# /etc/nginx/sites-available/cezen # Nexus One AI Portal — serves static portal, proxies API and console terminal # # Install: # sudo cp cezen.conf /etc/nginx/sites-available/cezen # sudo ln -sf /etc/nginx/sites-available/cezen /etc/nginx/sites-enabled/cezen # sudo rm -f /etc/nginx/sites-enabled/default # sudo nginx -t && sudo systemctl reload nginx # ─── Rate limiting zones (must be outside server block) ────────────────────── # Login: 5 requests/min per IP, burst of 3 queued, then 429 limit_req_zone $binary_remote_addr zone=cezen_login:10m rate=5r/m; # General API: 60 req/min per IP (generous for dashboard polling) limit_req_zone $binary_remote_addr zone=cezen_api:10m rate=60r/m; server { listen 80 default_server; listen [::]:80 default_server; server_name _; # Hide server version server_tokens off; # Logging access_log /var/log/nginx/cezen-access.log; error_log /var/log/nginx/cezen-error.log; # ─── Global security headers ────────────────────────────────────────────── add_header X-Content-Type-Options "nosniff" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-XSS-Protection "1; mode=block" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Permissions-Policy "geolocation=(), camera=(), microphone=()" always; add_header Content-Security-Policy "default-src 'self'; " "script-src 'self' 'unsafe-inline'; " "style-src 'self' 'unsafe-inline'; " "img-src 'self' data:; " "connect-src 'self'; " "frame-src 'self'; " "font-src 'self'; " "object-src 'none'; " "base-uri 'self';" always; # ─── robots.txt — block all indexing (air-gapped / private portal) ──────── location = /robots.txt { return 200 "User-agent: *\nDisallow: /\n"; add_header Content-Type text/plain; } # ─── Static Portal ─────────────────────────────────────────────────────── root /opt/cezen/portal; index index.html; location / { try_files $uri $uri/ /index.html; } # Cache static assets aggressively location ~* \.(css|js|png|jpg|jpeg|gif|ico|svg|woff2?)$ { expires 7d; add_header Cache-Control "public, immutable"; } # ─── Model upload (large files — no size limit, extended timeout) ──────── location = /api/models/upload { client_max_body_size 0; # unlimited — GGUF files can be 70 GB+ proxy_request_buffering off; # stream directly to backend, don't buffer in Nginx proxy_read_timeout 7200s; # 2 hours for slow transfers proxy_send_timeout 7200s; proxy_pass http://127.0.0.1:8080; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } # ─── Login rate limit (tight) ───────────────────────────────────────────── location = /api/auth/login { limit_req zone=cezen_login burst=3 nodelay; limit_req_status 429; proxy_pass http://127.0.0.1:8080; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_read_timeout 30s; } # ─── FastAPI Backend (/api/) ────────────────────────────────────────────── location /api/ { limit_req zone=cezen_api burst=20 nodelay; limit_req_status 429; proxy_pass http://127.0.0.1:8080; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_read_timeout 120s; } # ─── Web Console (ttyd) (/console/) ────────────────────────────────────── location /console/ { proxy_pass http://127.0.0.1:7681/; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_read_timeout 86400s; # Rewrite paths so ttyd JS/CSS assets load correctly proxy_redirect / /console/; sub_filter 'href="/' 'href="/console/'; sub_filter 'src="/' 'src="/console/'; sub_filter_once off; sub_filter_types text/html; } # ─── Block dotfiles and common attack paths ─────────────────────────────── location ~ /\. { deny all; } location ~* \.(env|git|sql|bak|sh|py)$ { deny all; } }