Workflow-API/nginx.conf at main · 00Harshh/Workflow-API · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
# ──────────────────────────────────────────────────────────────────────────────
# nginx.conf  —  Workflow API reverse proxy configuration
#
# Usage:
#   1. Copy to /etc/nginx/sites-available/workflow-api
#   2. sudo ln -s /etc/nginx/sites-available/workflow-api /etc/nginx/sites-enabled/
#   3. Replace 'your-domain.com' with your actual domain
#   4. Run: sudo nginx -t && sudo systemctl reload nginx
#
# For TLS (recommended in production):
#   sudo certbot --nginx -d your-domain.com
# ──────────────────────────────────────────────────────────────────────────────

upstream workflow-api {
    server 127.0.0.1:8000;
    keepalive 64;
}

# Fix #13: Redirect ALL HTTP traffic to HTTPS — no exceptions.
# Stripe supports HTTPS webhook delivery; no reason to allow plain HTTP.
server {
    listen 80;
    server_name your-domain.com;
    return 301 https://$host$request_uri;
}

# ── HTTPS (production) ────────────────────────────────────────────────────────
server {
    listen 443 ssl http2;
    server_name your-domain.com;

    # Managed by Certbot — nginx will add these after: sudo certbot --nginx
    # ssl_certificate     /etc/letsencrypt/live/your-domain.com/fullchain.pem;
    # ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5;

    # ── Per-IP connection rate limit (Fix #14 defense-in-depth) ──────────────
    limit_req_zone $binary_remote_addr zone=workflow-api_api:10m rate=30r/s;

    # ── Compression ───────────────────────────────────────────────────────────
    gzip on;
    gzip_types application/json text/plain;
    gzip_min_length 256;

    # ── Security headers ──────────────────────────────────────────────────────
    add_header X-Content-Type-Options  nosniff always;
    add_header X-Frame-Options         DENY    always;
    add_header Referrer-Policy         "no-referrer" always;

    # ── Proxy ─────────────────────────────────────────────────────────────────
    location / {
        limit_req zone=workflow-api_api burst=60 nodelay;

        proxy_pass         http://workflow-api;
        proxy_http_version 1.1;
        proxy_set_header   Connection       "";   # enable keepalive to upstream
        proxy_set_header   Host             $host;
        proxy_set_header   X-Real-IP        $remote_addr;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;

        # Timeouts — workflow calls can take a while
        proxy_connect_timeout  5s;
        proxy_read_timeout     60s;
        proxy_send_timeout     60s;

        # Fix #14: 1MB body limit is generous for JSON payloads.
        # 10MB was an amplification risk (100 concurrent × 10MB = 1GB in-flight).
        client_max_body_size   1m;
    }

    # ── Admin dashboard (locked to your IP in production) ────────────────────
    location /__workflow-api/ {
        # Security: Uncomment and set your static IP to add network-layer protection
        # in addition to the X-Admin-Key header auth in the application layer.
        # allow 1.2.3.4;
        # deny  all;

        proxy_pass         http://workflow-api;
        proxy_http_version 1.1;
        proxy_set_header   Connection       "";
        proxy_set_header   Host             $host;
        proxy_set_header   X-Real-IP        $remote_addr;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }
}