TL;DR

  • Only the main gateway exposes 80/443.
  • Internal ports are loopback-only.
  • TLS is limited to 1.2/1.3 with a hardened cipher list; access logs are split by status class.
  • Rate limits and health endpoints are in place.

Controls in Place

Port exposure and isolation

  • Test-proxy listens on 127.0.0.1:7777 only.
  • Sidecar listens on 127.0.0.1:2001 only.
  • External access is possible only through the main gateway on 80/443; no other service binds a non-loopback address.

Gateway hardening

  • Default (catch-all) HTTP server: return 444, so requests for any Host that no named server claims get the connection closed without a response.
  • Default HTTPS server: ssl_reject_handshake on (nginx 1.19.4 or newer), so the handshake is aborted for unknown SNI names and no certificate is presented.
  • TLS 1.2/1.3 only with a hardened cipher list; HSTS is added only after the certificate chain has been validated end to end, because a pinned misconfiguration locks clients out for the full max-age.
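The port isolation and the gateway catch-all servers above, written out as one nginx configuration. This is an added example, not the page's own config: the hostnames, certificate paths, cipher list and the assumption that the gateway forwards to the test-proxy (which forwards to the sidecar) are mine; the loopback addresses and ports are the ones listed above.

```nginx
# --- Internal service: loopback only ---------------------------------------
# WEAK:   listen 7777;        binds 0.0.0.0:7777 and is reachable from the network
# RIGHT:  name the loopback address explicitly.
server {
    listen 127.0.0.1:7777;
    server_name test-proxy.internal;          # assumed name
    location / {
        proxy_pass http://127.0.0.1:2001;     # sidecar, also loopback-only
    }
}

# --- Catch-all servers on the main gateway ---------------------------------
# Any Host that no named server claims lands here. 444 is nginx-specific:
# close the connection without sending a response, so scanners learn nothing.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;
}

# Same idea one layer down: abort the TLS handshake for unknown SNI names
# before any certificate is sent (nginx 1.19.4 or newer). No ssl_certificate
# is needed in this block, so no "default" certificate leaks real hostnames.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
}

# --- A real hostname ---------------------------------------------------------
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.example.com;              # assumed name

    ssl_certificate     /etc/letsencrypt/live/www.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;

    # TLS 1.2 and 1.3 only; AEAD suites with forward secrecy. With OpenSSL,
    # ssl_ciphers governs the TLS 1.2 list only; TLS 1.3 suites stay enabled.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;                  # tickets weaken forward secrecy unless rotated

    # HSTS only once the chain has been checked end to end. Start with a short
    # max-age: a long one turns any certificate mistake into a lock-out that
    # lasts for max-age. "always" keeps the header on error responses too.
    add_header Strict-Transport-Security "max-age=300" always;

    location / {
        proxy_pass http://127.0.0.1:7777;     # test-proxy
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Check the catch-alls from outside with `curl -sv -H 'Host: unknown.invalid' http://<gateway>/` (the connection is closed with no status line) and `openssl s_client -connect <gateway>:443 -servername unknown.invalid` (handshake failure, no certificate). Once the real hostname verifies cleanly against the full chain, raise the HSTS max-age.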

Request limiting and logging

  • limit_conn_zone and limit_req_zone are defined in test-proxy; a zone enforces nothing until a limit_conn or limit_req directive applies it in a server or location block.
  • A single log_format main; access logs are split by status class (2xx/3xx, 4xx, 5xx) using access_log if= conditions.

Real client IP handling

  • real_ip_header X-Forwarded-For with set_real_ip_from limited to trusted upstream CIDRs, so a client cannot choose its own address by supplying the header; when more than one trusted hop appends to it, real_ip_recursive on is needed to walk past all of them.
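Rate limiting, the status-split logs and real client IP handling belong together, because the limit zones key on $binary_remote_addr and that value is only correct once the realip module has rewritten it. The following is an added example of the test-proxy's http {} context, not the page's own config; the trusted CIDR 10.0.0.0/8, the rate, burst and log paths are assumptions, 127.0.0.1 is the main gateway on the same host as listed above.

```nginx
# http {} context of the test-proxy.

# Trust X-Forwarded-For only on connections from a trusted hop; every other
# peer keeps its TCP source address, so a client cannot pick its own IP.
set_real_ip_from 127.0.0.1;            # main gateway, same host
set_real_ip_from 10.0.0.0/8;           # assumed: other trusted hops
real_ip_header   X-Forwarded-For;
# Walk the header right to left past every trusted hop instead of taking the
# last address blindly (matters when two trusted proxies both append).
real_ip_recursive on;

# The realip module runs in the post-read phase, before limit_req/limit_conn,
# so $binary_remote_addr is already the real client and the limit is per
# client rather than per gateway.
limit_req_zone  $binary_remote_addr zone=req_per_ip:10m  rate=10r/s;
limit_conn_zone $binary_remote_addr zone=conn_per_ip:10m;
limit_req_status  429;
limit_conn_status 429;
limit_req_log_level warn;

# One log_format; the file a line goes to is chosen by status class.
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                '$status $body_bytes_sent "$http_referer" "$http_user_agent" '
                'xff="$http_x_forwarded_for" rt=$request_time';

map $status $log_ok  { ~^[23] 1; default 0; }   # 2xx and 3xx
map $status $log_4xx { ~^4    1; default 0; }   # client errors, incl. 429 and 444
map $status $log_5xx { ~^5    1; default 0; }   # server and upstream errors

access_log /var/log/nginx/access-ok.log  main if=$log_ok;
access_log /var/log/nginx/access-4xx.log main if=$log_4xx;
access_log /var/log/nginx/access-5xx.log main if=$log_5xx;

server {
    listen 127.0.0.1:7777;

    # Defining a zone enforces nothing; each location to be limited applies it.
    # burst= absorbs short spikes, nodelay serves them immediately and rejects
    # only what exceeds the burst.
    location / {
        limit_req  zone=req_per_ip burst=20 nodelay;
        limit_conn conn_per_ip 20;
        proxy_pass http://127.0.0.1:2001;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP       $remote_addr;
    }
}
```

Two checks worth running after a reload: `nginx -t`, then a burst of more than 30 requests from one client through the gateway, which should produce 429 lines in access-4xx.log carrying the client's address rather than 127.0.0.1. If the 429 lines show 127.0.0.1, the gateway is not in set_real_ip_from and every client is sharing one bucket.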

Health endpoints

  • /__nginx_ok, /__gw_ok, /__app_ok return 200 when the corresponding layer is healthy; they should answer only probe sources and stay out of the access logs.
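The health endpoints above as an added nginx example (not the page's own config). It assumes the layout already described (gateway to test-proxy on 7777, test-proxy to sidecar on 2001), that /__gw_ok and /__app_ok are meant to probe those two hops, a monitoring network of 10.0.0.0/8 and an application health path of /healthz; all four are assumptions.

```nginx
# Inside the gateway's server {} for a real hostname. The test-proxy carries
# the same /__nginx_ok location so that /__gw_ok has something to hit.

# Every probe: answered only to probe sources (everyone else gets 403), not
# logged, and with short timeouts so a hung upstream fails the check instead
# of tying up the prober.

# /__nginx_ok: nginx itself is up. Served directly, no upstream involved.
location = /__nginx_ok {
    allow 127.0.0.1;
    allow 10.0.0.0/8;             # assumed monitoring network
    deny  all;
    access_log off;
    default_type text/plain;
    return 200 "ok\n";
}

# /__gw_ok: the gateway can reach the test-proxy.
location = /__gw_ok {
    allow 127.0.0.1;
    allow 10.0.0.0/8;
    deny  all;
    access_log off;
    proxy_pass http://127.0.0.1:7777/__nginx_ok;
    proxy_connect_timeout 1s;
    proxy_read_timeout    1s;
    proxy_next_upstream   off;    # no retries: a probe must not mask flapping
}

# /__app_ok: the application behind the sidecar answers. An upstream failure
# surfaces as 502/504, never as a synthetic 200.
location = /__app_ok {
    allow 127.0.0.1;
    allow 10.0.0.0/8;
    deny  all;
    access_log off;
    proxy_pass http://127.0.0.1:2001/healthz;   # assumed app health path
    proxy_connect_timeout 1s;
    proxy_read_timeout    2s;
    proxy_next_upstream   off;
}
```

Because proxy_pass carries a URI, the exact-match location swaps /__gw_ok for /__nginx_ok on the way to the test-proxy, so the internal name never has to be exposed on the gateway.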

ACME and certificates

  • ACME via HTTP-01 on port 80; wildcard names need DNS-01, since HTTP-01 cannot issue wildcard certificates.
  • Private keys should be readable only by the user that loads them (root for an nginx master that drops privileges to the worker user, otherwise the proxy user), mode 0600 and never world-readable.
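The ACME setup above interacts with the 444 catch-all: the challenge path has to be served from a named server block, otherwise the validation request for an unknown Host is dropped. The following is an added example, not the page's own config; the hostnames, the webroot /var/www/acme and the certbot invocations are assumptions.

```nginx
# Port 80 for the real hostnames. Only the HTTP-01 challenge path is served in
# clear; everything else is sent to HTTPS. Requests for any other Host still
# fall through to the default_server that returns 444.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;    # assumed names

    # certbot certonly --webroot -w /var/www/acme -d example.com -d www.example.com
    # The webroot is writable by the account that runs certbot; nginx only
    # needs read access. try_files keeps directory listings and fallbacks out.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;                      # assumed webroot
        default_type text/plain;
        try_files $uri =404;
    }

    # Nothing else is served over plain HTTP.
    location / {
        return 301 https://$host$request_uri;
    }
}

# Wildcard names (*.example.com) cannot be validated over HTTP-01. The ACME
# server instead looks for a TXT record at _acme-challenge.example.com
# (DNS-01), which certbot sets through a DNS plugin or, for a one-off,
#   certbot certonly --manual --preferred-challenges dns \
#       -d 'example.com' -d '*.example.com'
#
# Key permissions: /etc/letsencrypt/live/<name>/privkey.pem is a symlink into
# /etc/letsencrypt/archive/<name>/privkeyN.pem, so the mode that matters is
# the archive file's (0600, owned by root). The nginx master reads it as root
# at startup, before forking workers that run as the unprivileged user, so
# the worker user needs no access to it at all.
```

Since $host is limited to the names in server_name (anything else reaches the catch-all), the redirect cannot be steered to an attacker-chosen host.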

SSH/Git hardening

  • Shared SSH agent socket with strict permissions (socket and its parent directory owned by the deploy user, not group- or world-accessible), since anyone who can open the socket can sign with every loaded key.
  • Global known_hosts with pinned host keys for the Git remotes, and IdentitiesOnly=yes so ssh offers only the configured key rather than every key in the agent.

Open Follow-ups

  • Enable OCSP stapling at the gateway (ssl_stapling, ssl_stapling_verify, ssl_trusted_certificate and a resolver).
  • Apply security headers globally; note that an add_header in a server or location block replaces, rather than extends, the headers set at a higher level.
  • Review private key permissions under /etc/letsencrypt/live/*; the entries there are symlinks into /etc/letsencrypt/archive/, so the targets and directory modes need checking too.
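One way to close the first two follow-ups, as an added example rather than the page's own config. The snippet path snippets/security-headers.conf, the hostname, the resolver address and the header values are assumptions; the header set in particular (CSP above all) has to be tuned to the application before it is applied globally.

```nginx
# snippets/security-headers.conf (assumed path)
# add_header is inherited from the enclosing level only while the current
# block declares none of its own. The moment a server{} or location{} adds one
# header, every inherited header is dropped. So the set lives in one file and
# is included wherever add_header is used, rather than set once in http{}.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'none'" always;

# --- gateway server block ----------------------------------------------------
server {
    listen 443 ssl;
    server_name www.example.com;                # assumed name
    ssl_certificate     /etc/letsencrypt/live/www.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;

    # OCSP stapling: nginx fetches the response itself, so it needs a resolver
    # to look up the responder and the issuer chain to verify the response
    # against (chain.pem from certbot, not fullchain.pem).
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/www.example.com/chain.pem;
    resolver 127.0.0.53 valid=300s;             # assumed local stub resolver
    resolver_timeout 5s;

    include snippets/security-headers.conf;

    # WEAK: this location declares its own add_header, which silently drops
    # every header inherited from the server level; only Cache-Control is sent.
    #
    #   location /static/ {
    #       add_header Cache-Control "public, max-age=86400";
    #       root /srv/www;
    #   }

    # RIGHT: re-include the snippet in any block that uses add_header.
    location /static/ {
        add_header Cache-Control "public, max-age=86400";
        include snippets/security-headers.conf;
        root /srv/www;                           # assumed static root
    }

    location / {
        proxy_pass http://127.0.0.1:7777;       # test-proxy
    }
}
```

Verify stapling with `openssl s_client -connect <gateway>:443 -servername www.example.com -status`; the first connection after a reload may show no response because nginx fetches it lazily. Two caveats: ssl_stapling does nothing for a certificate that carries no OCSP responder URL, and Let's Encrypt has announced it is phasing out OCSP in favour of CRLs, so check the issued certificate before treating stapling as a control. Confirm the headers on an error page as well as a normal one (`curl -sI https://www.example.com/static/missing`), since "always" is what keeps them on 4xx/5xx responses.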