# GNSS Guard Server - Nginx Configuration with SSL # # After obtaining SSL certificate, copy this file: # cp gnss-guard-ssl.conf.template gnss-guard-ssl.conf # Then edit and set your domain, and restart nginx upstream gnss_server { server gnss-server:8000; } # ============================================================================= # IP WHITELIST FOR DASHBOARD ACCESS # ============================================================================= # These IPs can access the web dashboard and admin endpoints. # The validation API endpoints (/api/v1/validation*) are open to all. # # To update: edit this file and run ./deploy_server.sh --restart # ============================================================================= geo $ip_whitelist { default 0; # Office IPs - Whitelisted for dashboard access 213.149.164.73 1; # Socrates Office 5G 87.228.228.45 1; # Thaleias Office 93.109.218.195 1; # HQ Cyta 65.18.217.50 1; # HQ Cablenet 93.109.218.196 1; # HQ Cyta 2 62.228.7.94 1; # Socrates Home 3 195.97.70.162 1; # Piraeus Office # Localhost only (for internal health checks) 127.0.0.1 1; # NOTE: Docker internal networks (10.0.0.0/8, 172.16.0.0/12) are NOT whitelisted # to prevent privilege escalation if an attacker gains container access } # HTTP -> HTTPS redirect server { listen 80; server_name YOUR_DOMAIN_HERE; location /.well-known/acme-challenge/ { root /var/www/certbot; } location / { return 301 https://$host$request_uri; } } # HTTPS server server { listen 443 ssl; http2 on; server_name YOUR_DOMAIN_HERE; # SSL certificates (Let's Encrypt) ssl_certificate /etc/letsencrypt/live/YOUR_DOMAIN_HERE/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/YOUR_DOMAIN_HERE/privkey.pem; # SSL configuration ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; # Modern TLS configuration ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers off; # HSTS - Force HTTPS for 2 years, include subdomains add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always; # Content Security Policy - restrict resource loading # Allows: self, Leaflet from unpkg, map tiles, marker icons add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://unpkg.com 'unsafe-inline'; style-src 'self' https://unpkg.com 'unsafe-inline'; img-src 'self' data: https://*.basemaps.cartocdn.com https://raw.githubusercontent.com https://cdnjs.cloudflare.com https://*.openstreetmap.org; font-src 'self'; connect-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'" always; # ========================================================================= # PUBLIC ENDPOINTS - Open to all (asset token authentication) # ========================================================================= # Validation API - accessible from anywhere (clients authenticate with tokens) location /api/v1/validation { proxy_pass http://gnss_server; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_read_timeout 300; proxy_connect_timeout 300; } # Health check endpoint - open location /health { proxy_pass http://gnss_server; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; } # ========================================================================= # RESTRICTED ENDPOINTS - Office IPs only (session authentication) # ========================================================================= # All other endpoints require IP whitelist location / { # Check IP whitelist # TEMPORARILY DISABLED - uncomment to re-enable IP whitelisting # if ($ip_whitelist = 0) { # return 403; # } proxy_pass http://gnss_server; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_cache_bypass $http_upgrade; proxy_read_timeout 300; proxy_connect_timeout 300; proxy_buffering off; } # Static files - also restricted location /static/ { # TEMPORARILY DISABLED - uncomment to re-enable IP whitelisting # if ($ip_whitelist = 0) { # return 403; # } proxy_pass http://gnss_server/static/; proxy_cache_valid 200 1d; expires 1d; add_header Cache-Control "public, immutable"; } # Custom error page for 403 error_page 403 /403.html; location = /403.html { internal; default_type text/html; return 403 'Access Denied
403
Access Denied
Your IP is not authorized to access this resource.
'; } }