add RPC nginx configs

templates/configs/rpcs/backend.conf

@@ -0,0 +1,38 @@
+# Define a zone for rate limiting
+limit_req_zone $binary_remote_addr zone=rpc-limt:10m rate=200r/s;
+
+map $http_upgrade $connection_upgrade {
+  default upgrade;
+  ''      close;
+}
+
+server {
+    root /var/www/html;
+    index index.html index.htm index.nginx-debian.html;
+    server_name _;
+
+    # Apply rate limiting to all locations
+    limit_req zone=rpc-limt burst=300 nodelay;
+
+    location / {
+        proxy_buffering off;
+        proxy_pass http://127.0.0.1:9944;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_http_version 1.1;
+    }
+
+    location /ws {
+        proxy_pass http://127.0.0.1:9944;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_http_version 1.1;
+        proxy_buffers 16 16k;
+        proxy_buffer_size 16k;
+        proxy_set_header Upgrade "$http_upgrade";
+        proxy_set_header Connection $connection_upgrade;
+        proxy_cache_bypass $http_upgrade;
+    }
+}

templates/configs/rpcs/nginx.conf

@@ -0,0 +1,108 @@
+user www-data;
+worker_processes auto;
+worker_rlimit_nofile 32000;
+pid /run/nginx.pid;
+#include /etc/nginx/modules-enabled/*.conf;
+#load_module modules/ngx_http_modsecurity_module.so;
+
+events {
+	worker_connections 4096;
+	multi_accept on;
+	use epoll;
+}
+
+http {
+
+	##
+	# Basic Settings
+	##
+
+	sendfile on;
+	tcp_nopush on;
+	tcp_nodelay on;
+	keepalive_timeout 120;
+	send_timeout 120;
+	keepalive_requests 10000;
+	keepalive_disable none;
+	reset_timedout_connection on;
+	proxy_ignore_client_abort on;
+	client_body_timeout 120;
+	client_header_timeout 120;
+	types_hash_max_size 2048;
+	underscores_in_headers on;
+	# server_tokens off;
+
+	server_names_hash_bucket_size 128;
+	# server_name_in_redirect off;
+
+	include /etc/nginx/mime.types;
+	default_type application/json;
+
+	# Buffers
+	client_body_buffer_size 128K;
+	client_header_buffer_size 1k;
+	client_max_body_size 1m;
+	large_client_header_buffers 4 64k;
+
+	##
+	# SSL Settings
+	##
+	ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE and TLS 1.1, ref: BEAST/CRIME
+	ssl_prefer_server_ciphers on;
+	ssl_session_cache shared:SSL:20m;
+	ssl_session_timeout 10m;
+	ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+	ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+	ssl_stapling on;
+	ssl_stapling_verify on;
+
+	# Security
+	add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
+	add_header X-XSS-Protection "1; mode=block";
+	add_header X-Frame-Options "SAMEORIGIN";
+	add_header X-Content-Type-Options nosniff;
+
+
+	# Add CORS for Explorer
+	#add_header Access-Control-Allow-Origin *;
+	#add_header Access-Control-Max-Age 3600;
+	#add_header Access-Control-Expose-Headers Content-Length;
+
+
+	# Proxy settings
+	proxy_read_timeout 120;
+	proxy_connect_timeout 75;
+	proxy_send_timeout 120;
+	proxy_intercept_errors on;
+
+	##
+	# Logging Settings
+	##
+
+	log_format compression '$remote_addr - [$time_local] $request $status $body_bytes_sent $http_referer $http_user_agent $gzip_ratio';
+
+	access_log /var/log/nginx/access.log;
+	error_log /var/log/nginx/error.log;
+
+	##
+	# Gzip Settings
+	##
+
+	gzip on;
+
+	gzip_vary on;
+	gzip_proxied expired no-cache no-store private auth;
+	gzip_comp_level 2;
+	gzip_buffers 16 8k;
+	gzip_http_version 1.1;
+	gzip_min_length 256;
+	gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+	##
+	# Virtual Host Configs
+	##
+
+	include /etc/nginx/backend.conf;
+	include /etc/nginx/conf.d/*.conf;
+	include /etc/nginx/sites-enabled/*;
+}