aipackage/ansible/roles/cezen-nginx/files/cezen.conf
2026-06-30 15:03:31 +05:30

126 lines
5.5 KiB
Plaintext

# /etc/nginx/sites-available/cezen
# Nexus One AI Portal — serves static portal, proxies API and console terminal
#
# Install:
# sudo cp cezen.conf /etc/nginx/sites-available/cezen
# sudo ln -sf /etc/nginx/sites-available/cezen /etc/nginx/sites-enabled/cezen
# sudo rm -f /etc/nginx/sites-enabled/default
# sudo nginx -t && sudo systemctl reload nginx
# ─── Rate limiting zones (must be outside server block) ──────────────────────
# Login: 5 requests/min per IP, burst of 3 queued, then 429
limit_req_zone $binary_remote_addr zone=cezen_login:10m rate=5r/m;
# General API: 60 req/min per IP (generous for dashboard polling)
limit_req_zone $binary_remote_addr zone=cezen_api:10m rate=60r/m;
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
# Hide server version
server_tokens off;
# Logging
access_log /var/log/nginx/cezen-access.log;
error_log /var/log/nginx/cezen-error.log;
# ─── Global security headers ──────────────────────────────────────────────
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), camera=(), microphone=()" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'; frame-src 'self'; font-src 'self'; object-src 'none'; base-uri 'self';" always;
# ─── robots.txt — block all indexing (air-gapped / private portal) ────────
location = /robots.txt {
return 200 "User-agent: *\nDisallow: /\n";
add_header Content-Type text/plain;
}
# ─── Static Portal ───────────────────────────────────────────────────────
root /opt/cezen/portal;
index index.html;
location / {
try_files $uri $uri/ /index.html;
}
# Cache static assets aggressively
location ~* \.(css|js|png|jpg|jpeg|gif|ico|svg|woff2?)$ {
expires 7d;
add_header Cache-Control "public, immutable";
}
# ─── Model upload (large files — no size limit, extended timeout) ────────
location = /api/models/upload {
client_max_body_size 0; # unlimited — GGUF files can be 70 GB+
proxy_request_buffering off; # stream directly to backend, don't buffer in Nginx
proxy_read_timeout 7200s; # 2 hours for slow transfers
proxy_send_timeout 7200s;
proxy_pass http://127.0.0.1:8080;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# ─── Login rate limit (tight) ─────────────────────────────────────────────
location = /api/auth/login {
limit_req zone=cezen_login burst=3 nodelay;
limit_req_status 429;
proxy_pass http://127.0.0.1:8080;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 30s;
}
# ─── FastAPI Backend (/api/) ──────────────────────────────────────────────
location /api/ {
limit_req zone=cezen_api burst=20 nodelay;
limit_req_status 429;
proxy_pass http://127.0.0.1:8080;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 120s;
}
# ─── Web Console (ttyd) (/console/) ──────────────────────────────────────
location /console/ {
proxy_pass http://127.0.0.1:7681/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_read_timeout 86400s;
# Rewrite paths so ttyd JS/CSS assets load correctly
proxy_redirect / /console/;
sub_filter 'href="/' 'href="/console/';
sub_filter 'src="/' 'src="/console/';
sub_filter_once off;
sub_filter_types text/html;
}
# ─── Block dotfiles and common attack paths ───────────────────────────────
location ~ /\. {
deny all;
}
location ~* \.(env|git|sql|bak|sh|py)$ {
deny all;
}
}