diff --git a/.gitignore b/.gitignore
index d8f17863..3c9a209d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -34,6 +34,7 @@ **/fluxer.env
 **/secrets.env
 /dev/fluxer.env
+/dev/secret.txt
 # Logs, temporary files, and binaries
 **/*.beam
diff --git a/dev/Caddyfile.dev b/dev/Caddyfile.dev
index 327e9b62..dd5d5153 100644
--- a/dev/Caddyfile.dev
+++ b/dev/Caddyfile.dev
@@ -1,59 +1,91 @@
 :8088 {
 encode zstd gzip
+ # Security headers
+ header {
+ # HSTS
+ Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+ # Prevent clickjacking
+ X-Frame-Options "SAMEORIGIN"
+ # XSS protection
+ X-Content-Type-Options "nosniff"
+ # Referrer policy
+ Referrer-Policy "strict-origin-when-cross-origin"
+ # Remove server info
+ -Server
+ }
+
 @api path /api/*
 handle @api {
 handle_path /api/* {
- reverse_proxy api:8080
+ reverse_proxy api:8080 {
+ header_up X-Forwarded-For {remote}
+ }
 }
 }
 @media path /media/*
 handle @media {
 handle_path /media/* {
- reverse_proxy media:8080
+ reverse_proxy media:8080 {
+ header_up X-Forwarded-For {remote}
+ }
 }
 }
 @s3 path /s3/*
 handle @s3 {
 handle_path /s3/* {
- reverse_proxy minio:9000
+ reverse_proxy minio:9000 {
+ header_up X-Forwarded-For {remote}
+ }
 }
 }
 @admin path /admin /admin/*
 handle @admin {
 uri strip_prefix /admin
- reverse_proxy admin:8080
+ reverse_proxy admin:8080 {
+ header_up X-Forwarded-For {remote}
+ }
 }
 @marketing path /marketing /marketing/*
 handle @marketing {
 uri strip_prefix /marketing
- reverse_proxy marketing:8080
+ reverse_proxy marketing:8080 {
+ header_up X-Forwarded-For {remote}
+ }
 }
 @gateway path /gateway /gateway/*
 handle @gateway {
 uri strip_prefix /gateway
- reverse_proxy gateway:8080
+ reverse_proxy gateway:8080 {
+ header_up X-Forwarded-For {remote}
+ }
 }
 @livekit path /livekit /livekit/*
 handle @livekit {
 handle_path /livekit/* {
- reverse_proxy livekit:7880
+ reverse_proxy livekit:7880 {
+ header_up X-Forwarded-For {remote}
+ }
 }
 }
 @metrics path /metrics /metrics/*
 handle @metrics {
 uri strip_prefix /metrics
- reverse_proxy metrics:8080
+ reverse_proxy metrics:8080 {
+ header_up X-Forwarded-For {remote}
+ }
 }
 handle {
- reverse_proxy host.docker.internal:3000
+ root * /app/dist
+ try_files {path} /index.html
+ file_server
 }
 }
diff --git a/dev/compose.yaml b/dev/compose.yaml
index a6674672..1500b346 100644
--- a/dev/compose.yaml
+++ b/dev/compose.yaml
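Review bot: Every `header_up X-Forwarded-For {remote}` line in this hunk uses `{remote}`, which in Caddy expands to the client address including the port, so the upstreams receive an `ip:port` string where they expect a bare IP; the placeholder for the address alone is `{remote_host}`, i.e. `header_up X-Forwarded-For {remote_host}`. Caddy's reverse_proxy already populates X-Forwarded-For itself, so the explicit header_up may be redundant — worth confirming against the Caddy version in use before keeping it on all eight proxies. The comment `# XSS protection` above `X-Content-Type-Options "nosniff"` is inaccurate, since that header stops MIME-type sniffing; `# Prevent MIME type sniffing` describes it. Note also that `Strict-Transport-Security` with `preload` is only honoured by browsers over HTTPS, which this plaintext `:8088` listener does not terminate, so the line is inert here and becomes a hard-to-revoke commitment if the block is copied to a TLS-terminating deployment.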
@@ -95,6 +95,7 @@ services:
 - PORT=8080
 - APP_MODE=admin
 - FLUXER_METRICS_HOST=metrics:8080
+ - FLUXER_API_PUBLIC_ENDPOINT=http://api:8080
 volumes:
 - admin_build:/workspace/build
 networks:
diff --git a/fluxer_api/src/rate_limit_configs/AuthRateLimitConfig.ts b/fluxer_api/src/rate_limit_configs/AuthRateLimitConfig.ts
index 6a070c3c..c3dd3fa9 100644
--- a/fluxer_api/src/rate_limit_configs/AuthRateLimitConfig.ts
+++ b/fluxer_api/src/rate_limit_configs/AuthRateLimitConfig.ts
@@ -22,12 +22,12 @@ import type {RouteRateLimitConfig} from '~/middleware/RateLimitMiddleware';
 export const AuthRateLimitConfigs = {
 AUTH_REGISTER: {
 bucket: 'auth:register',
- config: {limit: 10, windowMs: 10000},
+ config: {limit: 50, windowMs: 60000},
 } as RouteRateLimitConfig,
 AUTH_LOGIN: {
 bucket: 'auth:login',
- config: {limit: 10, windowMs: 10000},
+ config: {limit: 50, windowMs: 60000},
 } as RouteRateLimitConfig,
 AUTH_LOGIN_MFA: {
diff --git a/fluxer_app/rspack.config.mjs b/fluxer_app/rspack.config.mjs
index 4c519038..556f6d05 100644
--- a/fluxer_app/rspack.config.mjs
+++ b/fluxer_app/rspack.config.mjs
@@ -33,7 +33,7 @@ const DIST_DIR = path.join(ROOT_DIR, 'dist');
 const PKGS_DIR = path.join(ROOT_DIR, 'pkgs');
 const PUBLIC_DIR = path.join(ROOT_DIR, 'assets');
-const CDN_ENDPOINT = 'https://fluxerstatic.com';
+const CDN_ENDPOINT = process.env.CDN_ENDPOINT || '';
 const isProduction = process.env.NODE_ENV === 'production';
 const isDevelopment = !isProduction;
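Review bot: `FLUXER_API_PUBLIC_ENDPOINT=http://api:8080` names a "public" endpoint but points at the compose-internal `api` hostname, which only resolves inside the compose network; if the admin service ever hands this value to a browser, those requests fail, whereas the browser-reachable path in this dev setup is the Caddy `/api/*` route on `:8088`. If the variable is consumed server-side only, the internal address is the right one, and a comment such as `# server-to-server address; browsers reach the API through Caddy's /api route` would stop the next reader from "fixing" it. The consumer of this variable is outside the hunk, so this is inferred from the name alone.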
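Review bot: The new `config: {limit: 50, windowMs: 60000}` on AUTH_LOGIN and AUTH_REGISTER changes the burst profile rather than only the rate — 50 attempts can now arrive back-to-back inside one window, where the old 10-per-10 s setting capped any burst at 10 — and nothing in the hunk records why. A one-line comment on each entry, e.g. `// 50 attempts per 60 s: room for legitimate retries while still bounding credential guessing`, would make the trade-off deliberate. Whether the bucket is keyed per client or per account is decided in RateLimitMiddleware, outside this hunk, and that determines how much protection `auth:login` actually gives; if it is per-client only, a separate limit on failed logins per account is the usual complement.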
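Review bot: `const CDN_ENDPOINT = process.env.CDN_ENDPOINT || '';` falls back to an empty string, so a production build run without the variable set silently loses the CDN prefix that was previously hard-coded, which is easy to miss until assets resolve against the wrong origin. If an empty value is a supported configuration (assets served from the app origin), a comment saying so, `// empty: assets are served from the app origin; set CDN_ENDPOINT to prefix them with a CDN`, makes that deliberate; otherwise a guard placed after `isProduction` is defined, `if (isProduction && CDN_ENDPOINT === '') throw new Error('CDN_ENDPOINT must be set for production builds');`, fails fast at build time. How CDN_ENDPOINT is consumed lies outside the hunk.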