docs: add nginx reverse proxy documentation

INSTALL.md

@@ -102,3 +102,13 @@ and Docker Compose (version 1.6.0 or greater) already installed.
         proxy_set_header X-Script-Name     /szuru;
     }
     ```
+
+3. **Preparing for production**
+
+    If you plan on using szurubooru in a production setting, you may opt to
+    use a reverse proxy for added security and caching capabilities. Start
+    by having the client docker listen only on localhost by changing `PORT`
+    in your `.env` file to `127.0.0.1:8080` instead of simply `:8080`. Then
+    configure NGINX (or your caching/reverse proxy server of your choice)
+    to proxy_pass `http://127.0.0.1:8080`. We've included an example config
+    located in the `nginx-vhost.production` file.

client/nginx.conf.docker

@@ -15,7 +15,7 @@ http {
     log_format main '$remote_addr -> $request [$status] - '
                     'referer: $http_referer $http_x_forwarded_for';
     access_log /dev/stdout main;
-
+    server_tokens off;
     sendfile on;
     keepalive_timeout 65;
     client_max_body_size 100M;

example.env

@@ -6,6 +6,8 @@ POSTGRES_PASSWORD=changeme
 BUILD_INFO=latest
 
 # Port to expose HTTP service
+# Set to 127.0.0.1:8080 if you wish to reverse-proxy the docker's port,
+# otherwise the port specified here will be publicly accessible
 PORT=8080
 
 # Directory to store image data

nginx.vhost.production

@@ -0,0 +1,49 @@
+# example for a production vhost for szurubooru.
+# ideally, use ssl termination + cdn with a provider such as cloudflare.
+# modify as needed!
+
+# rate limiting zone
+# poor man's ddos protection, essentially
+limit_req_zone $binary_remote_addr zone=throttle:10m rate=25r/s;
+
+# www -> non-www
+server {
+  listen 80;
+  listen [::]:80;
+  server_tokens off;
+  server_name www.example.com
+  return 301 http://example.com$request_uri;
+}
+
+server {
+  server_name example.com;
+  client_max_body_size 100M;
+  client_body_timeout 30s;
+  server_tokens off;
+  location / {
+    limit_req zone=throttle burst=5 delay=3;
+    proxy_http_version 1.1;
+    proxy_pass http://127.0.0.1:8080;
+    proxy_set_header Host $http_host;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Scheme $scheme;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Script-Name /szuru;
+    error_page 500 501 502 504 505 506 507 508 509 510 511 @err;
+    error_page 503 @throttle;
+  }
+
+  location @err {
+    return 500 "server error. please try again later.";
+    default_type text/plain;
+  }
+  location @throttle {
+    return 503 "we've detected abuse on your ip. please wait and try again later.";
+    default_type text/plain;
+  }
+  listen 80;
+  listen [::]:80;
+}