NetAlertX/install/production-filesystem/services/config/nginx/netalertx.conf.template

# Set user if running as root (substituted by start-nginx.sh)
${NGINX_USER_DIRECTIVE}

# Set number of worker processes automatically based on number of CPU cores.
worker_processes auto;

# Enables the use of JIT for regular expressions to speed-up their processing.
pcre_jit on;

# Configures default error logger.
error_log /tmp/log/nginx-error.log warn;

pid /tmp/run/nginx.pid;

events {
	# The maximum number of simultaneous connections that can be opened by
	# a worker process.
	worker_connections 1024;
}

http {

	# Mapping of temp paths for various nginx modules.
    client_body_temp_path /tmp/nginx/client_body;
    proxy_temp_path /tmp/nginx/proxy;
	fastcgi_temp_path /tmp/nginx/fastcgi;
	uwsgi_temp_path /tmp/nginx/uwsgi;
	scgi_temp_path /tmp/nginx/scgi;
	
	# Includes mapping of file name extensions to MIME types of responses
	# and defines the default type.
	include /services/config/nginx/mime.types;
	default_type application/octet-stream;

	# Name servers used to resolve names of upstream servers into addresses.
	# It's also needed when using tcpsocket and udpsocket in Lua modules.
	#resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001];

	# Don't tell nginx version to the clients. Default is 'on'.
	server_tokens off;

	# Specifies the maximum accepted body size of a client request, as
	# indicated by the request header Content-Length. If the stated content
	# length is greater than this size, then the client receives the HTTP
	# error code 413. Set to 0 to disable. Default is '1m'.
	client_max_body_size 1m;

	# Sendfile copies data between one FD and other from within the kernel,
	# which is more efficient than read() + write(). Default is off.
	sendfile on;

	# Causes nginx to attempt to send its HTTP response head in one packet,
	# instead of using partial frames. Default is 'off'.
	tcp_nopush on;


	# Enables the specified protocols. Default is TLSv1 TLSv1.1 TLSv1.2.
	# TIP: If you're not obligated to support ancient clients, remove TLSv1.1.
	ssl_protocols TLSv1.2 TLSv1.3;

	# Path of the file with Diffie-Hellman parameters for EDH ciphers.
	# TIP: Generate with: `openssl dhparam -out /etc/ssl/nginx/dh2048.pem 2048`
	#ssl_dhparam /etc/ssl/nginx/dh2048.pem;

	# Specifies that our cipher suits should be preferred over client ciphers.
	# Default is 'off'.
	ssl_prefer_server_ciphers on;

	# Enables a shared SSL cache with size that can hold around 8000 sessions.
	# Default is 'none'.
	ssl_session_cache shared:SSL:2m;

	# Specifies a time during which a client may reuse the session parameters.
	# Default is '5m'.
	ssl_session_timeout 1h;

	# Disable TLS session tickets (they are insecure). Default is 'on'.
	ssl_session_tickets off;


	# Enable gzipping of responses.
	gzip on;

	# Set the Vary HTTP header as defined in the RFC 2616. Default is 'off'.
	gzip_vary on;


    # Specifies the main log format.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
	    '$status $body_bytes_sent "$http_referer" '
	    '"$http_user_agent" "$http_x_forwarded_for"';

	# Sets the path, format, and configuration for a buffered log write.
	access_log /tmp/log/nginx-access.log main;


    # Map 1: The Legacy Logic (Referer Match)
    map "$http_referer|$http_host" $sec_legacy {
        "~^https?://(?<ref_host>[^/:]+)(?::\d+)?/.*\|\k<ref_host>(?::\d+)?$" "TRUSTED";
        default "UNTRUSTED";
    }

    # Map 2: Strict Same-Origin Enforcement
    map $http_sec_fetch_site $is_trusted {
        "same-origin" "TRUSTED";
        ""            $sec_legacy; # Fallback only if header is missing
        default       "UNTRUSTED"; # Blocks 'same-site' and 'cross-site'
    }

	# Virtual host config
    server {
        listen ${LISTEN_ADDR}:${PORT} default_server;
		large_client_header_buffers 4 16k;
        root /app/front;
        index index.php;
        add_header X-Forwarded-Prefix "/app" always;

        location /server/ {
            # 1. Enforcement
            error_page 403 /403_internal.html;
            if ($is_trusted != "TRUSTED") {
                return 403;
            }

            # 2. Path Rewriting & Proxy
            rewrite ^/server/(.*)$ /$1 break;
            proxy_pass http://127.0.0.1:${BACKEND_PORT};

            # 3. Performance & SSE (Per #1440)
            proxy_buffering off;
            proxy_cache off;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            client_max_body_size 50m;
			proxy_read_timeout 3600s;

            # 4. Standard Proxy Headers
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        location ~* \.php$ {
            # Set Cache-Control header to prevent caching on the first load
            add_header Cache-Control "no-store";
			fastcgi_pass unix:/tmp/run/php.sock;
            include /services/config/nginx/fastcgi_params;
			fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
			fastcgi_param SCRIPT_NAME $fastcgi_script_name;
            fastcgi_connect_timeout 75;
            fastcgi_send_timeout 600;
            fastcgi_read_timeout 600;
        }
    }
}