Waygate MCP

# nginx.conf - Security-hardened Nginx configuration for Waygate MCP user nginx; worker_processes auto; error_log /var/log/nginx/error.log warn; pid /var/run/nginx.pid; # Security: Limit worker connections events { worker_connections 1024; use epoll; multi_accept on; } http { include /etc/nginx/mime.types; default_type application/octet-stream; # Security: Hide nginx version server_tokens off; # Security: Logging format with security info log_format security '$remote_addr - $remote_user [$time_local] ' '"$request" $status $body_bytes_sent ' '"$http_referer" "$http_user_agent" ' '$ssl_protocol/$ssl_cipher'; access_log /var/log/nginx/access.log security; # Performance optimizations sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 65; types_hash_max_size 2048; # Security: Timeouts to prevent slowloris attacks client_body_timeout 10; client_header_timeout 10; send_timeout 10; # Security: Size limits client_body_buffer_size 1K; client_header_buffer_size 1k; client_max_body_size 10M; large_client_header_buffers 2 1k; # Security: SSL Configuration ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384'; ssl_prefer_server_ciphers off; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; ssl_session_tickets off; ssl_stapling on; ssl_stapling_verify on; # Security: Headers add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; # Gzip compression gzip on; gzip_vary on; gzip_min_length 1024; gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; # Rate limiting zones limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s; limit_req_zone $binary_remote_addr zone=general_limit:10m rate=30r/s; limit_conn_zone $binary_remote_addr zone=conn_limit:10m; # Upstream configuration for Waygate MCP upstream waygate_backend { least_conn; server waygate:8000 max_fails=3 fail_timeout=30s; keepalive 32; } # HTTP to HTTPS redirect server { listen 80; listen [::]:80; server_name _; # Security: Redirect all HTTP to HTTPS return 301 https://$host$request_uri; } # HTTPS server server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name localhost; # Change to your domain # SSL certificates (generate with certbot or your CA) ssl_certificate /etc/nginx/ssl/cert.pem; ssl_certificate_key /etc/nginx/ssl/key.pem; ssl_dhparam /etc/nginx/ssl/dhparam.pem; # Security: Limit connections limit_conn conn_limit 10; # Logs access_log /var/log/nginx/waygate.access.log security; error_log /var/log/nginx/waygate.error.log warn; # Health check endpoint (no rate limiting) location /health { proxy_pass http://waygate_backend; proxy_http_version 1.1; proxy_set_header Connection ""; access_log off; } # Metrics endpoint (restricted access) location /metrics { # Security: Restrict to internal networks allow 127.0.0.1; allow 10.0.0.0/8; allow 172.16.0.0/12; allow 192.168.0.0/16; deny all; proxy_pass http://waygate_backend; proxy_http_version 1.1; proxy_set_header Connection ""; } # API endpoints with rate limiting location /mcp/ { # Security: Rate limiting limit_req zone=api_limit burst=20 nodelay; limit_req_status 429; # CORS headers for API add_header Access-Control-Allow-Origin $http_origin always; add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always; add_header Access-Control-Allow-Headers "Authorization, Content-Type, X-API-Key" always; add_header Access-Control-Max-Age 86400 always; if ($request_method = OPTIONS) { return 204; } proxy_pass http://waygate_backend; proxy_http_version 1.1; proxy_set_header Connection ""; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Request-ID $request_id; # Timeouts proxy_connect_timeout 30s; proxy_send_timeout 30s; proxy_read_timeout 30s; # Buffering proxy_buffering on; proxy_buffer_size 4k; proxy_buffers 8 4k; proxy_busy_buffers_size 8k; } # Documentation (if enabled) location /docs { # Security: Restrict to internal networks in production # allow 127.0.0.1; # allow 10.0.0.0/8; # deny all; proxy_pass http://waygate_backend; proxy_http_version 1.1; proxy_set_header Connection ""; proxy_set_header Host $host; } # Main application location / { # Security: General rate limiting limit_req zone=general_limit burst=50 nodelay; proxy_pass http://waygate_backend; proxy_http_version 1.1; proxy_set_header Connection ""; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # WebSocket support proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; # Timeouts proxy_connect_timeout 30s; proxy_send_timeout 30s; proxy_read_timeout 30s; } # Security: Deny access to hidden files location ~ /\. { deny all; access_log off; log_not_found off; } # Security: Deny access to backup files location ~ ~$ { deny all; access_log off; log_not_found off; } # Custom error pages error_page 400 401 402 403 404 /40x.html; error_page 500 502 503 504 /50x.html; location = /40x.html { root /usr/share/nginx/html; internal; } location = /50x.html { root /usr/share/nginx/html; internal; } } }