Sankofa/docs/configs/nginx/README.md
defiQUG 9daf1fd378 Apply Composer changes: comprehensive API updates, migrations, middleware, and infrastructure improvements
- Add comprehensive database migrations (001-024) for schema evolution
- Enhance API schema with expanded type definitions and resolvers
- Add new middleware: audit logging, rate limiting, MFA enforcement, security, tenant auth
- Implement new services: AI optimization, billing, blockchain, compliance, marketplace
- Add adapter layer for cloud integrations (Cloudflare, Kubernetes, Proxmox, storage)
- Update Crossplane provider with enhanced VM management capabilities
- Add comprehensive test suite for API endpoints and services
- Update frontend components with improved GraphQL subscriptions and real-time updates
- Enhance security configurations and headers (CSP, CORS, etc.)
- Update documentation and configuration files
- Add new CI/CD workflows and validation scripts
- Implement design system improvements and UI enhancements
2025-12-12 18:01:35 -08:00


Nginx Proxy Configuration Guide

Overview

This guide covers configuring the Nginx Proxy VM for the SMOM-DBIS-138 deployment. The VM is the public entry point: it terminates TLS for the public hostnames and reverse-proxies each one to the matching backend service over the internal network.

Prerequisites

  • Nginx Proxy VM deployed and running
  • SSH access to the VM
  • Domain names configured in DNS
  • Cloudflare account (for DNS management)

Quick Start

1. Get VM IP Address

kubectl get proxmoxvm nginx-proxy-vm -n default -o jsonpath='{.status.ipAddress}'

2. SSH into the VM

ssh admin@<vm-ip-address>

3. Install SSL Certificates

# Install certbot if not already installed
sudo apt-get update
sudo apt-get install -y certbot python3-certbot-nginx

# Obtain a certificate for each public hostname (replace the example names
# with the real ones, e.g. -d smom-api.sankofa.nexus)
sudo certbot --nginx -d your-domain.com -d www.your-domain.com

The nginx plugin answers the HTTP-01 challenge through the running nginx, so each name must already resolve to this VM's public address and port 80 must be reachable from the internet. The plugin also edits the server block whose server_name matches and inserts the ssl directives; to obtain the certificate only and keep the site files exactly as written in the next step, run sudo certbot certonly --nginx -d ... instead and reference the files under /etc/letsencrypt/live/<name>/ yourself.

4. Configure Backend Services

Create one configuration file per service in /etc/nginx/sites-available/:

Example: SMOM Services

# Plain HTTP: answer only with a redirect to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name smom-api.sankofa.nexus;

    return 301 https://$server_name$request_uri;
}

# HTTPS: terminate TLS here and forward to the backend over the internal network.
# (On nginx 1.25.1 and later the http2 flag on listen is deprecated in favour of
# a separate "http2 on;" directive; the flag still works but logs a warning.)
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name smom-api.sankofa.nexus;

    ssl_certificate /etc/letsencrypt/live/smom-api.sankofa.nexus/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/smom-api.sankofa.nexus/privkey.pem;

    location / {
        proxy_pass http://smom-services:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends $remote_addr to whatever
        # X-Forwarded-For the client sent, so the backend must trust only the
        # right-most address in that list, never the first one.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

5. Enable Configuration

# Create symlink (the file name must match the one created in sites-available)
sudo ln -s /etc/nginx/sites-available/smom-api.conf /etc/nginx/sites-enabled/

# Test configuration
sudo nginx -t

# Reload nginx
sudo systemctl reload nginx
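Steps 4 and 5 are the part that gets repeated for every service, and the mistake to avoid is reloading nginx after a broken file has been symlinked in. The helper below is an added example, not code from the Sankofa repository: it renders a site file for one public hostname and one upstream, enables it, and only reloads nginx when nginx -t passes, otherwise putting the previous file back. Directory paths are the Debian defaults used in this guide; the hostname and upstream in the usage line are assumptions.

```shell
#!/bin/sh
# Added example (not part of the Sankofa repo): render and safely enable one
# site file on the proxy VM. Run as root. Paths follow the Debian nginx layout.
set -eu

SITES_AVAILABLE="${SITES_AVAILABLE:-/etc/nginx/sites-available}"
SITES_ENABLED="${SITES_ENABLED:-/etc/nginx/sites-enabled}"

# render_site_conf HOST UPSTREAM -> prints the site file to stdout.
# Mirrors the server blocks in this guide, plus the security headers section.
render_site_conf() {
    host="$1"
    upstream="$2"
    cat <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name ${host};
    return 301 https://\$server_name\$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name ${host};

    ssl_certificate /etc/letsencrypt/live/${host}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${host}/privkey.pem;

    # Security headers live at server level; an add_header inside a location
    # would replace all of them, so locations are kept free of add_header.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;

    location / {
        proxy_pass http://${upstream};
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF
}

# enable_site NAME HOST UPSTREAM -> writes NAME.conf, links it, tests the whole
# nginx config and reloads. On a failed test the previous state is restored.
enable_site() {
    name="$1"; host="$2"; upstream="$3"
    target="${SITES_AVAILABLE}/${name}.conf"
    link="${SITES_ENABLED}/${name}.conf"

    backup=""
    if [ -f "$target" ]; then
        backup="${target}.bak.$(date +%s)"
        cp "$target" "$backup"
    fi
    had_link=0
    if [ -e "$link" ]; then had_link=1; fi

    render_site_conf "$host" "$upstream" > "$target"
    ln -sf "$target" "$link"

    if nginx -t; then
        systemctl reload nginx
        echo "enabled ${name}: ${host} -> ${upstream}"
    else
        echo "nginx -t failed; rolling back ${name}" >&2
        if [ "$had_link" -eq 0 ]; then rm -f "$link"; fi
        if [ -n "$backup" ]; then mv "$backup" "$target"; else rm -f "$target"; fi
        return 1
    fi
}

# Usage on the proxy VM (hostname and upstream are assumptions):
#   enable_site smom-api smom-api.sankofa.nexus smom-services:8080
```

Because nginx -t validates the whole configuration, a bad file for one service blocks the reload for all of them; the rollback keeps the running config and the files on disk in agreement, so the next reload (for example from certbot renewal) does not fail on a leftover broken site.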

Configuration Files

Main Nginx Configuration

Location: /etc/nginx/nginx.conf

Key settings:

  • Worker processes: auto (matches CPU cores)
  • Worker connections: 1024
  • Gzip compression: Enabled
  • SSL protocols: TLSv1.2, TLSv1.3

Site Configurations

Location: /etc/nginx/sites-available/

Each service should have its own configuration file:

  • smom-api.conf - API services
  • smom-blockscout.conf - Blockscout explorer
  • smom-monitoring.conf - Monitoring dashboards
  • smom-rpc.conf - RPC endpoints

SSL/TLS Configuration

Automatic Certificate Renewal

On Debian/Ubuntu the certbot package installs a systemd timer that runs certbot renew twice a day, and certificates obtained with the nginx plugin are reloaded into nginx automatically after renewal. Verify the timer and do a dry run:

systemctl list-timers certbot.timer
sudo certbot renew --dry-run

A certificate obtained with certonly is renewed too, but nginx is not told about the new files; pass --deploy-hook 'systemctl reload nginx' on that certbot command so the hook is remembered for later renewals.

Manual Certificate Renewal

sudo certbot renew
sudo systemctl reload nginx

Security Headers

Every HTTPS server block should include the following (HSTS belongs only on the HTTPS block; the plain-HTTP block just redirects). The always parameter keeps the headers on error responses as well:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "0" always;

Two caveats. First, add_header is not additive across levels: a single add_header inside a location discards every header inherited from the server block, so either keep locations free of add_header or repeat the full set there. Second, X-XSS-Protection is a legacy header; current browsers no longer implement the filter it controlled, and "1; mode=block" caused side-channel problems of its own, so set it to 0 or omit it and rely on a Content-Security-Policy written for each application instead.
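Whether the headers actually reach the client is easy to verify from outside, and worth checking after every config change given the add_header inheritance rule above. The checker below is an added example and not part of the Sankofa repository; feed it raw response headers from curl -sI. It also flags a version string in the Server header, which nginx suppresses with server_tokens off;. The hostname in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the Sankofa repo): verify the security headers
# required by this guide on a live response, e.g.
#   curl -sI https://smom-api.sankofa.nexus/ | check_security_headers
# (hostname is an assumption).

# header_value HEADERS NAME -> value of the first header called NAME,
# case-insensitive, CR and surrounding whitespace stripped; empty if absent.
header_value() {
    printf '%s\n' "$1" | tr -d '\r' | grep -i "^$2:" | head -n 1 \
        | cut -d: -f2- | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'
}

# check_security_headers < HEADERS -> prints one line per problem,
# returns 0 when everything required is present and sane, 1 otherwise.
check_security_headers() {
    headers="$(cat)"
    failures=0

    # HSTS must be present with the one-year max-age used in the guide.
    hsts="$(header_value "$headers" Strict-Transport-Security)"
    max_age="$(printf '%s\n' "$hsts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')"
    if [ -z "$hsts" ]; then
        echo "MISSING Strict-Transport-Security"; failures=$((failures + 1))
    elif [ "${max_age:-0}" -lt 31536000 ]; then
        echo "WEAK Strict-Transport-Security: max-age=${max_age:-none} (< 31536000)"
        failures=$((failures + 1))
    fi

    case "$(header_value "$headers" X-Content-Type-Options | tr 'A-Z' 'a-z')" in
        nosniff) ;;
        *) echo "MISSING X-Content-Type-Options: nosniff"; failures=$((failures + 1)) ;;
    esac

    case "$(header_value "$headers" X-Frame-Options | tr 'a-z' 'A-Z')" in
        SAMEORIGIN|DENY) ;;
        *) echo "MISSING X-Frame-Options (SAMEORIGIN or DENY)"; failures=$((failures + 1)) ;;
    esac

    # The legacy XSS-auditor header should be absent or explicitly disabled.
    xss="$(header_value "$headers" X-XSS-Protection)"
    if [ -n "$xss" ] && [ "$xss" != "0" ]; then
        echo "LEGACY X-XSS-Protection: '$xss' (set to 0 or remove)"; failures=$((failures + 1))
    fi

    # A version in Server invites targeted scanning; "server_tokens off;" hides it.
    server="$(header_value "$headers" Server)"
    case "$server" in
        */[0-9]*) echo "LEAK Server header reveals a version: $server"; failures=$((failures + 1)) ;;
    esac

    [ "$failures" -eq 0 ]
}
```

Run it against every public hostname, not just one: each site file carries its own header set, and a location-level add_header added later for one service silently drops the inherited headers for that path only.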

Load Balancing

For multiple backend instances, define an upstream group and point proxy_pass at it. least_conn sends each new request to the instance with the fewest active connections; max_fails and fail_timeout take an instance that keeps failing out of rotation for the timeout period (nginx's passive health check); keepalive reuses connections to the backends, which requires HTTP/1.1 and a cleared Connection header in the location:

upstream smom_services {
    least_conn;
    server smom-services-01:8080 max_fails=3 fail_timeout=30s;
    server smom-services-02:8080 max_fails=3 fail_timeout=30s;
    server smom-services-03:8080 max_fails=3 fail_timeout=30s;
    keepalive 32;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name smom-api.sankofa.nexus;
    ssl_certificate /etc/letsencrypt/live/smom-api.sankofa.nexus/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/smom-api.sankofa.nexus/privkey.pem;

    location / {
        proxy_pass http://smom_services;
        proxy_http_version 1.1;          # required for upstream keepalive
        proxy_set_header Connection "";  # required for upstream keepalive
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Monitoring

Access Logs

tail -f /var/log/nginx/access.log

Error Logs

tail -f /var/log/nginx/error.log

Status Check

curl http://localhost/nginx_status

This endpoint is not enabled by default. It needs a location in one of the server blocks containing stub_status; and restricted with allow 127.0.0.1; deny all;, because it reports active and total connection counts to anyone who can reach it.
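Tailing the log shows that traffic is flowing; the questions during an incident are which client is hammering the API, which paths are being probed, and how many 5xx responses the backends are returning. The functions below are an added example, not part of the Sankofa repository, written for nginx's default combined log format; the log lines at the top are constructed sample data and the thresholds are assumptions.

```shell
#!/bin/sh
# Added example (not from the Sankofa repo): quick triage of nginx access logs
# in the default "combined" format. SAMPLE_LOG is constructed test data; in
# practice pipe the real log in, e.g.
#   tail -n 20000 /var/log/nginx/access.log | auth_failures_by_client 20

SAMPLE_LOG='203.0.113.10 - - [12/Dec/2025:18:01:35 -0800] "GET /v1/health HTTP/2.0" 200 17 "-" "curl/8.5.0"
203.0.113.10 - - [12/Dec/2025:18:01:36 -0800] "POST /v1/login HTTP/2.0" 401 43 "-" "python-requests/2.32"
203.0.113.10 - - [12/Dec/2025:18:01:36 -0800] "POST /v1/login HTTP/2.0" 401 43 "-" "python-requests/2.32"
203.0.113.10 - - [12/Dec/2025:18:01:37 -0800] "POST /v1/login HTTP/2.0" 401 43 "-" "python-requests/2.32"
198.51.100.7 - - [12/Dec/2025:18:01:38 -0800] "GET /v1/blocks HTTP/2.0" 502 157 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Dec/2025:18:01:39 -0800] "GET /v1/blocks HTTP/2.0" 200 2048 "https://smom.sankofa.nexus/" "Mozilla/5.0"
192.0.2.55 - - [12/Dec/2025:18:01:40 -0800] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0 zgrab/0.x"'

# Field layout of the combined format, split on whitespace (request paths are
# assumed not to contain spaces, otherwise $9 would not be the status):
#   $1 client   $4 $5 time   $6 method   $7 path   $8 protocol   $9 status   $10 bytes

# status_counts < LOG -> "status count" per response code, ascending
status_counts() {
    awk '{ c[$9]++ } END { for (s in c) print s, c[s] }' | sort -n
}

# top_clients N < LOG -> the N busiest client addresses as "requests client"
top_clients() {
    awk '{ c[$1]++ } END { for (ip in c) print c[ip], ip }' | sort -rn | head -n "$1"
}

# auth_failures_by_client THRESHOLD < LOG -> clients with at least THRESHOLD
# 401/403 responses, i.e. credential stuffing or token guessing candidates
auth_failures_by_client() {
    awk -v t="$1" '$9 == 401 || $9 == 403 { c[$1]++ }
                   END { for (ip in c) if (c[ip] >= t) print c[ip], ip }' | sort -rn
}

# probe_paths < LOG -> paths that only ever produced 404s, a cheap scanner signature
probe_paths() {
    awk '{ seen[$7]++; if ($9 == 404) nf[$7]++ }
         END { for (p in seen) if (nf[p] == seen[p]) print nf[p], p }' | sort -rn
}

# Demo over the constructed sample log.
echo "== status codes ==";            printf '%s\n' "$SAMPLE_LOG" | status_counts
echo "== top clients ==";             printf '%s\n' "$SAMPLE_LOG" | top_clients 3
echo "== auth failures (>= 3) ==";    printf '%s\n' "$SAMPLE_LOG" | auth_failures_by_client 3
echo "== 404-only paths ==";          printf '%s\n' "$SAMPLE_LOG" | probe_paths
```

The output of auth_failures_by_client is the input a rate-limiting or blocking decision needs (a limit_req zone keyed on the client address, or a deny entry), and probe_paths gives the list of paths that can be dropped at the proxy instead of being forwarded to the backends.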

Troubleshooting

Test Configuration

sudo nginx -t

Check Nginx Status

sudo systemctl status nginx

View Listening Sockets and Active Connections

# listening sockets owned by nginx (netstat is deprecated; ss comes with iproute2)
sudo ss -tlnp | grep nginx

# established client connections on the HTTPS and HTTP listeners
sudo ss -tn state established '( sport = :443 or sport = :80 )'

Check SSL Certificate

sudo certbot certificates

Next Steps

  1. Configure all backend services
  2. Set up monitoring and alerting
  3. Configure rate limiting
  4. Set up failover/backup proxy