hopeseekr · March 29, 2025 15:49 · hopeseekr · Mar 29, 2025
diff --git a/001-calibre-web.conf b/001-calibre-web.conf
 # Prequiste: For security, set Calibre to listen to 127.0.0.4:8383:
 # Admin -> Basic Configuration -> Server Settings: Server port 8383.
 # Then edit `/etc/systemd/system/multi-user.target.wants/calibre-web.service`:
 # Change to `ExecStart=/usr/lib/calibre-web/cps.py -i 127.0.0.4`.
 # sudo systemctl daemon-reload
 # sudo systemctl restart calibre-web

 server {
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name read.your.site;

    # SSL Configuration
    ssl_certificate /etc/letsencrypt/live/read.your.site/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/read.your.site/privkey.pem; # managed by Certbot
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;

    # Logging
    access_log /var/log/nginx/read.your.site.log;
    error_log /var/log/nginx/read.your.site.error.log;

    # Common proxy settings
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_connect_timeout 300s;
    proxy_send_timeout 300s;
    proxy_read_timeout 300s;

    location / {
        proxy_pass http://127.0.0.4:8383;
    }

    # Special configuration for upload endpoint
    location ~ /(upload|book/add|upload-new) {
        # Increased body size limit specifically for book uploads
        client_max_body_size 200m;
        
        # SECURITY NOTE: Limiting large uploads to only the necessary routes
        # helps prevent resource exhaustion DoS attacks. This mitigates the risk
        # of attackers consuming server memory, network bandwidth, and disk space
        # by uploading large files to arbitrary endpoints. When large uploads are
        # only permitted on specific, monitored routes, the attack surface for 
        # resource-based DoS attacks is significantly reduced.
        
        proxy_pass http://127.0.0.1:8383;
    }
 }
	# Prequiste: For security, set Calibre to listen to 127.0.0.4:8383:
	# Admin -> Basic Configuration -> Server Settings: Server port 8383.
	# Then edit `/etc/systemd/system/multi-user.target.wants/calibre-web.service`:
	# Change to `ExecStart=/usr/lib/calibre-web/cps.py -i 127.0.0.4`.
	# sudo systemctl daemon-reload
	# sudo systemctl restart calibre-web

	server {
	listen [::]:443 ssl;
	listen 443 ssl;
	server_name read.your.site;

	# SSL Configuration
	ssl_certificate /etc/letsencrypt/live/read.your.site/fullchain.pem; # managed by Certbot
	ssl_certificate_key /etc/letsencrypt/live/read.your.site/privkey.pem; # managed by Certbot
	ssl_protocols TLSv1.2 TLSv1.3;
	ssl_prefer_server_ciphers on;
	ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;

	# Logging
	access_log /var/log/nginx/read.your.site.log;
	error_log /var/log/nginx/read.your.site.error.log;

	# Common proxy settings
	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto $scheme;
	proxy_http_version 1.1;
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection "upgrade";
	proxy_connect_timeout 300s;
	proxy_send_timeout 300s;
	proxy_read_timeout 300s;

	location / {
	proxy_pass http://127.0.0.4:8383;
	}

	# Special configuration for upload endpoint
	location ~ /(upload\|book/add\|upload-new) {
	# Increased body size limit specifically for book uploads
	client_max_body_size 200m;

	# SECURITY NOTE: Limiting large uploads to only the necessary routes
	# helps prevent resource exhaustion DoS attacks. This mitigates the risk
	# of attackers consuming server memory, network bandwidth, and disk space
	# by uploading large files to arbitrary endpoints. When large uploads are
	# only permitted on specific, monitored routes, the attack surface for
	# resource-based DoS attacks is significantly reduced.

	proxy_pass http://127.0.0.1:8383;
	}
	}