# /etc/nginx/sites-available/musehub # # Cloudflare Origin Certificate configuration. # Cloudflare terminates SSL at the edge. This nginx instance accepts HTTPS # connections using a Cloudflare Origin Certificate. # # SSL mode in Cloudflare dashboard MUST be set to "Full (Strict)". # No Certbot or Let's Encrypt required — the Origin Certificate is valid for 15 years. # # IP restriction is enforced at the EC2 security group level (inbound port 443 # restricted to Cloudflare IP ranges). Do not duplicate that logic here — # the real_ip module replaces $remote_addr with the true client IP before # allow/deny runs, which would incorrectly block legitimate Cloudflare traffic. # # To generate the Origin Certificate: # Cloudflare Dashboard → → SSL/TLS → Origin Server → Create Certificate # Choose "Generate private key and CSR with Cloudflare" → RSA (2048) → 15 years # Save certificate → /etc/ssl/cloudflare/origin.pem # Save private key → /etc/ssl/cloudflare/origin.key # chmod 640 /etc/ssl/cloudflare/origin.key # Per-IP rate limiting zones — defined at http context level. # Wire endpoints are exempt (MSign auth-gated). Healthz is exempt (fast-path). # 'api' — general unauthenticated surface: 60 req/min with burst headroom # 'auth' — tighter zone reserved for future auth endpoints: 10 req/min limit_req_zone $binary_remote_addr zone=api:10m rate=60r/m; limit_req_zone $binary_remote_addr zone=auth:10m rate=10r/m; # Restore the real client IP from the Cloudflare connecting-IP header. # Without this, every request appears to come from a Cloudflare edge node. # Cloudflare IP ranges: https://www.cloudflare.com/ips/ real_ip_header CF-Connecting-IP; real_ip_recursive on; # Cloudflare IPv4 ranges set_real_ip_from 173.245.48.0/20; set_real_ip_from 103.21.244.0/22; set_real_ip_from 103.22.200.0/22; set_real_ip_from 103.31.4.0/22; set_real_ip_from 141.101.64.0/18; set_real_ip_from 108.162.192.0/18; set_real_ip_from 190.93.240.0/20; set_real_ip_from 188.114.96.0/20; set_real_ip_from 197.234.240.0/22; set_real_ip_from 198.41.128.0/17; set_real_ip_from 162.158.0.0/15; set_real_ip_from 104.16.0.0/13; set_real_ip_from 104.24.0.0/14; set_real_ip_from 172.64.0.0/13; set_real_ip_from 131.0.72.0/22; # Cloudflare IPv6 ranges set_real_ip_from 2400:cb00::/32; set_real_ip_from 2606:4700::/32; set_real_ip_from 2803:f800::/32; set_real_ip_from 2405:b500::/32; set_real_ip_from 2405:8100::/32; set_real_ip_from 2a06:98c0::/29; set_real_ip_from 2c0f:f248::/32; # Blue-green upstream: deploy.sh rewrites /etc/nginx/musehub-active-port # and runs `nginx -s reload` to switch slots atomically. # # keepalive 32: nginx keeps up to 32 idle connections to uvicorn open, # eliminating the TCP handshake cost on every request. # keepalive_requests 1000: rotate the connection after 1000 requests so # stale file descriptors don't accumulate. # keepalive_timeout 60s: evict idle keepalive connections after 60s of # disuse — matches uvicorn's own idle timeout. upstream musehub_backend { include /etc/nginx/musehub-active-port; keepalive 32; keepalive_requests 1000; keepalive_timeout 60s; } # Redirect all plain-HTTP traffic to HTTPS — 301 (permanent, cacheable). # In prod, Cloudflare enforces HTTPS at the edge, so this only fires for # traffic that bypasses Cloudflare (e.g., direct-to-origin access during # ops or monitoring). Belt-and-suspenders. server { listen 80; listen [::]:80; server_name DOMAIN_PLACEHOLDER; return 301 https://$host$request_uri; } server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name DOMAIN_PLACEHOLDER; ssl_certificate /etc/ssl/cloudflare/origin.pem; ssl_certificate_key /etc/ssl/cloudflare/origin.key; # Enforce TLS 1.2 minimum — disable TLS 1.0 and TLS 1.1 (both deprecated). # TLS 1.3 is preferred; 1.2 retained for compatibility with older clients. ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256; ssl_prefer_server_ciphers off; # TLS 1.3 ignores this; keep off for 1.2 forward secrecy client_max_body_size 500m; gzip on; gzip_comp_level 5; gzip_vary on; # Binary types (msgpack) are excluded: already compressed, gzip adds CPU with no size gain. gzip_types text/plain text/css text/javascript application/javascript application/json; # Security headers — applied to all responses from this server block. # 'always' ensures they are sent on error responses (4xx, 5xx) too. # Wire location blocks that define their own add_header (MCP, SSE) break # inheritance intentionally — programmatic clients don't need these. add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Content-Type-Options "nosniff" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; # ── Healthz — dedicated fast-path, short timeout, no interference ──────────── location = /healthz { proxy_pass http://musehub_backend; proxy_http_version 1.1; proxy_set_header Connection ""; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_read_timeout 5s; proxy_send_timeout 5s; } # ── MCP — bidirectional Streamable HTTP, long-lived, never buffer ────────── location ~ ^/mcp(/|$) { proxy_pass http://musehub_backend; proxy_http_version 1.1; proxy_set_header Connection ""; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_read_timeout 3600s; proxy_send_timeout 3600s; proxy_request_buffering off; proxy_buffering off; add_header X-Accel-Buffering no always; } # ── SSE — Server-Sent Events (social feed), long-lived, never buffer ─────── location ~ ^/api/social/[^/]+/stream$ { proxy_pass http://musehub_backend; proxy_http_version 1.1; proxy_set_header Connection ""; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_read_timeout 3600s; proxy_send_timeout 3600s; proxy_request_buffering off; proxy_buffering off; add_header X-Accel-Buffering no always; } # ── Wire push — large uploads, never buffer ─────────────────────────────── # /push/mpack-presign — negotiate S3 presigned upload URL # /push/unpack-mpack — trigger S3→uvicorn unpack location ~ ^/[^/]+/[^/]+/push(/mpack-presign|/unpack-mpack)?$ { proxy_pass http://musehub_backend; proxy_http_version 1.1; proxy_set_header Connection ""; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_read_timeout 300s; proxy_send_timeout 300s; proxy_request_buffering off; proxy_buffering off; client_max_body_size 0; gzip off; } # ── Wire fetch — responses may be large, never buffer ───────────────────── # /fetch/mpack — mpack download (inline bytes or presigned S3 URL) # /fetch/objects — raw object bytes # /fetch/presign — negotiate S3 presigned download URL location ~ ^/[^/]+/[^/]+/fetch(/mpack|/objects|/presign)?$ { proxy_pass http://musehub_backend; proxy_http_version 1.1; proxy_set_header Connection ""; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_read_timeout 300s; proxy_send_timeout 300s; proxy_request_buffering off; proxy_buffering off; client_max_body_size 0; gzip off; } # ── Wire misc — short-lived wire ops and raw object downloads ───────────── # These are authenticated wire endpoints that need more than 60s: refs, # repair, tags, releases, branches, coord, and the raw object download path /o/. location ~ ^(/[^/]+/[^/]+/(refs|repair-object|repair-snapshot|repair-commit|tags|releases|branches|coord)|/o/) { proxy_pass http://musehub_backend; proxy_http_version 1.1; proxy_set_header Connection ""; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_read_timeout 120s; proxy_send_timeout 120s; gzip off; } # ── Default catch-all — UI pages and JSON API ───────────────────────────── # All /api/*, /{owner}/{repo_slug} UI routes, /musehub/*, /explore, etc. # Standard request/response, small payloads, 60s is ample. # Rate-limited: unauthenticated endpoints here are the primary abuse surface. # burst=20 nodelay: absorb short bursts without queuing; excess → 429 immediately. location / { limit_req zone=api burst=20 nodelay; proxy_pass http://musehub_backend; proxy_http_version 1.1; proxy_set_header Connection ""; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_read_timeout 60s; } }