vSphere-Backup-Manager/nginx.conf


# ─── vSphere Backup Manager — Nginx reverse proxy ────────────────────────────
#
# Place this file at: /etc/nginx/sites-available/vsphere-backup-manager
# Then enable it with: sudo ln -s /etc/nginx/sites-available/vsphere-backup-manager \
# /etc/nginx/sites-enabled/
#
# Assumes:
# - SSL cert + key are at /etc/ssl/vsphere-backup/
# - Gunicorn is running on 127.0.0.1:5000 (via PM2)
# ─────────────────────────────────────────────────────────────────────────────
# Redirect plain HTTP → HTTPS
server {
    # "_" is just a name that never matches a real hostname; it is not a
    # wildcard. This block answers every hostname / IP only while it is the
    # default server for port 80 (the first one loaded, or the one marked
    # default_server) — check for other enabled sites listening on port 80.
    server_name _;
    listen 80;

    # Permanent redirect to the same host and URI over HTTPS.
    # $host comes from the client's request (request line or Host header),
    # so the Location header echoes whatever name the client sent. If the
    # service has one fixed hostname, redirecting to that literal name
    # avoids reflecting client-controlled input.
    return 301 https://$host$request_uri;
}
# Main HTTPS block
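server {
    listen 443 ssl;
    # "_" never matches a real hostname; this block serves every name only
    # while it is the default server for port 443.
    server_name _;

    # ── SSL certificate (self-signed, generated by setup.sh) ──────────────────
    # A self-signed certificate gives encryption but no server authentication
    # unless clients have been given the certificate (or its fingerprint)
    # out of band and trust it explicitly.
    ssl_certificate /etc/ssl/vsphere-backup/cert.pem;
    # Keep key.pem owned by root and unreadable by other users (e.g. mode 0600).
    ssl_certificate_key /etc/ssl/vsphere-backup/key.pem;

    # ── TLS hardening ─────────────────────────────────────────────────────────
    ssl_protocols TLSv1.2 TLSv1.3;
    # This is nginx's built-in default cipher string and only governs TLS 1.2;
    # TLS 1.3 suites are chosen by OpenSSL. HIGH still admits non-AEAD (CBC)
    # suites — tighten to an ECDHE + AEAD list if all clients support it.
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # ── Security headers ──────────────────────────────────────────────────────
    # "always" makes nginx attach the header to error responses (4xx/5xx) too;
    # without it add_header only applies to a fixed set of 2xx/3xx codes.
    # These server-level headers are inherited by a location ONLY if that
    # location declares no add_header of its own (see /static/ below).
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-Content-Type-Options nosniff always;
    # Legacy header: current browsers ignore it. A Content-Security-Policy is
    # the effective control here, but it has to be written against the
    # application's actual script/style sources, so none is set in this file.
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy strict-origin-when-cross-origin always;
    # Force HTTPS for 1 year. Browsers cache this policy: deleting the line does
    # not release clients that have already seen it. To go back to HTTP, first
    # serve max-age=0 over HTTPS until clients have picked it up.
    # Browsers only store HSTS when the certificate validates; once stored,
    # certificate warnings for this host can no longer be clicked through,
    # which matters with the self-signed certificate above.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # ── Proxy to Gunicorn ─────────────────────────────────────────────────────
    location / {
        proxy_pass http://127.0.0.1:5000;
        proxy_http_version 1.1;
        # $host is client-supplied; the application should not build absolute
        # links or redirects from it without checking it against known names.
        proxy_set_header Host $host;
        # X-Real-IP is set by nginx from the TCP peer address.
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for APPENDS to whatever X-Forwarded-For the
        # client sent. Only the last entry is written by this proxy; the
        # application must not use earlier entries for access control or
        # audit logging.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Long timeouts — backup jobs can run for hours.
        # Each idle request may hold a connection (and a Gunicorn worker,
        # depending on worker type) for up to an hour.
        proxy_read_timeout 3600;
        proxy_connect_timeout 60;
        proxy_send_timeout 3600;
        # Caps the size of a client REQUEST body (uploads) at 64M.
        # It has no effect on response size, so log downloads are not limited
        # or enabled by this directive.
        client_max_body_size 64M;
    }

    # ── Static files served directly by Nginx (faster than Python) ───────────
    location /static/ {
        # Both the location prefix and the alias end in "/", which keeps
        # requests from resolving outside the static directory.
        # The nginx worker user needs traverse (x) permission on every parent
        # directory, including the home directory; grant only that, or move
        # the static files to a directory outside /home.
        alias /home/rizqiv2/vSphere-Backup-Manager/static/;
        expires 7d;
        add_header Cache-Control "public";
        # Declaring add_header in this location discards every add_header
        # inherited from the server block, so the security headers are
        # repeated here to keep them on static responses.
        add_header X-Frame-Options SAMEORIGIN always;
        add_header X-Content-Type-Options nosniff always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Referrer-Policy strict-origin-when-cross-origin always;
        add_header Strict-Transport-Security "max-age=31536000" always;
    }

    # ── Logging ───────────────────────────────────────────────────────────────
    access_log /var/log/nginx/vsphere-backup-access.log;
    error_log /var/log/nginx/vsphere-backup-error.log;
}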