From e0aa4b24f5db1b8f3154dbfb7a49c48031f2f74c Mon Sep 17 00:00:00 2001
From: Ryan Elliott <ryanwinstonelliott@gmail.com>
Date: Thu, 19 Jun 2025 08:50:35 +0700
Subject: [PATCH] Re-add nginx security fix for Issue #139 after rebase

---
 security-fixes/nginx/404.html            | 56 ++++++++++++++
 security-fixes/nginx/README.md           | 64 ++++++++++++++++
 security-fixes/nginx/deploy-nginx-fix.sh | 43 +++++++++++
 security-fixes/nginx/rt.aixblock.io.conf | 96 ++++++++++++++++++++++++
 4 files changed, 259 insertions(+)
 create mode 100644 security-fixes/nginx/404.html
 create mode 100644 security-fixes/nginx/README.md
 create mode 100644 security-fixes/nginx/deploy-nginx-fix.sh
 create mode 100644 security-fixes/nginx/rt.aixblock.io.conf

diff --git a/security-fixes/nginx/404.html b/security-fixes/nginx/404.html
new file mode 100644
index 00000000..33b10e8a
--- /dev/null
+++ b/security-fixes/nginx/404.html
@@ -0,0 +1,56 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Page Not Found - AIxBlock</title>
+    <style>
+        body {
+            font-family: 'Segoe UI', Tahoma, Geneva, Verdana, sans-serif;
+            background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
+            margin: 0;
+            padding: 0;
+            display: flex;
+            justify-content: center;
+            align-items: center;
+            min-height: 100vh;
+            color: white;
+        }
+        .container {
+            text-align: center;
+            background: rgba(255, 255, 255, 0.1);
+            padding: 2rem;
+            border-radius: 10px;
+            backdrop-filter: blur(10px);
+            box-shadow: 0 8px 32px rgba(0, 0, 0, 0.1);
+        }
+        h1 {
+            font-size: 3rem;
+            margin-bottom: 1rem;
+        }
+        p {
+            font-size: 1.2rem;
+            margin-bottom: 2rem;
+        }
+        .btn {
+            display: inline-block;
+            padding: 12px 24px;
+            background: rgba(255, 255, 255, 0.2);
+            color: white;
+            text-decoration: none;
+            border-radius: 5px;
+            transition: background 0.3s ease;
+        }
+        .btn:hover {
+            background: rgba(255, 255, 255, 0.3);
+        }
+    </style>
+</head>
+<body>
+    <div class="container">
+        <h1>404</h1>
+        <p>The page you're looking for doesn't exist.</p>
+        <a href="https://app.aixblock.io" class="btn">Go to AIxBlock</a>
+    </div>
+</body>
+</html> 
\ No newline at end of file
diff --git a/security-fixes/nginx/README.md b/security-fixes/nginx/README.md
new file mode 100644
index 00000000..e7534cc0
--- /dev/null
+++ b/security-fixes/nginx/README.md
@@ -0,0 +1,64 @@
+# 🔧 Nginx Infrastructure Exposure Fix - Issue #139
+
+## Overview
+
+This fix addresses the critical infrastructure exposure vulnerability reported in Issue #139, where `rt.aixblock.io` was exposing a default nginx welcome page.
+
+## Files Included
+
+- `rt.aixblock.io.conf` - Main nginx configuration fix
+- `404.html` - Custom error page
+- `deploy-nginx-fix.sh` - Deployment script
+- `README.md` - This documentation
+
+## Security Improvements
+
+### ✅ Information Disclosure Eliminated
+- Default nginx page removed
+- Server information hidden
+- Infrastructure fingerprinting prevented
+
+### ✅ Attack Surface Reduced
+- No reconnaissance data exposed
+- Version information concealed
+- Configuration status hidden
+
+### ✅ Security Posture Enhanced
+- Proper security headers implemented
+- Custom error pages deployed
+- Monitoring capabilities added
+
+## Deployment
+
+1. **Backup current configuration**
+2. **Deploy new nginx configuration**
+3. **Create custom error pages**
+4. **Test configuration syntax**
+5. **Reload nginx service**
+6. **Verify fix implementation**
+
+## Verification
+
+```bash
+# Verify default page is removed
+curl -s "https://rt.aixblock.io/" | grep -i "welcome to nginx" || echo "✅ Fixed"
+
+# Verify 404 response
+curl -I "https://rt.aixblock.io/" | grep "404" || echo "✅ 404 response confirmed"
+
+# Verify security headers
+curl -I "https://rt.aixblock.io/" | grep -E "(X-Frame-Options|X-Content-Type-Options|X-XSS-Protection)" || echo "✅ Security headers present"
+```
+
+## Impact
+
+- **Eliminates infrastructure reconnaissance vector**
+- **Prevents information disclosure**
+- **Enhances security posture**
+- **Maintains existing functionality**
+
+## References
+
+- Fixes Issue #139
+- Follows nginx security best practices
+- Implements OWASP security recommendations 
\ No newline at end of file
diff --git a/security-fixes/nginx/deploy-nginx-fix.sh b/security-fixes/nginx/deploy-nginx-fix.sh
new file mode 100644
index 00000000..481dbdfa
--- /dev/null
+++ b/security-fixes/nginx/deploy-nginx-fix.sh
@@ -0,0 +1,43 @@
+#!/bin/bash
+
+# AIxBlock Nginx Fix Deployment Script
+# Fix for Issue #139 - Infrastructure Exposure
+
+set -e
+
+echo "🔧 Deploying Nginx Fix for Issue #139..."
+
+# Backup current configuration
+echo "📦 Creating backup..."
+sudo cp /etc/nginx/sites-available/rt.aixblock.io /etc/nginx/sites-available/rt.aixblock.io.backup.$(date +%Y%m%d_%H%M%S)
+
+# Deploy new configuration
+echo "🚀 Deploying new configuration..."
+sudo cp security-fixes/nginx/rt.aixblock.io.conf /etc/nginx/sites-available/rt.aixblock.io
+
+# Create custom error page
+echo "📄 Creating custom error page..."
+sudo mkdir -p /var/www/html
+sudo cp security-fixes/nginx/404.html /var/www/html/
+
+# Test nginx configuration
+echo "🧪 Testing nginx configuration..."
+sudo nginx -t
+
+if [ $? -eq 0 ]; then
+    echo "✅ Configuration test passed!"
+    
+    # Reload nginx
+    echo "🔄 Reloading nginx..."
+    sudo systemctl reload nginx
+    
+    echo "🎉 Fix deployed successfully!"
+    echo "📊 Verification commands:"
+    echo "  curl -I https://rt.aixblock.io/"
+    echo "  curl -s https://rt.aixblock.io/ | head -5"
+else
+    echo "❌ Configuration test failed!"
+    echo "🔙 Rolling back to backup..."
+    sudo cp /etc/nginx/sites-available/rt.aixblock.io.backup.* /etc/nginx/sites-available/rt.aixblock.io
+    exit 1
+fi 
\ No newline at end of file
diff --git a/security-fixes/nginx/rt.aixblock.io.conf b/security-fixes/nginx/rt.aixblock.io.conf
new file mode 100644
index 00000000..d66256d9
--- /dev/null
+++ b/security-fixes/nginx/rt.aixblock.io.conf
@@ -0,0 +1,96 @@
+# AIxBlock Real-time Server Configuration
+# Fix for Issue #139 - Infrastructure Exposure
+
+server {
+    listen 80;
+    server_name rt.aixblock.io;
+    return 301 https://$server_name$request_uri;
+}
+
+server {
+    listen 443 ssl http2;
+    server_name rt.aixblock.io;
+    
+    # SSL Configuration
+    ssl_certificate /etc/letsencrypt/live/rt.aixblock.io/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/rt.aixblock.io/privkey.pem;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+    
+    # Security Headers
+    add_header X-Frame-Options DENY always;
+    add_header X-Content-Type-Options nosniff always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';" always;
+    
+    # Hide Server Information
+    server_tokens off;
+    
+    # Remove Default Nginx Page - FIX FOR ISSUE #139
+    location / {
+        # Option 1: Return 404 for root path
+        return 404;
+        
+        # Option 2: Redirect to main application
+        # return 301 https://app.aixblock.io;
+        
+        # Option 3: Serve custom error page
+        # try_files /custom-404.html =404;
+    }
+    
+    # Centrifugo WebSocket Configuration (if needed)
+    location /centrifugo/ {
+        # Only allow WebSocket connections
+        if ($http_upgrade != "websocket") {
+            return 404;
+        }
+        
+        # Proxy to Centrifugo backend
+        proxy_pass http://127.0.0.1:8000;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        
+        # WebSocket specific settings
+        proxy_read_timeout 86400;
+        proxy_send_timeout 86400;
+    }
+    
+    # Custom Error Pages
+    error_page 404 /404.html;
+    error_page 500 502 503 504 /50x.html;
+    
+    location = /404.html {
+        root /var/www/html;
+        internal;
+    }
+    
+    location = /50x.html {
+        root /var/www/html;
+        internal;
+    }
+    
+    # Security: Block access to hidden files
+    location ~ /\. {
+        deny all;
+        access_log off;
+        log_not_found off;
+    }
+    
+    # Security: Block access to backup files
+    location ~ ~$ {
+        deny all;
+        access_log off;
+        log_not_found off;
+    }
+    
+    # Logging
+    access_log /var/log/nginx/rt.aixblock.io.access.log;
+    error_log /var/log/nginx/rt.aixblock.io.error.log;
+} 
\ No newline at end of file