v0.3.0 - Complete deployment documentation and examples - Added comprehensive deployment guide, automated deployment scripts, nginx SSL proxy setup, backup automation, and monitoring tools. Includes VPS deployment, cloud platform guides, and practical examples for production deployment of event-based configuration system.

2025-09-06 20:19:12 -04:00
parent a02c1204ce
commit c1de1bb480
39 changed files with 6109 additions and 2452 deletions
--- a/examples/deployment/nginx-proxy/nginx.conf
+++ b/examples/deployment/nginx-proxy/nginx.conf
@@ -0,0 +1,168 @@
+# Nginx Configuration for C Nostr Relay
+# Complete nginx.conf for reverse proxy setup with SSL
+
+user nginx;
+worker_processes auto;
+error_log /var/log/nginx/error.log warn;
+pid /var/run/nginx.pid;
+
+events {
+    worker_connections 1024;
+    use epoll;
+    multi_accept on;
+}
+
+http {
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
+
+    # Logging format
+    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+                    '$status $body_bytes_sent "$http_referer" '
+                    '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log /var/log/nginx/access.log main;
+
+    # Basic settings
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+    keepalive_timeout 65;
+    types_hash_max_size 2048;
+    server_tokens off;
+
+    # Gzip compression
+    gzip on;
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_comp_level 6;
+    gzip_types
+        text/plain
+        text/css
+        text/xml
+        text/javascript
+        application/json
+        application/javascript
+        application/xml+rss
+        application/atom+xml;
+
+    # Rate limiting
+    limit_req_zone $remote_addr zone=relay:10m rate=10r/s;
+    
+    # Map WebSocket upgrade
+    map $http_upgrade $connection_upgrade {
+        default upgrade;
+        '' close;
+    }
+
+    # Upstream for the relay
+    upstream c_relay_backend {
+        server 127.0.0.1:8888;
+        keepalive 32;
+    }
+
+    # HTTP Server (redirect to HTTPS)
+    server {
+        listen 80;
+        server_name relay.yourdomain.com;
+        
+        # Redirect all HTTP to HTTPS
+        return 301 https://$server_name$request_uri;
+    }
+
+    # HTTPS Server
+    server {
+        listen 443 ssl http2;
+        server_name relay.yourdomain.com;
+
+        # SSL Configuration
+        ssl_certificate /etc/letsencrypt/live/relay.yourdomain.com/fullchain.pem;
+        ssl_certificate_key /etc/letsencrypt/live/relay.yourdomain.com/privkey.pem;
+        
+        # SSL Security Settings
+        ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
+        ssl_prefer_server_ciphers off;
+        ssl_session_cache shared:SSL:10m;
+        ssl_session_timeout 10m;
+        ssl_session_tickets off;
+        
+        # OCSP Stapling
+        ssl_stapling on;
+        ssl_stapling_verify on;
+        ssl_trusted_certificate /etc/letsencrypt/live/relay.yourdomain.com/chain.pem;
+        resolver 8.8.8.8 8.8.4.4 valid=300s;
+        resolver_timeout 5s;
+
+        # Security Headers
+        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header X-Frame-Options "DENY" always;
+        add_header X-XSS-Protection "1; mode=block" always;
+        add_header Referrer-Policy "no-referrer-when-downgrade" always;
+        add_header Content-Security-Policy "default-src 'self'; connect-src 'self' wss://relay.yourdomain.com; script-src 'self'; style-src 'self' 'unsafe-inline';" always;
+
+        # Rate limiting
+        limit_req zone=relay burst=20 nodelay;
+
+        # Main proxy location for WebSocket and HTTP
+        location / {
+            # Proxy settings
+            proxy_pass http://c_relay_backend;
+            proxy_http_version 1.1;
+            proxy_cache_bypass $http_upgrade;
+
+            # Headers
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header X-Forwarded-Host $server_name;
+
+            # WebSocket support
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection $connection_upgrade;
+
+            # Timeouts for WebSocket connections
+            proxy_read_timeout 86400s;
+            proxy_send_timeout 86400s;
+            proxy_connect_timeout 60s;
+
+            # Buffer settings
+            proxy_buffering off;
+            proxy_request_buffering off;
+
+            # Error handling
+            proxy_intercept_errors on;
+            error_page 502 503 504 /50x.html;
+        }
+
+        # Error pages
+        location = /50x.html {
+            root /usr/share/nginx/html;
+        }
+
+        # Health check endpoint (if implemented)
+        location /health {
+            proxy_pass http://c_relay_backend/health;
+            access_log off;
+        }
+
+        # Deny access to hidden files
+        location ~ /\. {
+            deny all;
+            access_log off;
+            log_not_found off;
+        }
+
+        # Optional: Metrics endpoint (if implemented)
+        location /metrics {
+            proxy_pass http://c_relay_backend/metrics;
+            # Restrict access to monitoring systems
+            allow 10.0.0.0/8;
+            allow 172.16.0.0/12;
+            allow 192.168.0.0/16;
+            deny all;
+        }
+    }
+}