first commit

nginx/nginx.conf

@@ -0,0 +1,63 @@
+events {
+    worker_connections 1024;
+}
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    # Logging
+    access_log /var/log/nginx/access.log;
+    error_log  /var/log/nginx/error.log;
+
+    # Gzip
+    gzip on;
+    gzip_types text/plain text/css application/json application/javascript text/xml application/xml;
+
+    # Rate limiting
+    limit_req_zone $binary_remote_addr zone=login:10m rate=10r/m;
+    limit_req_zone $binary_remote_addr zone=api:10m   rate=60r/m;
+
+    upstream flask {
+        server backend:5000;
+    }
+
+    server {
+        listen 80;
+        server_name _;
+
+        # Security headers
+        add_header X-Frame-Options       "SAMEORIGIN"   always;
+        add_header X-Content-Type-Options "nosniff"      always;
+        add_header X-XSS-Protection      "1; mode=block" always;
+
+        client_max_body_size 10M;
+
+        # Rate limiting op login
+        location /auth/login {
+            limit_req zone=login burst=5 nodelay;
+            proxy_pass         http://flask;
+            proxy_set_header   Host $host;
+            proxy_set_header   X-Real-IP $remote_addr;
+            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+        }
+
+        # Rate limiting op API
+        location /api/ {
+            limit_req zone=api burst=20 nodelay;
+            proxy_pass         http://flask;
+            proxy_set_header   Host $host;
+            proxy_set_header   X-Real-IP $remote_addr;
+            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+        }
+
+        # Alle andere requests
+        location / {
+            proxy_pass         http://flask;
+            proxy_set_header   Host $host;
+            proxy_set_header   X-Real-IP $remote_addr;
+            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_read_timeout 60s;
+        }
+    }
+}

nginx/proxy-params.conf

@@ -0,0 +1,10 @@
+# /etc/nginx/snippets/proxy-params.conf
+# Herbruikbaar snippet voor proxy headers.
+# Aanmaken met: sudo nano /etc/nginx/snippets/proxy-params.conf
+
+proxy_set_header Host               $host;
+proxy_set_header X-Real-IP          $remote_addr;
+proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto  $scheme;
+proxy_http_version                  1.1;
+proxy_set_header Connection         "";

nginx/vhost-host.conf

@@ -0,0 +1,24 @@
+# /etc/nginx/sites-available/leerdoelen
+#
+# Vereisten op de host:
+#   certbot --nginx -d leerdoelen.jouwdomein.be
+# Of als je al een wildcard cert hebt, pas ssl_certificate paden aan.
+
+server {
+    listen 80;
+    server_name leerdoelen.jouwdomein.be;
+
+    # Certbot voegt hier automatisch de SSL redirect en het 443 blok aan toe.
+    # Voer daarna uit: certbot --nginx -d leerdoelen.jouwdomein.be
+
+    access_log /var/log/nginx/leerdoelen.access.log;
+    error_log  /var/log/nginx/leerdoelen.error.log;
+
+    location / {
+        proxy_pass         http://127.0.0.1:5000;
+        include            /etc/nginx/snippets/proxy-params.conf;
+
+        client_max_body_size 10M;
+        proxy_read_timeout   60s;
+    }
+}