r/mnemosyne
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
feat/admin-delete-daedalus-library
mnemosyne/nginx/mnemosyne.conf
Robert Helewka 4dde063299
All checks were successful
CVE Scan & Docker Build / security-scan (push) Successful in 3m41s
Details
Build & Deploy Docs / build-and-deploy (push) Successful in 1m9s
Details
CVE Scan & Docker Build / build-and-push (push) Successful in 3m29s
Details
fix(web): trust XFF for real client IP and correct port to 23081 
- Configure nginx `set_real_ip_from` for RFC1918 ranges and enable
  `real_ip_recursive` so allowlists evaluate the true client IP
  instead of Docker's NAT gateway, preventing public exposure of
  `/metrics` and `/nginx_status`
- Update published port from 23181 to 23081 in docker-compose
2026-06-17 06:58:36 -04:00

244 lines
11 KiB
Plaintext
Raw Permalink Blame History

# Mnemosyne nginx — single virtual host fronting the Django web app and the
# FastMCP server. HAProxy on Titania terminates TLS; this nginx is plain HTTP
# on the internal 10.10.0.0/24 network.
#
# Routing model
# -------------
# Everything proxies to the Django `app` container by default. The only paths
# NOT sent to Django are:
# /mcp/ → FastMCP ASGI server (Streamable HTTP + SSE)
# /static/ → served directly from the shared volume
# /media/ → served directly from the shared media volume
# /healthz → short-circuit proxy to FastMCP /mcp/health for HAProxy
# /nginx_status → nginx stub_status (Prospero scrape)
# Django returns its own themed 404 for anything it doesn't route.
#
# Conventions followed (Red Panda Standards + Athena reference config):
# * `resolver` + variable-based `proxy_pass` so container restarts don't
# leave nginx caching a dead IP and returning 502 until a full reload.
# * `$proxy_x_forwarded_proto` preserves HAProxy's `X-Forwarded-Proto: https`
# so `request.is_secure()`, secure cookies, and `build_absolute_uri()`
# work correctly behind TLS termination on Titania.
# * Probe paths are suppressed from access log; the `access_log off` line
# is needed to defeat the default in nginx:alpine's http-block config
# (server-level `access_log` is additive, not overriding, so without
# `off` first the probe paths still log via the inherited directive).
# * `/live/`, `/ready/`, `/healthz`, `/metrics`, `/nginx_status` are all
# IP-allowlisted to RFC1918 + loopback — defence in depth even though
# HAProxy is already on the internal network.
# Docker's embedded DNS — forces nginx to re-resolve upstream hostnames when
# containers restart and get new IPs. Without this, nginx caches the first
# resolution at startup and returns 502 after `docker compose restart app`.
resolver 127.0.0.11 valid=10s;
# Recover the real client IP from X-Forwarded-For (set by HAProxy on Titania)
# before evaluating the RFC1918 allowlists below. nginx runs as a sidecar with
# a published port, so every proxied request arrives via Docker's NAT gateway
# (an RFC1918 address) — without this, the allowlists match that gateway and
# pass ALL external traffic, exposing /metrics and /nginx_status publicly.
# HAProxy's own health checks (e.g. to /healthz) carry no XFF and keep their
# real 10.10.x.x source, so they stay allowed.
set_real_ip_from 10.0.0.0/8;
set_real_ip_from 172.16.0.0/12;
set_real_ip_from 192.168.0.0/16;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
# Preserve X-Forwarded-Proto from the upstream reverse proxy (HAProxy TLS
# termination on Titania); fall back to $scheme only if there's no upstream
# header. Inside the compose network $scheme is always `http` because HAProxy
# already terminated TLS, so we MUST honour the incoming header.
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
default $http_x_forwarded_proto;
"" $scheme;
}
# Probe-path access-log filter. Genuine 4xx/5xx on these paths still surface
# via the error log and via the probe itself failing.
map $request_uri $loggable {
default 1;
~^/live(/|\?|$) 0;
~^/ready(/|\?|$) 0;
~^/metrics(/|\?|$) 0;
~^/healthz(/|\?|$) 0;
~^/nginx_status(/|\?|$) 0;
~^/health 0;
~^/mcp/health(/|\?|$) 0;
~^/ping(/|\?|$) 0;
}
# Disable the default nginx.conf access_log (inherited from the http block
# in nginx:alpine's /etc/nginx/nginx.conf) and replace it with the filtered
# version. Without `off` first, both directives fire and probe paths still
# log through the inherited rule.
access_log off;
access_log /dev/stdout combined if=$loggable;
server {
listen 80 default_server;
server_name _;
# Reasonable limits — ingest can upload large content, but the bulk
# path is S3-direct from Daedalus. 64 MB covers admin uploads and
# direct REST POST /library/api/items/upload.
client_max_body_size 64m;
client_body_timeout 120s;
# Variable-based upstreams force nginx to re-resolve via the Docker
# DNS on each request rather than caching the IP at startup.
set $backend_app http://app:8000;
set $backend_mcp http://mcp:8001;
# ── Security headers ──────────────────────────────────────────────────
# `always` so they apply to 4xx/5xx responses from upstream too.
# Stronger policies (CSP, Referrer-Policy, HSTS) should be set on
# HAProxy so they're consistent across all backends.
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
# ── HAProxy liveness for the MCP server ───────────────────────────────
# Short-circuits to FastMCP's /mcp/health without hitting Django.
# HAProxy on Titania and any internal uptime monitor use this.
location = /healthz {
allow 127.0.0.0/8; # loopback
allow 10.0.0.0/8; # RFC1918 — primary internal range (Incus, HAProxy)
allow 172.16.0.0/12; # RFC1918 — Docker bridge networks
allow 192.168.0.0/16; # RFC1918
deny all;
proxy_pass $backend_mcp/mcp/health;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
}
# ── Static files ──────────────────────────────────────────────────────
# Baked into the image at /app/staticfiles, seeded into the shared
# volume by the static-init one-shot service on every `up`.
location /static/ {
alias /var/www/static/;
access_log off;
expires 30d;
add_header Cache-Control "public, immutable";
}
# ── Media files ──────────────────────────────────────────────────────
# Empty in production (USE_LOCAL_STORAGE=False → S3Boto3Storage).
# Useful in staging / dev compose runs where FileSystemStorage writes
# into MEDIA_ROOT inside the shared volume.
location /media/ {
alias /var/www/media/;
access_log off;
expires 7d;
add_header Cache-Control "public";
}
# ── FastMCP server ────────────────────────────────────────────────────
# Streamable HTTP at /mcp/ and SSE at /mcp/sse/. Long-running streams
# require disabled buffering, an unset Connection header (so HTTP/1.1
# keep-alive stays upstream), and a generous read timeout.
location /mcp/ {
proxy_pass $backend_mcp;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header Authorization $http_authorization;
proxy_set_header Connection "";
proxy_redirect off;
proxy_buffering off;
proxy_cache off;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
}
# ── Prometheus scrape — internal networks only ────────────────────────
# /metrics itself is owned by Django's django-prometheus middleware.
# Omitting 10.0.0.0/8 silently breaks scrapes from Prospero in the
# Incus network; omitting 172.16.0.0/12 breaks scrapes from a
# Prometheus container on the default Docker bridge.
location = /metrics {
allow 127.0.0.0/8;
allow 10.0.0.0/8;
allow 172.16.0.0/12;
allow 192.168.0.0/16;
deny all;
proxy_pass $backend_app;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
access_log off;
}
# ── nginx stub_status — internal networks only ────────────────────────
# Cheap endpoint for Prospero to watch active connections + request rate.
location = /nginx_status {
allow 127.0.0.0/8;
allow 10.0.0.0/8;
allow 172.16.0.0/12;
allow 192.168.0.0/16;
deny all;
stub_status on;
access_log off;
}
# ── Health probes on the Django app ───────────────────────────────────
# Use the trailing-slash form: /live/ and /ready/ return 200 directly.
# The un-slashed forms trigger Django's APPEND_SLASH 301 redirect, so
# clients that don't follow redirects will report a failure even when
# the service is healthy.
location = /live/ {
allow 127.0.0.0/8;
allow 10.0.0.0/8;
allow 172.16.0.0/12;
allow 192.168.0.0/16;
deny all;
proxy_pass $backend_app;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
access_log off;
}
location = /ready/ {
allow 127.0.0.0/8;
allow 10.0.0.0/8;
allow 172.16.0.0/12;
allow 192.168.0.0/16;
deny all;
proxy_pass $backend_app;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
access_log off;
}
# ── Catch-all: everything else goes to Django ─────────────────────────
# Django owns `/`, `/dashboard/`, `/login/`, `/logout/`, `/profile/*`,
# `/notifications/*`, `/admin/*`, `/library/*`, `/llm/*`, `/api/v1/*`,
# and any future app URL. It returns its own themed 404 for anything
# unrouted — not nginx's default page.
location / {
proxy_pass $backend_app;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_redirect off;
proxy_read_timeout 300s;
proxy_send_timeout 300s;
}
}
Reference in New Issue View Git Blame Copy Permalink