136 lines
5.6 KiB
Plaintext
136 lines
5.6 KiB
Plaintext
# /etc/nginx/sites-available/cezen
|
|
# Nexus One AI Portal — serves static portal, proxies API and console terminal
|
|
#
|
|
# Install:
|
|
# sudo cp cezen.conf /etc/nginx/sites-available/cezen
|
|
# sudo ln -sf /etc/nginx/sites-available/cezen /etc/nginx/sites-enabled/cezen
|
|
# sudo rm -f /etc/nginx/sites-enabled/default
|
|
# sudo nginx -t && sudo systemctl reload nginx
|
|
|
|
# ─── Rate limiting zones (must be outside server block) ──────────────────────
|
|
# Login: 5 requests/min per IP, burst of 3 queued, then 429
|
|
limit_req_zone $binary_remote_addr zone=cezen_login:10m rate=5r/m;
|
|
# General API: 60 req/min per IP (generous for dashboard polling)
|
|
limit_req_zone $binary_remote_addr zone=cezen_api:10m rate=60r/m;
|
|
|
|
server {
|
|
listen 80 default_server;
|
|
listen [::]:80 default_server;
|
|
|
|
server_name _;
|
|
|
|
# Hide server version
|
|
server_tokens off;
|
|
|
|
# Logging
|
|
access_log /var/log/nginx/cezen-access.log;
|
|
error_log /var/log/nginx/cezen-error.log;
|
|
|
|
# ─── Global security headers ──────────────────────────────────────────────
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
add_header X-Frame-Options "SAMEORIGIN" always;
|
|
add_header X-XSS-Protection "1; mode=block" always;
|
|
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
|
add_header Permissions-Policy "geolocation=(), camera=(), microphone=()" always;
|
|
add_header Content-Security-Policy
|
|
"default-src 'self'; "
|
|
"script-src 'self' 'unsafe-inline'; "
|
|
"style-src 'self' 'unsafe-inline'; "
|
|
"img-src 'self' data:; "
|
|
"connect-src 'self'; "
|
|
"frame-src 'self'; "
|
|
"font-src 'self'; "
|
|
"object-src 'none'; "
|
|
"base-uri 'self';"
|
|
always;
|
|
|
|
# ─── robots.txt — block all indexing (air-gapped / private portal) ────────
|
|
location = /robots.txt {
|
|
return 200 "User-agent: *\nDisallow: /\n";
|
|
add_header Content-Type text/plain;
|
|
}
|
|
|
|
# ─── Static Portal ───────────────────────────────────────────────────────
|
|
root /opt/cezen/portal;
|
|
index index.html;
|
|
|
|
location / {
|
|
try_files $uri $uri/ /index.html;
|
|
}
|
|
|
|
# Cache static assets aggressively
|
|
location ~* \.(css|js|png|jpg|jpeg|gif|ico|svg|woff2?)$ {
|
|
expires 7d;
|
|
add_header Cache-Control "public, immutable";
|
|
}
|
|
|
|
# ─── Model upload (large files — no size limit, extended timeout) ────────
|
|
location = /api/models/upload {
|
|
client_max_body_size 0; # unlimited — GGUF files can be 70 GB+
|
|
proxy_request_buffering off; # stream directly to backend, don't buffer in Nginx
|
|
proxy_read_timeout 7200s; # 2 hours for slow transfers
|
|
proxy_send_timeout 7200s;
|
|
|
|
proxy_pass http://127.0.0.1:8080;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
}
|
|
|
|
# ─── Login rate limit (tight) ─────────────────────────────────────────────
|
|
location = /api/auth/login {
|
|
limit_req zone=cezen_login burst=3 nodelay;
|
|
limit_req_status 429;
|
|
|
|
proxy_pass http://127.0.0.1:8080;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_read_timeout 30s;
|
|
}
|
|
|
|
# ─── FastAPI Backend (/api/) ──────────────────────────────────────────────
|
|
location /api/ {
|
|
limit_req zone=cezen_api burst=20 nodelay;
|
|
limit_req_status 429;
|
|
|
|
proxy_pass http://127.0.0.1:8080;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_read_timeout 120s;
|
|
}
|
|
|
|
# ─── Web Console (ttyd) (/console/) ──────────────────────────────────────
|
|
location /console/ {
|
|
proxy_pass http://127.0.0.1:7681/;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_read_timeout 86400s;
|
|
|
|
# Rewrite paths so ttyd JS/CSS assets load correctly
|
|
proxy_redirect / /console/;
|
|
sub_filter 'href="/' 'href="/console/';
|
|
sub_filter 'src="/' 'src="/console/';
|
|
sub_filter_once off;
|
|
sub_filter_types text/html;
|
|
}
|
|
|
|
# ─── Block dotfiles and common attack paths ───────────────────────────────
|
|
location ~ /\. {
|
|
deny all;
|
|
}
|
|
|
|
location ~* \.(env|git|sql|bak|sh|py)$ {
|
|
deny all;
|
|
}
|
|
}
|