From 685da0064727df27e444fe4da2be20efe96af9cd Mon Sep 17 00:00:00 2001
From: Jamil
Date: Wed, 2 Mar 2022 08:09:31 -0800
Subject: [PATCH] Update nginx config and docs with user recs (#481)
* Update nginx config and docs with user recs
* Fix typo
---
 docs/docs/reference/configuration-file.md | 8 ++++++--
 omnibus/cookbooks/firezone/attributes/default.rb | 12 ++++++++++--
 omnibus/cookbooks/firezone/templates/nginx.conf.erb | 9 +++++++++
 .../firezone/templates/phoenix.nginx.conf.erb | 4 ++++
 4 files changed, 29 insertions(+), 4 deletions(-)
diff --git a/docs/docs/reference/configuration-file.md b/docs/docs/reference/configuration-file.md
index 7c0987478..e8603935b 100644
--- a/docs/docs/reference/configuration-file.md
+++ b/docs/docs/reference/configuration-file.md
@@ -64,8 +64,8 @@ Shown below is a complete listing of the configuration options available in
 | `default['firezone']['nginx']['worker_processes']` | Number of nginx worker processes. | `node['cpu'] && node['cpu']['total'] ? node['cpu']['total'] : 1` |
 | `default['firezone']['nginx']['worker_connections']` | Max number of simultaneous connections that can be opened by a worker process. | `1024` |
 | `default['firezone']['nginx']['worker_rlimit_nofile']` | Changes the limit on the maximum number of open files for worker processes. Uses nginx default if nil. | `nil` |
-| `default['firezone']['nginx']['multi_accept']` | Whether workers should accept one connection at a time or multiple. | `false` |
-| `default['firezone']['nginx']['event']` | Specifies the connection processing method to use inside nginx events context. | `nil` |
+| `default['firezone']['nginx']['multi_accept']` | Whether workers should accept one connection at a time or multiple. | `true` |
+| `default['firezone']['nginx']['event']` | Specifies the connection processing method to use inside nginx events context. | `'epoll'` |
 | `default['firezone']['nginx']['server_tokens']` | Enables or disables emitting nginx version on error pages and in the “Server” response header field. | `nil` |
 | `default['firezone']['nginx']['server_names_hash_bucket_size']` | Sets the bucket size for the server names hash tables. | `64` |
 | `default['firezone']['nginx']['sendfile']` | Enables or disables the use of nginx's `sendfile()`. | `'on'` |
@@ -78,6 +78,10 @@ Shown below is a complete listing of the configuration options available in
 | `default['firezone']['nginx']['client_body_buffer_size']` | nginx client body buffer size. Set to `nil` to use nginx default. | `nil` |
 | `default['firezone']['nginx']['client_max_body_size']` | nginx client max body size. | `'250m'` |
 | `default['firezone']['nginx']['default']['modules']` | Specify additional nginx modules. | `[]` |
+| `default['firezone']['nginx']['enable_rate_limiting']` | Enable or disable nginx rate limiting. | `true` |
+| `default['firezone']['nginx']['rate_limiting_zone_name']` | Nginx rate limiting zone name. | `'firezone'` |
+| `default['firezone']['nginx']['rate_limiting_backoff']` | Nginx rate limiting backoff. | `'10m'` |
+| `default['firezone']['nginx']['rate_limit']` | Nginx rate limit. | `'10r/s'` |
 | `default['firezone']['postgresql']['enabled']` | Enable or disable bundled Postgresql. Set to `false` and fill in the `database` options below to use your own Postgresql instance. | `true` |
 | `default['firezone']['postgresql']['username']` | Username for Postgresql. | `node['firezone']['user']` |
 | `default['firezone']['postgresql']['data_directory']` | Postgresql data directory. | `"#{node['firezone']['var_directory']}/postgresql/13.3/data"` |
diff --git a/omnibus/cookbooks/firezone/attributes/default.rb b/omnibus/cookbooks/firezone/attributes/default.rb
index b06da1d63..52eb5f74b 100644
--- a/omnibus/cookbooks/firezone/attributes/default.rb
+++ b/omnibus/cookbooks/firezone/attributes/default.rb
@@ -128,8 +128,8 @@ default['firezone']['nginx']['keepalive_timeout'] = 65 default['firezone']['nginx']['worker_processes'] = node['cpu'] && node['cpu']['total'] ? node['cpu']['total'] : 1 default['firezone']['nginx']['worker_connections'] = 1024 default['firezone']['nginx']['worker_rlimit_nofile'] = nil -default['firezone']['nginx']['multi_accept'] = false -default['firezone']['nginx']['event'] = nil +default['firezone']['nginx']['multi_accept'] = true +default['firezone']['nginx']['event'] = 'epoll' default['firezone']['nginx']['server_tokens'] = nil default['firezone']['nginx']['server_names_hash_bucket_size'] = 64 default['firezone']['nginx']['sendfile'] = 'on' @@ -143,6 +143,14 @@ default['firezone']['nginx']['client_body_buffer_size'] = nil default['firezone']['nginx']['client_max_body_size'] = '250m' default['firezone']['nginx']['default']['modules'] = [] +# Nginx rate limiting configuration. +# Note that requests are also rate limited by the upstream Phoenix application. +default['firezone']['nginx']['enable_rate_limiting'] = true +default['firezone']['nginx']['rate_limiting_zone_name'] = 'firezone' +default['firezone']['nginx']['rate_limiting_backoff'] = '10m' +default['firezone']['nginx']['rate_limit'] = '10r/s' + + # ## Postgres # ### Use the bundled Postgres instance (default, recommended): diff --git a/omnibus/cookbooks/firezone/templates/nginx.conf.erb b/omnibus/cookbooks/firezone/templates/nginx.conf.erb index f02c0bf5e..b761d165b 100644 --- a/omnibus/cookbooks/firezone/templates/nginx.conf.erb +++ b/omnibus/cookbooks/firezone/templates/nginx.conf.erb 
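Review bot: `default['firezone']['nginx']['event'] = 'epoll'` pins a Linux-only connection-processing method, whereas the previous `nil` let nginx choose the most efficient method available, which on Linux is already epoll, so the explicit value gains nothing there and makes nginx refuse the generated config on any build that lacks epoll support. If the omnibus package is only ever built for Linux that is acceptable, but the attribute should say so: `# Linux-only; set to nil to let nginx auto-select the event method on other kernels.`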
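Review bot: `rate_limiting_backoff` is substituted into the size half of `zone=name:size` in `limit_req_zone` (nginx.conf.erb in this same patch), so `'10m'` is 10 megabytes of shared memory for the per-address state table, not a backoff or time window; the name, and the `Nginx rate limiting backoff` row added to configuration-file.md, invite operators to set a duration such as `'30s'`, which nginx rejects where a size is expected. Either rename the key (e.g. `rate_limiting_zone_size`, keeping the old key readable for compatibility) or at minimum document it here: `# Shared-memory size of the limit_req zone (k/m suffix, e.g. '10m'); not a time or backoff value.`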
@@ -84,6 +84,15 @@ http { limit_req_zone $binary_remote_addr zone=<%= @nginx['rate_limiting_zone_name'] %>:<%= @nginx['rate_limiting_backoff'] %> rate=<%= @nginx['rate_limit'] %>; <% end -%> + + # Security headers + add_header X-XSS-Protection "1; mode=block" always; + add_header X-Content-Type-Options "nosniff" always; + add_header Referrer-Policy "no-referrer-when-downgrade" always; + add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always; + add_header Permissions-Policy "interest-cohort=()" always; + add_header Cache-Control "public, max-age=2700"; + include <%= @nginx['dir'] %>/conf.d/*.conf; include <%= @nginx['dir'] %>/sites-enabled/*; } diff --git a/omnibus/cookbooks/firezone/templates/phoenix.nginx.conf.erb b/omnibus/cookbooks/firezone/templates/phoenix.nginx.conf.erb index 9770a3c25..a9a8c4404 100644 --- a/omnibus/cookbooks/firezone/templates/phoenix.nginx.conf.erb +++ b/omnibus/cookbooks/firezone/templates/phoenix.nginx.conf.erb @@ -18,6 +18,10 @@ server { server_name <%= @fqdn %>; <% if @nginx['force_ssl'] -%> location / { + <% if @nginx['enable_rate_limiting'] -%> + limit_req zone=<%= @nginx['rate_limiting_zone_name'] %>; + + <% end -%> if ($http_x_forwarded_proto != 'https') { return 301 https://$server_name$request_uri; }
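Review bot: `add_header Cache-Control "public, max-age=2700";` sits in the `http` block, so it is attached to every 2xx/3xx response no lower block overrides, including dynamic, authenticated responses proxied from the Phoenix application, and `public` explicitly allows shared caches (corporate proxies, CDNs) to store them for 45 minutes; if the upstream already emits its own Cache-Control, `add_header` appends a second, conflicting header instead of replacing it. That directive belongs on a static-asset location, not on the whole server. Note also nginx's inheritance rule: a single `add_header` in any nested server/location block discards all of these http-level headers for that block, so the security headers are only guaranteed where nothing below sets one, which deserves a comment such as `# Inherited only by server/location blocks that define no add_header of their own.`. The CSP `default-src 'self' http: https: data: blob: 'unsafe-inline'` permits scripts from any origin and inline, so in practice only `frame-ancestors 'self'` constrains anything; either state that it is intentionally permissive or tighten it.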
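Review bot: `limit_req zone=<%= @nginx['rate_limiting_zone_name'] %>;` has no `burst` parameter, so every request above 10r/s from one address is rejected immediately (503 by default) with no queueing, and a single page load fetching several assets in parallel can trip it. The zone is keyed on `$binary_remote_addr` (nginx.conf.erb in this patch) while this same location reads `$http_x_forwarded_proto`, i.e. deployments behind a proxy or load balancer are anticipated; there every client shares the proxy's address and one busy client throttles all of them. Consider `limit_req zone=<%= @nginx['rate_limiting_zone_name'] %> burst=20 nodelay;` (burst value constructed as an example, ideally exposed as an attribute) and keying on the real client address when behind a trusted proxy. The directive is only added inside the `force_ssl` branch; whether the non-`force_ssl` location gets the same protection is outside the hunk, as is the rest of `location /`.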