ivpn · MaciejTe · Jun 1, 2026 · May 22, 2026 · May 22, 2026 · May 22, 2026
diff --git a/.github/workflows/nginx.yml b/.github/workflows/nginx.yml
@@ -0,0 +1,59 @@
+name: Nginx Config
+
+# Validates app/nginx.conf via scripts/validate-nginx.sh (single source of truth,
+# also run locally). `nginx -t` syntax errors block; gixy security findings are
+# advisory (surfaced as a warning), mirroring the Trivy pattern in docker.yml.
+
+on:
+  workflow_dispatch:
+    inputs:
+      reason:
+        description: 'Optional reason for manual run'
+        required: false
+        default: 'manual trigger'
+  push:
+    branches: ["main", "develop", "release/*"]
+    paths:
+      - 'app/nginx.conf'
+      - 'app/Dockerfile'          # script auto-detects the pinned nginx image from here
+      - 'scripts/validate-nginx.sh'
+      - '.github/workflows/nginx.yml'
+  pull_request:
+    branches: ["main", "develop", "release/*"]
+    paths:
+      - 'app/nginx.conf'
+      - 'app/Dockerfile'
+      - 'scripts/validate-nginx.sh'
+      - '.github/workflows/nginx.yml'
+
+permissions: read-all
+
+jobs:
+  validate:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
+
+      # validate-nginx.sh exit codes:
+      #   0 ok | 1 syntax fail | 2 missing prereq | 3 gixy findings | 4 gixy could not run
+      # We block on syntax/prereq (1/2) and on gixy failing to run (4 — a scan that
+      # never executed must not pass silently). Only real gixy findings (3) are
+      # downgraded to an advisory warning, mirroring docker.yml's Trivy pattern.
+      - name: Validate nginx config (syntax blocking, gixy advisory)
+        run: |
+          set +e
+          ./scripts/validate-nginx.sh
+          code=$?
+          set -e
+          case "${code}" in
+            0) echo "nginx config valid and clean" ;;
+            3) echo "::warning title=gixy::nginx security findings (advisory) — see log above" ;;
+            4) echo "::error title=gixy::gixy could not run — scan did not execute"; exit 1 ;;
+            *) exit "${code}" ;;
+          esac
diff --git a/.gitignore b/.gitignore
@@ -11,3 +11,4 @@ blocklists/.env
 libs/vendor
 tests/docker_logs
 .qodo
+.nginx-validate.*
diff --git a/api/api/server.go b/api/api/server.go
@@ -6,6 +6,7 @@ import (
 	"time"
 
 	"github.com/gofiber/fiber/v2"
+	"github.com/gofiber/fiber/v2/middleware/compress"
 	"github.com/gofiber/fiber/v2/middleware/healthcheck"
 	"github.com/gofiber/fiber/v2/middleware/helmet"
 	"github.com/gofiber/fiber/v2/middleware/limiter"
@@ -69,6 +70,7 @@ func NewServer(config *config.Config, service service.Service, db db.Db, cache c
 func (s *APIServer) setupMiddlewares() {
 	s.App.Use(middleware.SentryFiber())
 	s.App.Use(middleware.Recover())
+	s.App.Use(compress.New(compress.Config{Level: compress.LevelBestSpeed}))
 	s.App.Use(requestid.New())
 	s.App.Use(logger.New(logger.Config{
 		Next: func(c *fiber.Ctx) bool {

diff --git a/api/db/mongodb/migrations/018_profiles_account_id_index.down.json b/api/db/mongodb/migrations/018_profiles_account_id_index.down.json
@@ -0,0 +1,6 @@
+[
+    {
+      "dropIndexes": "profiles",
+      "index": "account_id"
+    }
+]
diff --git a/api/db/mongodb/migrations/018_profiles_account_id_index.up.json b/api/db/mongodb/migrations/018_profiles_account_id_index.up.json
@@ -0,0 +1,12 @@
+[{
+  "createIndexes": "profiles",
+  "indexes": [
+    {
+      "key": {
+        "account_id": 1
+      },
+      "name": "account_id",
+      "background": true
+    }
+  ]
+}]
diff --git a/api/docs/docs.go b/api/docs/docs.go
@@ -2553,9 +2553,6 @@ const docTemplate = `{
                     "items": {
                         "type": "string"
                     }
-                },
-                "queries": {
-                    "type": "integer"
                 }
             }
         },

diff --git a/api/docs/swagger.json b/api/docs/swagger.json
@@ -2545,9 +2545,6 @@
                     "items": {
                         "type": "string"
                     }
-                },
-                "queries": {
-                    "type": "integer"
                 }
             }
         },

diff --git a/api/docs/swagger.yaml b/api/docs/swagger.yaml
@@ -104,8 +104,6 @@ definitions:
         items:
           type: string
         type: array
-      queries:
-        type: integer
     type: object
   model.AccountUpdate:
     properties:

diff --git a/api/mocks/account_servicer.go b/api/mocks/account_servicer.go
diff --git a/api/mocks/servicer.go b/api/mocks/servicer.go
diff --git a/api/model/account.go b/api/model/account.go
@@ -10,10 +10,6 @@ import (
 	"golang.org/x/crypto/bcrypt"
 )
 
-const (
-	QUERIES_NUMBER_LIMIT = 300000
-)
-
 const (
 	AuthMethodPassword = "password"
 	AuthMethodPasskey  = "passkey"
@@ -29,7 +25,6 @@ type Account struct {
 	Tokens              []Token            `json:"-" bson:"tokens"`
 	Password            *string            `json:"-" bson:"password,omitempty"`
 	Profiles            []string           `json:"profiles" bson:"profiles"`
-	Queries             int                `json:"queries" bson:"-"`
 	ErrorReportsConsent bool               `json:"error_reports_consent" bson:"error_reports_consent"`
 	MFA                 MFASettings        `json:"mfa" bson:"mfa"`
 	AuthMethods         []string           `json:"auth_methods,omitempty" bson:"-"`
@@ -70,10 +65,6 @@ func NewAccount(email, password, accountId, profileId string) (*Account, error)
 	return acc, nil
 }
 
-func (a *Account) IsQueriesNumberExceeded() bool {
-	return a.Queries > QUERIES_NUMBER_LIMIT
-}
-
 // WebAuthnID implements webauthn.User
 func (a *Account) WebAuthnID() []byte {
 	return []byte(a.ID.Hex())

diff --git a/api/service/account/account.go b/api/service/account/account.go
@@ -317,11 +317,6 @@ func (p *AccountService) GetAccount(ctx context.Context, accountId string) (*mod
 		return nil, err
 	}
 
-	stats, err := p.GetAccountMetrics(ctx, account, model.LAST_MONTH)
-	if err != nil {
-		return nil, err
-	}
-	account.Queries = stats.Total
 	if err := p.populateAuthMethods(ctx, account); err != nil {
 		return nil, err
 	}
@@ -348,21 +343,6 @@ func (a *AccountService) populateAuthMethods(ctx context.Context, acc *model.Acc
 	return nil
 }
 
-// GetAccountStatistics returns profile DNS statistics data
-func (a *AccountService) GetAccountMetrics(ctx context.Context, account *model.Account, timespan string) (*model.StatisticsAggregated, error) {
-	accMetricsAggregated := &model.StatisticsAggregated{}
-	for _, profileId := range account.Profiles {
-		profileStats, err := a.ProfileService.GetStatistics(ctx, account.ID.Hex(), profileId, timespan)
-		if err != nil {
-			return nil, err
-		}
-
-		accMetricsAggregated.Total += profileStats[0].Total
-	}
-
-	return accMetricsAggregated, nil
-}
-
 // UpdateAccount updates account data
 func (a *AccountService) UpdateAccount(ctx context.Context, accountId string, updates []model.AccountUpdate, mfa *model.MfaData) error {
 	var profileUpdates []model.AccountUpdate