nearxos/reterminal-dm4
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
Cleanup
reterminal-dm4/backup-from-device/gnss-guard/tm-gnss-guard/server/nginx/conf.d/default.conf
nearxos 808fbf5c7c Refactor golden image handling in backup upload process</message> 
<message>Update the _set_golden_from_path function to improve the handling of existing golden image files. Replace the existing unlink logic with a more robust method that safely removes files or broken symlinks using the missing_ok parameter. This change enhances the reliability of the backup upload process by ensuring that stale references are properly cleared before setting a new golden image path.
2026-02-24 00:19:40 +02:00

102 lines
3.9 KiB
Plaintext
Raw Permalink Blame History

# GNSS Guard Server - Nginx Configuration
# This file is used for initial setup (HTTP only)
# After SSL setup, this file is replaced with the SSL configuration
upstream gnss_server {
server gnss-server:8000;
}
# =============================================================================
# IP WHITELIST FOR DASHBOARD ACCESS
# =============================================================================
# These IPs can access the web dashboard and admin endpoints.
# The validation API endpoints (/api/v1/validation*) are open to all.
#
# To update: edit this file and run ./deploy_server.sh --restart
# =============================================================================
geo $ip_whitelist {
default 0;
# Office IPs - Whitelisted for dashboard access
213.149.164.73 1; # Socrates Office 5G
87.228.228.45 1; # Thaleias Office
93.109.218.195 1; # HQ Cyta
65.18.217.50 1; # HQ Cablenet
93.109.218.196 1; # HQ Cyta 2
62.228.7.94 1; # Socrates Home 3
195.97.70.162 1; # Piraeus Office
# Localhost only (for internal health checks)
127.0.0.1 1;
# NOTE: Docker internal networks (10.0.0.0/8, 172.16.0.0/12) are NOT whitelisted
# to prevent privilege escalation if an attacker gains container access
}
# HTTP server
server {
listen 80;
server_name _;
# Let's Encrypt challenge location - always open
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
# =========================================================================
# PUBLIC ENDPOINTS - Open to all (asset token authentication)
# =========================================================================
# Validation API - accessible from anywhere (clients authenticate with tokens)
location /api/v1/validation {
proxy_pass http://gnss_server;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 300;
proxy_connect_timeout 300;
}
# Health check endpoint - open
location /health {
proxy_pass http://gnss_server;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
# =========================================================================
# RESTRICTED ENDPOINTS - Office IPs only (session authentication)
# =========================================================================
# All other endpoints require IP whitelist
location / {
# Check IP whitelist
# TEMPORARILY DISABLED - uncomment to re-enable IP whitelisting
# if ($ip_whitelist = 0) {
# return 403;
# }
proxy_pass http://gnss_server;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_cache_bypass $http_upgrade;
proxy_read_timeout 300;
proxy_connect_timeout 300;
}
# Custom error page for 403
error_page 403 /403.html;
location = /403.html {
internal;
default_type text/html;
return 403 '<!DOCTYPE html><html><head><title>Access Denied</title><style>body{font-family:sans-serif;display:flex;justify-content:center;align-items:center;height:100vh;margin:0;background:#060b10;color:#e5e9f5;}.container{text-align:center;}.title{font-size:48px;margin-bottom:20px;color:#c62828;}.msg{font-size:18px;color:#9aa3b8;}</style></head><body><div class="container"><div class="title">403</div><div class="msg">Access Denied<br>Your IP is not authorized to access this resource.</div></div></body></html>';
}
}
Reference in New Issue View Git Blame Copy Permalink