# CapaKraken nginx Security Hardening
# Apply to the server block for capakraken.hartmut-noerenberg.com
#
# References:
#   - EAPPS 3.3.1.3.04 (Server Header entfernen)
#   - EAPPS 3.3.1.4.01 (Server Hardening)
#   - EAPPS 3.2.2.3.08 (Company Firewall)
#   - EAPPS 3.3.1.12.02 (API Rate Limiting — backup layer)

# ---------- General Hardening ----------

# Remove server version from response headers
server_tokens off;

# Remove X-Powered-By (backup — Next.js also strips this)
proxy_hide_header X-Powered-By;

# Security headers (backup — also set in Next.js next.config.ts)
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;

# ---------- Rate Limiting ----------

# Define rate limiting zones (place in http {} block)
# limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
# limit_req_zone $binary_remote_addr zone=auth:10m rate=1r/s;

# Auth endpoints — strict rate limiting (1 req/s, burst 5)
location /api/auth/ {
    limit_req zone=auth burst=5 nodelay;
    proxy_pass http://127.0.0.1:3100;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}

# API endpoints — moderate rate limiting (10 req/s, burst 20)
location /api/ {
    limit_req zone=api burst=20 nodelay;
    proxy_pass http://127.0.0.1:3100;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}

# SSE endpoint — no rate limit, but long-lived connection
location /api/sse/ {
    proxy_pass http://127.0.0.1:3100;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_buffering off;
    proxy_cache off;
    proxy_read_timeout 86400s;
}

# Default location — proxy to Next.js
location / {
    proxy_pass http://127.0.0.1:3100;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}

# ---------- SSL Hardening ----------

# Only allow TLS 1.2 and 1.3
ssl_protocols TLSv1.2 TLSv1.3;

# Modern cipher suite (no CBC, no RC4, no 3DES)
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;

# Session resumption
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;

# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 8.8.8.8 valid=300s;
resolver_timeout 5s;

# HSTS (also set by Next.js, but nginx ensures it on all responses incl. redirects)
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

# ---------- Request Size Limits ----------

# Limit upload size (matches Next.js 10MB limit)
client_max_body_size 10m;

# ---------- Deny Access to Hidden Files ----------

location ~ /\. {
    deny all;
    return 404;
}

# ---------- Logging ----------

# Use combined format with request time for monitoring
log_format security '$remote_addr - $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent" '
                    '$request_time $upstream_response_time';

access_log /var/log/nginx/capakraken_access.log security;
error_log /var/log/nginx/capakraken_error.log warn;