min_uses 2;
# Also caches lookup errors ("file not found") for the same 60s, so a file
# created right after a miss can stay invisible for up to a minute.
open_file_cache_errors on;
56
# Gzip compression
# Compresses responses of the listed types (text/html is always compressed),
# including proxied responses (gzip_proxied any), and adds Vary: Accept-Encoding.
# Compressing dynamic responses that mix attacker-influenced input with secrets
# (CSRF tokens, session identifiers) exposes them to compression side-channel
# attacks (BREACH); application/json and HTML are the usual carriers, so
# upstreams that return such content should be excluded from compression or
# keep secrets out of the response body.
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_types
    text/plain
    text/css
    text/xml
    text/javascript
    application/json
    application/javascript
    application/xml+rss
    application/atom+xml
    image/svg+xml;
72
73# ========================================================================
74# RATE LIMITING
75# ========================================================================
76
# Rate limiting for abuse protection
# These lines only declare the shared-memory zones (10 MB each, keyed on the
# peer address).  Nothing in this file applies them: no location carries a
# `limit_req zone=api` or `limit_req zone=auth` directive, so no request is
# actually throttled until one is added to the locations to be protected.
# $binary_remote_addr is the immediate peer; behind another proxy or NAT every
# client shares one key and the zone would throttle all of them together.
limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
limit_req_zone $binary_remote_addr zone=auth:10m rate=5r/m;
80
81# ========================================================================
82# CUSTOM ERROR PAGES
83# ========================================================================
84
# Custom error page location
# `internal` restricts this location to error_page redirects; a direct request
# for /error.html is answered 404.  If the custom page is missing, try_files
# falls back to the URI /error-default.html, which is an internal redirect that
# goes through location matching again — this exact-match location will not
# catch it, so the fallback is served by whatever location handles that path
# (in a proxied host, the upstream).  Confirm that is the intended behaviour.
location = /error.html {
    internal;
    root /data/nginx/custom;
    try_files $uri /error-default.html;
}
91
92# ========================================================================
93# HEALTH CHECKS
94# ========================================================================
95
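# Health check endpoint
# `return` answers with the Content-Type taken from default_type; adding a
# second Content-Type through add_header produced a response with two
# Content-Type headers.  Setting default_type yields the single correct one.
# Exact match, so /healthz or /health/anything are not absorbed by this block.
# The user-agent filter later in this file returns 444 to curl, wget and
# python-based clients before any location is selected, so probes from those
# tools never reach this endpoint — confirm which client the monitoring uses.
location = /health {
    access_log off;
    default_type text/plain;
    return 200 "healthy\n";
}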
102
103# ========================================================================
104# SECURITY RESTRICTIONS
105# ========================================================================
106
# Block common exploit paths
# Denies any URI containing a "/." segment (dotfiles and dot-directories)
# except /.well-known, which ACME challenges need.  Regex locations are tried
# in file order and take precedence over prefix locations, so this also
# shadows the host's proxied `location /` for such paths.
location ~* /\.(?!well-known) {
    deny all;
    access_log off;
    log_not_found off;
}

# Block sensitive files
# The pattern is unanchored, so it matches anywhere in the URI: /foo.environment
# (via \.env) and any path merely containing "error_log" are denied as well.
# \.env, \.git and \.svn are already covered by the dotfile rule above whenever
# they follow a slash.  Denied probes are not logged (access_log off), which
# removes a useful detection signal; consider logging them to a separate file.
location ~* (wp-config\.php|error_log|debug_log|\.env|\.git|\.svn) {
    deny all;
    access_log off;
    log_not_found off;
}
120
121# ========================================================================
122# CUSTOM PROXY SETTINGS
123# ========================================================================
124
# Enhanced proxy settings
# NOTE(review): proxy_set_header is inherited only when the current level sets
# none of its own.  Proxy Manager's generated host configs are believed to set
# their own proxy_set_header lines, in which case this whole block is ignored
# for those hosts — confirm against a generated host conf.
proxy_http_version 1.1;
# Clears the hop-by-hop Connection header so upstream keepalive can be used;
# this also drops the "upgrade" token, so WebSocket endpoints need their own
# `proxy_set_header Connection $http_connection` where they are proxied.
proxy_set_header Connection "";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# Appends the peer address to whatever X-Forwarded-For the client supplied;
# earlier entries are client-controlled, so upstreams must trust only the last.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;

# Proxy timeouts
# The read timeout is the maximum gap between two successive upstream reads,
# so idle WebSocket or long-polling connections are closed after 30s of silence.
proxy_connect_timeout 30s;
proxy_send_timeout 30s;
proxy_read_timeout 30s;

# Proxy buffering
# The 4k first buffer must hold the complete upstream response header; upstreams
# that emit large cookies or many Set-Cookie headers fail with "upstream sent
# too big header" and need a larger proxy_buffer_size.
proxy_buffering on;
proxy_buffer_size 4k;
proxy_buffers 8 4k;
proxy_busy_buffers_size 8k;
145
146# ========================================================================
147# CUSTOM CACHE SETTINGS
148# ========================================================================
149
# Proxy cache settings
# Declares the on-disk cache (1 GB, 10 MB key zone) and its policy, but no
# location in this file switches it on with `proxy_cache proxy_cache;`, so
# nothing is cached until that is added.  Before enabling it: the key has no
# per-user component, so any authenticated or cookie-personalised response that
# reaches the cache would be handed to other clients — bypass the cache on
# Authorization and session cookies (proxy_no_cache / proxy_cache_bypass) first.
proxy_cache_path /data/cache levels=1:2 keys_zone=proxy_cache:10m max_size=1g;
proxy_cache_key "$scheme$request_method$host$request_uri";
proxy_cache_valid 200 302 10m;
proxy_cache_valid 404 1m;
# Serve a stale copy while a refresh is in flight or when the upstream errors.
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
156
157# ========================================================================
158# SSL/TLS ENHANCEMENTS
159# ========================================================================
160
# SSL session cache
# Shared 10 MB session cache with a 10 minute lifetime.  Session tickets are
# off, so resumption state lives only in this cache rather than being sealed
# with a long-lived ticket key that would undermine forward secrecy if leaked.
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_session_tickets off;

# SSL stapling
# ssl_stapling_verify needs the issuer chain (ssl_trusted_certificate) and a
# resolver to fetch OCSP responses; neither is set in this file, so they must
# come from the base config or the staple will not be sent — confirm.
ssl_stapling on;
ssl_stapling_verify on;

# SSL protocols and ciphers
# TLS 1.2 is limited to forward-secret AEAD suites (GCM / ChaCha20-Poly1305);
# the list does not apply to TLS 1.3, whose suites are fixed.  Client order is
# honoured (prefer_server_ciphers off), which is acceptable because every
# listed suite is considered strong.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
174
175# ========================================================================
176# CUSTOM LOCATION BLOCKS
177# ========================================================================
178
# Block common vulnerability scanners
# Matches the tool names inside the request URI, where scanners do not normally
# put them, so in practice this mostly hits legitimate paths that happen to
# contain the substring (e.g. /unmap).  `return 444` runs in the rewrite phase
# and closes the connection before `deny all` (access phase) is evaluated, so
# the deny never takes effect here.
location ~* (nmap|nikto|wpscan|sqlmap) {
    deny all;
    return 444;
}

# Block bad user agents
# A server-level `if` is evaluated before location selection, so this applies
# to every request, including the /health endpoint above.  "curl", "wget" and
# "python" also match ordinary API clients, uptime monitors and python-requests,
# and the User-Agent is chosen by the sender, so this raises no bar for a
# determined client while it does break legitimate automation.
if ($http_user_agent ~* (wget|curl|libwww-perl|python|nikto|sqlmap|nmap|nessus|acunetix|paros|webalizer)) {
    return 444;
}
189
190# ========================================================================
191# MAINTENANCE MODE
192# ========================================================================
193
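# Maintenance mode location
# Kept internal so the page is reachable only through the 503 handler below,
# never by requesting /maintenance.html directly.
location /maintenance.html {
    internal;
    root /data/nginx/custom;
}

# Maintenance mode error page
# When an upstream (or a deliberate switch) yields 503, serve the static page
# if it exists.  The previous handler used `return 503` / `return 404`, which
# never sent the file: nginx does not re-run error_page from inside an
# error_page handler (recursive_error_pages is off by default), so the built-in
# page was shown instead, and a missing file turned a genuine upstream outage
# into a misleading 404.  try_files serves the file directly and keeps the
# original 503 status in both cases.
error_page 503 @maintenance;
location @maintenance {
    root /data/nginx/custom;
    try_files /maintenance.html =503;
}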
208
209# ========================================================================
210# CUSTOM METRICS AND MONITORING
211# ========================================================================
212
# nginx status endpoint
# stub_status emits nginx's plain-text connection counters, not the Prometheus
# exposition format; a Prometheus setup needs the nginx exporter to scrape this
# URL.  Access is limited to loopback and RFC 1918 ranges by peer address.
# NOTE(review): when Proxy Manager runs in Docker, external clients can arrive
# with a $remote_addr in 172.16.0.0/12 (the bridge gateway) depending on how
# the ports are published (userland proxy, Docker Desktop, IPv6 without
# ip6tables); the allow list would then admit everyone — confirm the network
# mode before relying on it.  The prefix match also covers /metrics-anything;
# `location = /metrics` would be tighter.
location /metrics {
    access_log off;
    allow 127.0.0.1;
    allow ::1;
    allow 10.0.0.0/8;
    allow 172.16.0.0/12;
    allow 192.168.0.0/16;
    deny all;

    stub_status on;
}
225
226# ========================================================================
227# CUSTOM REWRITE RULES
228# ========================================================================
229
# Common rewrite rules
# A matching regex location is final: the host's `location /` with its
# proxy_pass is not consulted afterwards.  Nothing in this block proxies the
# request, so after successful basic auth it is served from the server's root
# rather than from the WordPress upstream — the proxy_pass has to be repeated
# here for the protection to be usable.  The pattern is open-ended, so
# /wp-admin-anything and /wp-login-x are covered too.  The .htpasswd sits under
# the same root that serves /error.html; it is not reachable over HTTP because
# that location is internal and the dotfile rule above denies /.htpasswd.
location ~* "^/(wp-admin|wp-login)" {
    # WordPress admin protection
    auth_basic "Restricted Access";
    auth_basic_user_file /data/nginx/custom/.htpasswd;
}

# API versioning rewrite
# Same caveat as above: there is no proxy_pass here, so the rewritten URI
# /api/<path>?version=<n> is served locally instead of being forwarded.
# `break` stops further rewrite processing in this location without
# re-matching locations; because the replacement has no trailing "?", the
# original query string is appended after version=<n>.
location ~* "^/api/v([0-9]+)/(.*)" {
    # API version routing
    rewrite "^/api/v([0-9]+)/(.*)" /api/$2?version=$1 break;
}
242
243# ==============================================================================
244# END OF CUSTOM NGINX CONFIGURATION
245# ==============================================================================