changemaker.lite/nginx/nginx.conf

worker_processes auto;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Redact sensitive query parameters (token, secret) from access logs
    map $request_uri $redacted_request {
        ~^(?P<path>[^?]*)\?(?P<args>.*token=[^&]*)  "$path?<token-redacted>";
        ~^(?P<path>[^?]*)\?(?P<args>.*secret=[^&]*) "$path?<secret-redacted>";
        default                                       $request_uri;
    }

    log_format main '$remote_addr - $remote_user [$time_local] "$request_method $redacted_request $server_protocol" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    server_tokens off;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    client_max_body_size 50m;

    # Rate limiting zones (defense-in-depth alongside app-level Redis rate limits)
    limit_req_zone $binary_remote_addr zone=api_global:10m rate=30r/s;
    limit_req_zone $binary_remote_addr zone=api_auth:10m rate=5r/s;
    limit_req_zone $binary_remote_addr zone=upload:10m rate=2r/s;
    limit_req_status 429;

    # Gzip compression
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml;

    # Only send HSTS when the request arrived over HTTPS (via Pangolin tunnel)
    map $http_x_forwarded_proto $hsts_header {
        https  "max-age=31536000; includeSubDomains";
        default "";
    }

    # Security headers (applied globally — X-Frame-Options set per server block)
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Strict-Transport-Security $hsts_header always;
    add_header Permissions-Policy "geolocation=(self), microphone=(), camera=()" always;

    # Docker internal DNS — enables runtime resolution so nginx starts
    # even when optional services are not running
    resolver 127.0.0.11 valid=30s;

    include /etc/nginx/conf.d/*.conf;
}