# Go API backend. keepalive keeps up to 32 idle connections to it open per
# worker process; nginx only draws on that pool when the proxying location
# also sets proxy_http_version 1.1 and clears the Connection request header
# (proxy_set_header Connection ""), otherwise each request opens a new socket.
upstream liberdiscovery_api {
    server liberdiscovery-api:8080;
    keepalive 32;
}

# Zabbix web frontend, reached through the /zabbix/ location below.
# No keepalive pool is declared, so every proxied request opens a fresh
# connection to zabbix-web.
upstream zabbix_web {
    server zabbix-web:8080;
}

# Rate limiting zones, keyed by client IP ($binary_remote_addr), 10 MB of
# shared state each.
#   api:       general API traffic, 30 requests/second per IP (burst is set
#              where the zone is applied).
#   discovery: the scan endpoint, 2 requests/minute per IP.
# NOTE(review): if nginx itself sits behind a load balancer, $binary_remote_addr
# is the balancer's address and every client shares a single bucket; in that
# deployment set set_real_ip_from / real_ip_header for the trusted balancer
# range so the key is the real client IP — confirm the topology.
limit_req_zone $binary_remote_addr zone=api:10m rate=30r/s;
limit_req_zone $binary_remote_addr zone=discovery:10m rate=2r/m;

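server {
    listen 80;
    server_name _;

    # Do not advertise the nginx version in the Server header or error pages.
    server_tokens off;

    # Throttled requests get 429 instead of the default 503, so clients can
    # tell rate limiting apart from a backend outage.
    limit_req_status 429;

    # Redirect to HTTPS in production
    # return 301 https://$host$request_uri;

    # Security headers.
    # nginx add_header is NOT inherited into a location that declares its own
    # add_header (that location gets ONLY its own headers), so every location
    # below that adds a header repeats these four lines.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    # Legacy header kept for old browsers; current ones ignore it. A
    # Content-Security-Policy is the effective control and is not set here —
    # add one only after confirming the SPA's script/style/connect origins.
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # Gzip compression
    gzip on;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml image/svg+xml;
    gzip_min_length 1000;
    gzip_comp_level 6;

    # ─── React Frontend (SPA) ─────────────────────────────────────────
    location / {
        root /usr/share/nginx/html;
        index index.html;
        # Unknown paths fall back to index.html so client-side routing works.
        try_files $uri $uri/ /index.html;

        # Cache static assets
        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
            expires 30d;
            add_header Cache-Control "public, immutable";
            # Re-declared: the Cache-Control add_header above replaces the
            # server-level set, so the security headers must be repeated here.
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-XSS-Protection "1; mode=block" always;
            add_header Referrer-Policy "strict-origin-when-cross-origin" always;
        }
    }

    # ─── LiberDiscovery Go API ──────────────────────────────────────────────
    location /api/ {
        limit_req zone=api burst=50 nodelay;

        proxy_pass http://liberdiscovery_api;
        # Both lines are required for the upstream's keepalive pool to be
        # used; without them every request opens a new backend connection.
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 300s;
        proxy_send_timeout 300s;
        proxy_connect_timeout 60s;

        # Security headers re-declared (add_header below would otherwise
        # drop the server-level set for API responses).
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;

        # CORS headers (also set in Go, but belt+suspenders)
        # With "*" any origin may read API responses. That is acceptable for
        # calls authenticated by a bearer token the caller already holds, but
        # would expose an API that relies on network position alone — narrow
        # to the SPA's origin once it is known.
        add_header Access-Control-Allow-Origin "*" always;
        add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
        add_header Access-Control-Allow-Headers "Origin, Content-Type, Accept, Authorization" always;

        # Answer preflight here; the add_header lines of this location are
        # inherited into the if block because it declares none of its own.
        if ($request_method = OPTIONS) {
            return 204;
        }
    }

    # ─── Discovery endpoint (stricter rate limit) ─────────────────────
    # Longest prefix wins, so this location — not /api/ — serves the scan
    # path. Only one location applies per request: the /api/ CORS headers
    # and OPTIONS short-circuit do NOT apply here, so preflight and CORS for
    # this path are handled by the Go service (per the comment above).
    location /api/v1/discovery/scan {
        limit_req zone=discovery burst=3 nodelay;

        proxy_pass http://liberdiscovery_api;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_connect_timeout 60s;
        # Scans are long-running; allow up to 10 minutes before giving up.
        proxy_read_timeout 600s;
    }

    # ─── WebSocket ────────────────────────────────────────────────────
    location /ws {
        # limit_req only counts the upgrade request, not the open connection,
        # so this bounds handshake floods without affecting live sessions.
        limit_req zone=api burst=50 nodelay;

        proxy_pass http://liberdiscovery_api;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Idle sockets are kept for 24h in either direction.
        proxy_read_timeout 86400s;
        proxy_send_timeout 86400s;
    }

    # ─── Zabbix Frontend ──────────────────────────────────────────────
    # The trailing slash on proxy_pass strips the /zabbix/ prefix before
    # forwarding. NOTE(review): this assumes the Zabbix frontend is either
    # configured for that prefix or emits relative URLs/redirects; if it
    # returns absolute "/..." locations, a proxy_redirect rule is needed —
    # confirm against the Zabbix setup.
    location /zabbix/ {
        proxy_pass http://zabbix_web/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # ─── Health check for load balancers ──────────────────────────────
    # Exact match: the prefix form would also map /health<anything> onto
    # /api/v1/health<anything> on the backend.
    location = /health {
        proxy_pass http://liberdiscovery_api/api/v1/health;
        access_log off;
    }

    # Block common attack paths: dotfiles/dot-directories (e.g. .git, .env)
    # and editor backup files ending in "~". Regex locations are checked
    # after the prefix match and win, so these apply under /api/ as well.
    # Note that /\. also covers /.well-known/; before enabling the HTTPS
    # server below, add a higher-priority
    #   location ^~ /.well-known/acme-challenge/ { ... }
    # if certificates are issued via HTTP-01.
    location ~ /\. { deny all; }
    location ~ ~$ { deny all; }
}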

# HTTPS server (uncomment when SSL certs are ready)
# server {
#     listen 443 ssl http2;
#     server_name liberdiscovery.example.com;
#     
#     ssl_certificate /etc/nginx/ssl/cert.pem;
#     ssl_certificate_key /etc/nginx/ssl/key.pem;
#     ssl_protocols TLSv1.2 TLSv1.3;
#     ssl_prefer_server_ciphers on;
#     ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
#     
#     # HSTS
#     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
#     
#     # ... same location blocks as above ...
# }
