Nginx Configuration
Nginx acts as the single entry point for all traffic to the eTeamups Platform. It handles reverse proxying, SSL termination, request routing, rate limiting, security headers, and media upload handling.
Configuration Files
| File | Purpose |
|---|---|
| nginx/nginx.conf | Production configuration |
| nginx/nginx.local.conf | Local development configuration |
Upstream Blocks
Each backend service is defined as an upstream block in the Nginx configuration:
```nginx
# One upstream per backend service; the host part is the Compose service name.
upstream auth_backend {
    server auth-service:9000;
}
upstream profile_backend {
    server profile-service:9100;
}
upstream organisation_backend {
    server organisation-service:9107;
}
upstream media_backend {
    server media-service:9102;
}
upstream admin_portal {
    server admin-portal:9103;
}
upstream zeswa_hub {
    server zeswa-hub:4000;
}
```
Within Docker Compose, each service is reachable on the Compose network under its service name, which Docker's embedded DNS resolves to the container's address. Nginx resolves the hostnames in static upstream server entries once, when the configuration is loaded, so if a container is recreated and receives a new address Nginx keeps using the stale one until the configuration is reloaded.
Route Mapping
Incoming requests are routed to the appropriate upstream based on the URL path. Nginx selects the location with the longest matching prefix, so the / catch-all only receives requests that no more specific route claims:
| Route Pattern | Upstream | Service |
|---|---|---|
| /api/v1/auth/* | auth_backend | Auth Service |
| /api/v1/profile/* | profile_backend | Profile Service |
| /api/v1/organisation/* | organisation_backend | Organisation Service |
| /api/v1/media/* | media_backend | Media Service |
| /admin/* | admin_portal | Admin Portal |
| / | zeswa_hub | Zeswa Hub |
SSL Configuration
Certificates
SSL certificates are stored in the nginx/ssl/ directory:
```text
nginx/ssl/
  fullchain.pem   # Full certificate chain (leaf certificate followed by intermediates)
  privkey.pem     # Private key
```
privkey.pem must be readable only by the user that runs Nginx and must never be committed to version control.
Ports
| Port | Protocol | Purpose |
|---|---|---|
| 80 | HTTP | Redirects all traffic to HTTPS |
| 443 | HTTPS | Production HTTPS traffic |
| 18443 | HTTPS | Local development HTTPS |
HTTP to HTTPS Redirect
All HTTP requests on port 80 are permanently redirected to HTTPS:
```nginx
server {
    listen 80;
    # $host is taken from the request line or the client's Host header
    # (falling back to server_name), so the redirect target follows whatever
    # hostname the client supplied.
    return 301 https://$host$request_uri;
}
```
Because the target is built from the client-supplied Host header, a request carrying a forged Host is redirected to that host. Pinning server_name and redirecting to $server_name instead, or dropping requests for unknown names, avoids this.
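As an added example (not the project's nginx/nginx.conf), here is a TLS-terminating server block that wires the route table above to the upstream blocks and answers the /health probe itself. The hostname eteamups.example, the certificate mount path /etc/nginx/ssl/, the TLS settings and the proxy headers are assumptions; the file names, ports and routes come from this page.

```nginx
# Added example, not the project's configuration. Placeholder hostname and
# assumed mount path for the nginx/ssl/ directory.
server {
    listen 80;
    server_name eteamups.example;
    # Redirect to the configured name rather than the client-supplied Host
    # header, so a forged Host cannot steer the redirect to another site.
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name eteamups.example;

    ssl_certificate     /etc/nginx/ssl/fullchain.pem;   # nginx/ssl/fullchain.pem
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;     # nginx/ssl/privkey.pem
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # After TLS termination every backend needs the original Host, the client
    # address, and the scheme so it generates https:// URLs and marks cookies Secure.
    # proxy_set_header is inherited by a location only if that location sets none
    # of its own, so a location that adds one header must repeat all of these.
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_http_version 1.1;

    # proxy_pass without a URI part forwards the request path unchanged, so the
    # services receive the full /api/v1/... path.
    location /api/v1/auth/         { proxy_pass http://auth_backend; }
    location /api/v1/profile/      { proxy_pass http://profile_backend; }
    location /api/v1/organisation/ { proxy_pass http://organisation_backend; }
    location /api/v1/media/        { proxy_pass http://media_backend; }
    location /admin/               { proxy_pass http://admin_portal; }

    # Exact match answered by nginx itself; nothing is proxied, so a 200 here
    # says only that the proxy is up, not that any upstream is reachable.
    location = /health {
        access_log off;
        default_type text/plain;
        return 200 "healthy\n";
    }

    # Catch-all. Longest-prefix matching means the specific locations above win.
    location / { proxy_pass http://zeswa_hub; }
}
```

X-Forwarded-For is only trustworthy to the backends when Nginx is the edge; if another proxy sits in front of it, the services must be told which hop to trust.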
Security Features
Rate Limiting
Rate limiting is applied to protect against abuse and brute-force attacks:
| Zone | Rate | Applied To |
|---|---|---|
| General | 10 r/s | All endpoints |
| Auth | 5 r/s | /api/v1/auth/* routes |
The stricter rate limit on authentication endpoints helps prevent credential stuffing and brute-force login attempts. Its value depends on the key the zone counts by: if the zone is keyed on the client address and Nginx sits behind a load balancer, every request arrives from the balancer's address and all clients share a single bucket unless the real client address is recovered from the forwarding header.
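An added example of how the two zones in the table are declared and attached (not the project's configuration; the rates are from the table, while the zone names, sizes, burst values and the 429 status are assumptions):

```nginx
# Added example, not the project's nginx.conf.

# http {} context. The key is the client address; 10m of shared memory holds
# roughly 160,000 address states, and when it fills the least recently used
# state is evicted rather than the limit failing open.
limit_req_zone $binary_remote_addr zone=general:10m rate=10r/s;
limit_req_zone $binary_remote_addr zone=auth:10m    rate=5r/s;
limit_req_status    429;    # default is 503; 429 tells well-behaved clients to back off
limit_req_log_level warn;

# Only if a load balancer or CDN sits in front of nginx. Without these, every
# client appears as the balancer's address and shares one bucket. Trust the
# header only from the addresses listed, otherwise clients can spoof it.
# set_real_ip_from  10.0.0.0/8;
# real_ip_header    X-Forwarded-For;
# real_ip_recursive on;

server {
    listen 443 ssl;
    # ...
    # Server-level default, inherited by every location that sets no limit_req.
    limit_req zone=general burst=20 nodelay;

    location /api/v1/auth/ {
        # A location-level limit_req replaces the inherited one rather than
        # stacking, so login is governed only by the stricter auth zone.
        limit_req zone=auth burst=5 nodelay;
        proxy_pass http://auth_backend;
    }

    location / {
        proxy_pass http://zeswa_hub;   # inherits zone=general
    }
}
```

burst lets a client briefly exceed the rate without being rejected; nodelay serves those requests immediately instead of queueing them. Requests over the burst are rejected with the limit_req_status code and logged at the configured level, which is what a brute-force detection should alert on.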
Request Body Size Limit
A global client_max_body_size directive limits the maximum allowed request body size. The media upload endpoint has a separate, larger limit to accommodate file uploads (see the Media Upload section below).
Security Headers
The following headers are added to all responses. In Nginx, add_header directives are inherited by a location only if that location defines no add_header of its own, so any location that sets an extra header must repeat the full set (or include a shared snippet); without the always parameter the headers are also omitted from 4xx and 5xx responses.
| Header | Value | Purpose |
|---|---|---|
| X-Frame-Options | DENY or SAMEORIGIN | Prevents clickjacking |
| X-Content-Type-Options | nosniff | Prevents MIME type sniffing |
| X-XSS-Protection | 1; mode=block | Enables the legacy browser XSS filter |
| Strict-Transport-Security | max-age=... | Enforces HTTPS for future requests |
Two caveats. The browser filter that X-XSS-Protection controls has been removed from Chromium-based browsers and never existed in Firefox; OWASP now recommends the value 0 (or omitting the header) and relying on a Content-Security-Policy instead. Strict-Transport-Security is only honoured on HTTPS responses, and once clients have cached a long max-age the site cannot fall back to plain HTTP for that period, so choose the value deliberately.
CORS Headers
Cross-Origin Resource Sharing headers are configured to allow requests from approved origins; the allowed origins should match the CORS_ORIGIN values set in the environment configuration. Access-Control-Allow-Origin must name an approved origin exactly rather than echoing whatever Origin the request carries, because a reflected origin combined with Access-Control-Allow-Credentials: true lets any site make authenticated requests with the user's cookies. Responses that vary by origin should also carry Vary: Origin so a cache does not serve one origin's grant to another.
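An added example covering both the security headers and the CORS allow-list (not the project's configuration): the headers live in one snippet so they can be re-included wherever a location adds its own add_header, and the CORS origin is chosen by a map. The origin names, the snippet path and the HSTS value are assumptions.

```nginx
# Added example, not the project's nginx.conf.

# --- nginx.conf, http {} context ---
# Decide per request whether the Origin header is approved. Unmatched origins
# map to "", and nginx does not emit an add_header whose value is empty, so
# unknown origins receive no CORS grant at all.
map $http_origin $cors_origin {
    default                          "";
    "https://app.eteamups.example"   $http_origin;
    "https://admin.eteamups.example" $http_origin;
}

# --- snippets/security-headers.conf (assumed path) ---
# "always" attaches the headers to 4xx/5xx responses too, including the 429
# from rate limiting and nginx's own error pages.
add_header X-Frame-Options           "DENY" always;
add_header X-Content-Type-Options    "nosniff" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# The table above documents "1; mode=block"; 0 is the current OWASP guidance
# because the filter no longer exists in Chromium-based browsers.
add_header X-XSS-Protection          "0" always;
# Exact approved origin or nothing; never "*" alongside Allow-Credentials.
add_header Access-Control-Allow-Origin      $cors_origin always;
add_header Access-Control-Allow-Credentials "true" always;
add_header Vary                             "Origin" always;

# --- nginx.conf, server {} context ---
server {
    listen 443 ssl;
    # ...
    include snippets/security-headers.conf;

    location /api/v1/media/ {
        # Any add_header in a location discards every server-level add_header,
        # so a location that needs an extra header re-includes the whole set.
        include snippets/security-headers.conf;
        add_header Cache-Control "no-store" always;
        proxy_pass http://media_backend;
    }
}
```

If Nginx rather than the services is to answer OPTIONS preflights, Access-Control-Allow-Methods and Access-Control-Allow-Headers belong in the same snippet; otherwise let the preflights pass through to the backends.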
Logging
Log Formats
Nginx is configured with four log formats for different use cases:
| Format | Description |
|---|---|
| Standard | Default combined log format |
| Detailed | Includes upstream response times and request duration |
| JSON | Structured JSON output for log aggregation tools |
| Security | Includes request body for auditing sensitive endpoints |
The request body captured by the Security format is whatever clients submit to those endpoints, which on login routes is the plaintext credential. Treat that log file as sensitive data (restrictive file permissions, short retention, no shipping to general-purpose log aggregation) and consider whether the audit requirement can be met without storing the raw body.
Per-Service Log Files
Each upstream service has its own log file for easier debugging and monitoring:
| Log File | Service |
|---|---|
| logs/auth.log | Auth Service |
| logs/profile.log | Profile Service |
| logs/organisation.log | Organisation Service |
| logs/media.log | Media Service |
| logs/security.log | Security audit log |
General access and error logs are also maintained.
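An added example of a JSON log format, the body-capturing audit format, and the per-service log files from the tables above (not the project's configuration). The field names and the relative log paths, which Nginx resolves against its prefix directory, are assumptions.

```nginx
# Added example, not the project's nginx.conf.

# http {} context. escape=json escapes user-controlled fields (URI, User-Agent,
# Referer) so a crafted header cannot break a record or forge a new one.
log_format json_combined escape=json
    '{"time":"$time_iso8601",'
    '"remote_addr":"$remote_addr",'
    '"request_id":"$request_id",'
    '"method":"$request_method",'
    '"uri":"$uri",'
    '"status":$status,'
    '"body_bytes_sent":$body_bytes_sent,'
    '"request_time":$request_time,'
    '"upstream_addr":"$upstream_addr",'
    '"upstream_response_time":"$upstream_response_time",'
    '"user_agent":"$http_user_agent",'
    '"referer":"$http_referer"}';

# Audit format. $request_body is populated only after nginx has read the body
# to proxy it, and on login it holds the plaintext credential, so the file it
# feeds must be permissioned and retained like a secret, not like a normal log.
log_format security escape=json
    '{"time":"$time_iso8601","remote_addr":"$remote_addr",'
    '"request_id":"$request_id","method":"$request_method","uri":"$uri",'
    '"status":$status,"body":"$request_body"}';

server {
    listen 443 ssl;
    # ...
    access_log logs/access.log json_combined;
    error_log  logs/error.log  warn;

    location /api/v1/auth/ {
        # access_log in a location replaces the inherited directive, so the
        # general log is listed again next to the per-service and audit files.
        access_log logs/access.log   json_combined;
        access_log logs/auth.log     json_combined;
        access_log logs/security.log security;
        proxy_pass http://auth_backend;
    }
    location /api/v1/profile/ {
        access_log logs/access.log  json_combined;
        access_log logs/profile.log json_combined;
        proxy_pass http://profile_backend;
    }
    location /api/v1/organisation/ {
        access_log logs/access.log       json_combined;
        access_log logs/organisation.log json_combined;
        proxy_pass http://organisation_backend;
    }
    location /api/v1/media/ {
        access_log logs/access.log json_combined;
        access_log logs/media.log  json_combined;
        proxy_pass http://media_backend;
    }
}
```

$request_id is a per-request random identifier; forwarding it to the services as a header lets the proxy log and the service logs be joined during an investigation. $upstream_response_time is quoted because it becomes a comma-separated list when Nginx retries another upstream.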
Log Rotation
Log rotation is configured separately via scripts/setup-log-rotation.sh. This script sets up logrotate rules to prevent log files from consuming excessive disk space.
Health Check Endpoint
Nginx exposes a health check endpoint that returns a simple response to confirm the proxy is running:
GET /health
Returns the text healthy with a 200 status code. The response is generated by Nginx itself and does not proxy to any backend service, so a 200 confirms only that the proxy is up, not that any upstream is reachable.
Media Upload Handling
The media upload route has a dedicated location block with an increased request body size limit to support large file uploads:
```nginx
location /api/v1/media/upload {
    client_max_body_size 50m;   # example value; set to the deployment's configured upload limit
    proxy_pass http://media_backend;
}
```
This override ensures that file uploads are not rejected by the default body size limit while keeping the global limit restrictive for all other endpoints. Because this is a prefix location, Nginx selects it for any URI under /api/v1/media/upload; everything else under /api/v1/media/ still matches the general media route and the global limit. A request whose body exceeds the applicable limit is rejected with 413 Request Entity Too Large before it reaches the service.