Uningnore and track conf files

2026-03-09 19:42:44 +00:00
parent d01362dd2c
commit 53a37dde34
23 changed files with 1668 additions and 1 deletions
--- a/data/conf.d/couch.conf
+++ b/data/conf.d/couch.conf
@@ -0,0 +1,92 @@
+server {
+    listen 80;
+    server_name couch.novicelab.io;
+    return 301 https://$host$request_uri;
+}
+
+server {
+    listen 443 ssl; # http2;
+    server_name couch.novicelab.io;
+
+    ssl_certificate     /etc/letsencrypt/live/novicelab.io/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/novicelab.io/privkey.pem;
+    ssl_protocols       TLSv1.2 TLSv1.3;
+    ssl_ciphers         HIGH:!aNULL:!MD5;
+    ssl_session_cache   shared:SSL:10m;
+
+    # Security headers
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+    add_header X-Frame-Options DENY;
+    add_header X-Content-Type-Options nosniff;
+    add_header X-XSS-Protection "1; mode=block";
+
+    resolver 127.0.0.11 8.8.8.8 8.8.4.4 valid=300s;
+    resolver_timeout 5s;
+
+    set $couch_backend 10.0.0.251:5984;
+
+    # # Block access to _utils (Fauxton) in production
+    # location /_utils {
+    #     deny all;
+    #     return 403;
+    # }
+
+    # # Block _config endpoint externally
+    # location /_config {
+    #     deny all;
+    #     return 403;
+    # }
+
+    # # Block _node endpoint externally
+    # location /_node {
+    #     # deny all;
+    #     # return 403;
+    #     proxy_pass         http://$couch_backend/_node; 
+    #     proxy_redirect     off;
+    #     proxy_set_header   Host $host;
+    #     proxy_set_header   X-Real-IP $remote_addr;
+    #     proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+    #     proxy_set_header   X-Forwarded-Proto $scheme;
+
+    #     # Timeouts
+    #     proxy_connect_timeout 10s;
+    #     proxy_read_timeout    60s;
+    # }
+
+    location / {
+        # Handle CORS preflight without hitting CouchDB auth
+        if ($request_method = OPTIONS) {
+            add_header Access-Control-Allow-Origin  $http_origin always;
+            add_header Access-Control-Allow-Methods "GET, PUT, POST, HEAD, DELETE, OPTIONS" always;
+            add_header Access-Control-Allow-Headers "accept, authorization, content-type, origin, referer, x-csrf-token" always;
+            add_header Access-Control-Allow-Credentials "true" always;
+            add_header Access-Control-Max-Age 3600;
+            add_header Content-Length 0;
+            add_header Content-Type text/plain;
+            return 204;
+        }
+
+        # Pass all other requests to CouchDB
+        # proxy_pass              http://127.0.0.1:5984;
+        proxy_pass         http://$couch_backend/;
+        proxy_redirect          off;
+        proxy_buffering         off;
+        proxy_method            $request_method;  
+        proxy_set_header        Host $host;
+        proxy_set_header        X-Real-IP $remote_addr;
+        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header        X-Forwarded-Proto $scheme;
+
+        # Forward CORS headers from CouchDB responses too
+        add_header Access-Control-Allow-Origin      $http_origin always;
+        add_header Access-Control-Allow-Credentials "true" always;
+
+        proxy_connect_timeout 10s;
+        proxy_read_timeout    60s;
+
+        # Headers for WebSocket support
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+    }
+}