Erste lauffähige Version

2026-05-21 10:36:16 +02:00
commit 6a103adac4
98 changed files with 4107 additions and 0 deletions
@@ -0,0 +1,9 @@
+proxy_http_version 1.1;
+proxy_set_header Host              $host;
+proxy_set_header X-Real-IP         $remote_addr;
+proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+proxy_set_header X-Forwarded-Host  $host;
+proxy_set_header Connection        "";
+proxy_redirect off;
+proxy_buffering on;
@@ -0,0 +1,55 @@
+# =============================================================================
+# vHost – HTTP only. Security-Header & TLS sind Aufgabe des äußeren Proxys.
+# =============================================================================
+
+# Vom äußeren Proxy weitergereichte Header vertrauen – aber NUR aus dem
+# Docker-Netz oder von der bekannten Proxy-IP. Bei Bedarf set_real_ip_from
+# auf das CIDR des Proxys einschränken.
+set_real_ip_from 0.0.0.0/0;
+real_ip_header X-Forwarded-For;
+real_ip_recursive on;
+
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+    server_name _;
+
+    # Healthcheck (für äußeren Proxy & Compose-Healthcheck)
+    location = /healthz {
+        access_log off;
+        return 200 "ok\n";
+        add_header Content-Type text/plain;
+    }
+
+    limit_conn conn_per_ip 20;
+
+    # Login strikter limitieren
+    location ~ ^/(accounts/login|admin/login) {
+        limit_req zone=login burst=3 nodelay;
+        proxy_pass http://django_app;
+        include /etc/nginx/conf.d/proxy_params.inc;
+    }
+
+    # Statische Dateien
+    location /static/ {
+        alias /var/www/static/;
+        access_log off;
+        expires 7d;
+        add_header Cache-Control "public, immutable";
+    }
+
+    # Geschützte Media (PDFs) – nur per X-Accel-Redirect aus Django ausspielen
+    location /protected-media/ {
+        internal;
+        alias /var/www/media/;
+    }
+
+    # App
+    location / {
+        limit_req zone=app burst=50 nodelay;
+        proxy_pass http://django_app;
+        include /etc/nginx/conf.d/proxy_params.inc;
+        proxy_read_timeout 120s;
+        proxy_send_timeout 120s;
+    }
+}
@@ -0,0 +1,58 @@
+# =============================================================================
+# App-interner Nginx – HTTP only.
+# TLS macht der äußere Proxy.
+# =============================================================================
+
+user nginx;
+worker_processes auto;
+worker_rlimit_nofile 8192;
+pid /var/run/nginx.pid;
+error_log /var/log/nginx/error.log warn;
+
+events {
+    worker_connections 2048;
+    multi_accept on;
+}
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main_ext  '$remote_addr - $remote_user [$time_iso8601] '
+                          '"$request" $status $body_bytes_sent '
+                          '"$http_referer" "$http_user_agent" '
+                          'xff="$http_x_forwarded_for" '
+                          'rt=$request_time urt="$upstream_response_time"';
+    access_log /var/log/nginx/access.log main_ext;
+
+    sendfile        on;
+    tcp_nopush      on;
+    tcp_nodelay     on;
+    keepalive_timeout 65;
+    server_tokens off;
+
+    # CSVs etc. – am äußeren Proxy spiegeln!
+    client_max_body_size 25M;
+    client_body_buffer_size 128k;
+    client_body_timeout 60s;
+    client_header_timeout 30s;
+
+    gzip on;
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_comp_level 6;
+    gzip_types text/plain text/css application/json application/javascript
+               text/xml application/xml application/xml+rss text/javascript
+               image/svg+xml;
+
+    limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;
+    limit_req_zone $binary_remote_addr zone=app:10m   rate=30r/s;
+    limit_conn_zone $binary_remote_addr zone=conn_per_ip:10m;
+
+    upstream django_app {
+        server web:8000 max_fails=3 fail_timeout=30s;
+        keepalive 32;
+    }
+
+    include /etc/nginx/conf.d/*.conf;
+}