docs: add nginx reverse proxy documentation

2019-03-07 16:13:04 -08:00 · 2019-03-07 16:13:04 -08:00 · 2ec6b978ac
commit 2ec6b978ac
parent a4215e35dc
4 changed files with 62 additions and 1 deletions
--- a/INSTALL.md
+++ b/INSTALL.md
@ -102,3 +102,13 @@ and Docker Compose (version 1.6.0 or greater) already installed.
        proxy_set_header X-Script-Name     /szuru;
    }
    ```
+
+3. **Preparing for production**
+
+    If you plan on using szurubooru in a production setting, you may opt to
+    use a reverse proxy for added security and caching capabilities. Start
+    by having the client docker listen only on localhost by changing `PORT`
+    in your `.env` file to `127.0.0.1:8080` instead of simply `:8080`. Then
+    configure NGINX (or your caching/reverse proxy server of your choice)
+    to proxy_pass `http://127.0.0.1:8080`. We've included an example config
+    located in the `nginx-vhost.production` file.
--- a/client/nginx.conf.docker
+++ b/client/nginx.conf.docker
@ -15,7 +15,7 @@ http {
    log_format main '$remote_addr -> $request [$status] - '
                    'referer: $http_referer $http_x_forwarded_for';
    access_log /dev/stdout main;
-
+    server_tokens off;
    sendfile on;
    keepalive_timeout 65;
    client_max_body_size 100M;
--- a/example.env
+++ b/example.env
@ -6,6 +6,8 @@ POSTGRES_PASSWORD=changeme
 BUILD_INFO=latest

 # Port to expose HTTP service
+# Set to 127.0.0.1:8080 if you wish to reverse-proxy the docker's port,
+# otherwise the port specified here will be publicly accessible
 PORT=8080

 # Directory to store image data
--- a/nginx.vhost.production
+++ b/nginx.vhost.production
@ -0,0 +1,49 @@
+# example for a production vhost for szurubooru.
+# ideally, use ssl termination + cdn with a provider such as cloudflare.
+# modify as needed!
+
+# rate limiting zone
+# poor man's ddos protection, essentially
+limit_req_zone $binary_remote_addr zone=throttle:10m rate=25r/s;
+
+# www -> non-www
+server {
+  listen 80;
+  listen [::]:80;
+  server_tokens off;
+  server_name www.example.com
+  return 301 http://example.com$request_uri;
+}
+
+server {
+  server_name example.com;
+  client_max_body_size 100M;
+  client_body_timeout 30s;
+  server_tokens off;
+  location / {
+    limit_req zone=throttle burst=5 delay=3;
+    proxy_http_version 1.1;
+    proxy_pass http://127.0.0.1:8080;
+    proxy_set_header Host $http_host;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Scheme $scheme;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Script-Name /szuru;
+    error_page 500 501 502 504 505 506 507 508 509 510 511 @err;
+    error_page 503 @throttle;
+  }
+
+  location @err {
+    return 500 "server error. please try again later.";
+    default_type text/plain;
+  }
+  location @throttle {
+    return 503 "we've detected abuse on your ip. please wait and try again later.";
+    default_type text/plain;
+  }
+  listen 80;
+  listen [::]:80;
+}