startup-starter/skybridge
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
86900b0bd4ade0bc04379a81cac52a209dd97aca
skybridge/nginx/default.conf
Ryan Copley 86900b0bd4 sso
2025-08-26 19:15:37 -04:00

198 lines
5.9 KiB
Plaintext
Raw Blame History

server {
listen 80;
server_name localhost;
# Health check endpoint (direct response)
location /health {
access_log off;
return 200 "healthy\n";
add_header Content-Type text/plain;
}
# API endpoints with rate limiting
location /api/ {
# Apply rate limiting
limit_req zone=api burst=20 nodelay;
# Development mode: only user email header required
proxy_set_header X-User-Email "test@example.com";
# Standard proxy headers
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Proxy to API service
proxy_pass http://api-service:8080;
proxy_read_timeout 60s;
proxy_connect_timeout 10s;
proxy_send_timeout 60s;
# Handle proxy errors
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
}
# Login endpoints with stricter rate limiting
location ~ ^/api/(login|verify|renew) {
# Apply stricter rate limiting for auth endpoints
limit_req zone=login burst=5 nodelay;
# Development mode: only user email header required
proxy_set_header X-User-Email "test@example.com";
# Standard proxy headers
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Proxy to API service
proxy_pass http://api-service:8080;
proxy_read_timeout 60s;
proxy_connect_timeout 10s;
proxy_send_timeout 60s;
# Handle proxy errors
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
}
# Test endpoints (development only)
location /test/ {
proxy_pass http://api-service:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# Metrics endpoint (for monitoring)
location /metrics {
# Only allow internal access
allow 127.0.0.1;
allow 10.0.0.0/8;
allow 172.16.0.0/12;
allow 192.168.0.0/16;
deny all;
proxy_pass http://api-service:9090/metrics;
}
# Default location - serve React frontend
location / {
proxy_pass http://frontend:80;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Handle React Router (client-side routing)
proxy_intercept_errors on;
error_page 404 = @fallback;
}
# Fallback for React Router
location @fallback {
proxy_pass http://frontend:80;
proxy_set_header Host $host;
}
# Custom error pages
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
location = /404.html {
internal;
return 404 '{"error": "Not Found", "message": "The requested resource was not found"}';
add_header Content-Type application/json;
}
location = /50x.html {
internal;
return 500 '{"error": "Internal Server Error", "message": "An internal error occurred"}';
add_header Content-Type application/json;
}
# Static assets - proxy to frontend with caching
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ {
proxy_pass http://frontend:80;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
expires 1y;
add_header Cache-Control "public, immutable";
}
# Block access to sensitive files
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
location ~ \.(env|config|ini)$ {
deny all;
access_log off;
log_not_found off;
}
}
# Test configuration for different user scenarios
server {
listen 8081;
server_name localhost;
# Health check endpoint (direct response)
location /health {
access_log off;
return 200 "healthy\n";
add_header Content-Type text/plain;
}
# Test endpoints (development only)
location /test/ {
proxy_pass http://api-service:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# Admin user for testing
location /api/ {
limit_req zone=api burst=50 nodelay;
# Development mode: admin test user
proxy_set_header X-User-Email "admin@example.com";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://api-service:8080;
}
}
server {
listen 8082;
server_name localhost;
# Limited user for testing
location /api/ {
limit_req zone=api burst=10 nodelay;
# Development mode: limited test user
proxy_set_header X-User-Email "limited@example.com";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://api-service:8080;
}
}
Reference in New Issue View Git Blame Copy Permalink