# Configuración de nginx para API Ping Service # Este archivo debe ser adaptado según tu configuración específica server { listen 80; listen [::]:80; server_name your-domain.com; # Cambiar por tu dominio # Redirección HTTPS (recomendado para producción) return 301 https://$server_name$request_uri; } server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name your-domain.com; # Cambiar por tu dominio # Configuración SSL (ajustar rutas según tu setup) ssl_certificate /path/to/your/certificate.pem; ssl_certificate_key /path/to/your/private.key; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384; # Headers de seguridad add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';" always; # Configuración para obtener la IP real del cliente real_ip_header X-Forwarded-For; real_ip_recursive on; # IPs confiables (ajustar según tu infraestructura) # Cloudflare IPs (si usas Cloudflare) set_real_ip_from 173.245.48.0/20; set_real_ip_from 103.21.244.0/22; set_real_ip_from 103.22.200.0/22; set_real_ip_from 103.31.4.0/22; set_real_ip_from 141.101.64.0/18; set_real_ip_from 108.162.192.0/18; set_real_ip_from 190.93.240.0/20; set_real_ip_from 188.114.96.0/20; set_real_ip_from 197.234.240.0/22; set_real_ip_from 198.41.128.0/17; set_real_ip_from 162.158.0.0/15; set_real_ip_from 104.16.0.0/13; set_real_ip_from 104.24.0.0/14; set_real_ip_from 172.64.0.0/13; set_real_ip_from 131.0.72.0/22; set_real_ip_from 2400:cb00::/32; set_real_ip_from 2606:4700::/32; set_real_ip_from 2803:f800::/32; set_real_ip_from 2405:b500::/32; set_real_ip_from 2405:8100::/32; set_real_ip_from 2a06:98c0::/29; set_real_ip_from 2c0f:f248::/32; # IPs locales/privadas (ajustar según tu red) set_real_ip_from 10.0.0.0/8; set_real_ip_from 172.16.0.0/12; set_real_ip_from 192.168.0.0/16; # Proxy a Next.js location / { proxy_pass http://127.0.0.1:3000; # Ajustar puerto si es necesario proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Port $server_port; proxy_cache_bypass $http_upgrade; # Timeouts proxy_connect_timeout 60s; proxy_send_timeout 60s; proxy_read_timeout 60s; } # Configuración específica para API endpoints location /api/ { proxy_pass http://127.0.0.1:3000; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Port $server_port; # Rate limiting adicional en nginx (opcional) limit_req zone=api burst=20 nodelay; # Headers CORS para API add_header Access-Control-Allow-Origin "*" always; add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always; add_header Access-Control-Allow-Headers "Content-Type, Authorization" always; # Manejar preflight requests if ($request_method = OPTIONS) { add_header Access-Control-Allow-Origin "*"; add_header Access-Control-Allow-Methods "GET, POST, OPTIONS"; add_header Access-Control-Allow-Headers "Content-Type, Authorization"; add_header Content-Length 0; add_header Content-Type text/plain; return 200; } } # Rate limiting para proteger la API location /api/ping { limit_req zone=ping burst=5 nodelay; proxy_pass http://127.0.0.1:3000; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } # Archivos estáticos con cache location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg)$ { proxy_pass http://127.0.0.1:3000; proxy_set_header Host $host; expires 1y; add_header Cache-Control "public, immutable"; add_header X-Cache-Status "STATIC"; } # Logs access_log /var/log/nginx/api-ping-access.log; error_log /var/log/nginx/api-ping-error.log; } # Rate limiting zones (definir en http block) # Agregar estas líneas al bloque http {} en nginx.conf: # # http { # # Rate limiting para API general # limit_req_zone $binary_remote_addr zone=api:10m rate=30r/h; # # # Rate limiting específico para ping (más restrictivo) # limit_req_zone $binary_remote_addr zone=ping:10m rate=5r/10m; # # # Rate limiting por IP real (considerando proxy) # limit_req_zone $realip_remote_addr zone=real_ip:10m rate=5r/10m; # } # Configuración adicional para development/testing # Archivo separado: nginx-dev.conf # # server { # listen 80; # server_name localhost; # # location / { # proxy_pass http://127.0.0.1:3000; # proxy_set_header Host $host; # proxy_set_header X-Real-IP $remote_addr; # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # proxy_set_header X-Forwarded-Proto $scheme; # } # }