# ─── vSphere Backup Manager — Nginx reverse proxy ────────────────────────────
#
# Place this file at:   /etc/nginx/sites-available/vsphere-backup-manager
# Then enable it with:  sudo ln -s /etc/nginx/sites-available/vsphere-backup-manager \
#                                   /etc/nginx/sites-enabled/
#
# Assumes:
#   - SSL cert + key are at /etc/ssl/vsphere-backup/
#   - Gunicorn is running on 127.0.0.1:5000 (via PM2)
# ─────────────────────────────────────────────────────────────────────────────

# Plain-HTTP listener: serves no content, only bounces clients to HTTPS.
server {
    # "_" is not a wildcard; it is simply a name no request will match.
    # This block answers arbitrary hostnames / IPs only while it is the
    # default server for port 80 (no other enabled site claims that role).
    server_name _;
    listen 80;

    # $host comes from the client's request (Host header), so the redirect
    # target mirrors whatever name the client sent. Pin a fixed hostname
    # here if the deployment has one.
    return 301 https://$host$request_uri;
}
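# Main HTTPS block
#
# Terminates TLS, serves /static/ straight from disk and forwards every other
# request to Gunicorn on 127.0.0.1:5000.
server {
    listen 443 ssl;
    # "_" is not a wildcard; this block receives arbitrary hostnames only
    # while it is the default server for port 443.
    server_name _;

    # Keep the nginx version out of the Server header and error pages.
    server_tokens off;

    # ── SSL certificate (self-signed, generated by setup.sh) ──────────────────
    # NOTE(review): key.pem should be readable by root only; confirm the
    # mode that setup.sh leaves on it.
    ssl_certificate     /etc/ssl/vsphere-backup/cert.pem;
    ssl_certificate_key /etc/ssl/vsphere-backup/key.pem;

    # ── TLS hardening ─────────────────────────────────────────────────────────
    ssl_protocols TLSv1.2 TLSv1.3;
    # "HIGH" still admits CBC suites and static-RSA key exchange (no forward
    # secrecy). Restrict TLS 1.2 to ECDHE + AEAD suites; TLS 1.3 suites are
    # negotiated separately by OpenSSL and are not affected by this list.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # ── Security headers ──────────────────────────────────────────────────────
    # "always" makes nginx attach the header to error responses (4xx/5xx) too;
    # without it only 2xx/3xx responses carry the header.
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-Content-Type-Options nosniff always;
    # Legacy header: current browsers ignore it. It is not a substitute for a
    # Content-Security-Policy on the application's pages.
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy strict-origin-when-cross-origin always;
    # Force HTTPS for 1 year. Browsers cache this policy, so deleting the line
    # does not undo it: serve max-age=0 first if you ever need to switch back
    # to HTTP. Browsers also ignore HSTS on connections with certificate
    # errors, so with the self-signed cert it only takes effect on clients
    # that trust that certificate.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # ── Proxy to Gunicorn ─────────────────────────────────────────────────────
    location / {
        proxy_pass http://127.0.0.1:5000;
        proxy_http_version 1.1;

        # $host is client-supplied (server_name is a catch-all), so the
        # backend must not build absolute links or make trust decisions
        # from the Host header without validating it.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For the
        # client sent; only the last entry (or X-Real-IP) is set by nginx.
        # Use that one for audit logging, not the first entry.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Long timeouts — backup jobs can run for hours
        proxy_read_timeout 3600;
        proxy_connect_timeout 60;
        proxy_send_timeout 3600;

        # Caps the size of a client *request* body (uploads) at 64M. It does
        # not limit response size, so it has no effect on log downloads.
        client_max_body_size 64M;
    }

    # ── Static files served directly by Nginx (faster than Python) ───────────
    # NOTE(review): the nginx worker user needs traverse (execute) permission
    # on every directory in this path, including the home directory. Grant
    # execute only, not read, or move the assets outside /home.
    location /static/ {
        alias /home/rizqiv2/vSphere-Backup-Manager/static/;
        expires 7d;
        add_header Cache-Control "public";

        # An add_header at this level stops nginx from inheriting any
        # add_header from the server block, so the security headers have to
        # be repeated here or static responses are served without them.
        add_header X-Frame-Options SAMEORIGIN always;
        add_header X-Content-Type-Options nosniff always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Referrer-Policy strict-origin-when-cross-origin always;
        add_header Strict-Transport-Security "max-age=31536000" always;
    }

    # ── Logging ───────────────────────────────────────────────────────────────
    access_log /var/log/nginx/vsphere-backup-access.log;
    error_log  /var/log/nginx/vsphere-backup-error.log;
}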