diff --git a/docker/resume/nginx.conf b/docker/resume/nginx.conf index a36b9bb..0c34369 100644 --- a/docker/resume/nginx.conf +++ b/docker/resume/nginx.conf @@ -8,13 +8,14 @@ server { server_name colinknapp.com www.colinknapp.com; - # Security headers + # Security Headers + add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; add_header X-Frame-Options "DENY" always; add_header X-Content-Type-Options "nosniff" always; add_header Referrer-Policy "no-referrer" always; add_header Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=()" always; - # Content Security Policy (CSP) tailored for colinknapp.com without nonce + # Content Security Policy (CSP) add_header Content-Security-Policy " default-src 'self'; script-src 'self' https://matomo.nixc.us/js/tracker.js https://colinknapp.com/scripts/some-script.js; @@ -24,23 +25,32 @@ server { font-src 'self' fonts.gstatic.com; base-uri 'self'; form-action 'self'; - "; + " always; - # Enable long-term caching for JavaScript, CSS, and HTML files + # Rate Limiting + limit_req_zone $binary_remote_addr zone=default:10m rate=20r/s; + limit_req_status 429; + + # Cache headers for JavaScript, CSS, and HTML location ~* \.(js|css|html)$ { expires 1y; add_header Cache-Control "public, max-age=31536000, immutable"; } - # Rate limiting to prevent abuse - limit_req_zone $binary_remote_addr zone=default:10m rate=20r/s; - limit_req_status 429; - + # Global Rate Limit and Caching for all requests location / { limit_req zone=default burst=30; try_files $uri $uri/ =404; } + # Admin Route with IP Whitelisting and Rate Limit + location /admin/ { + allow 192.168.1.0/24; # Trusted IP range + deny all; + limit_req zone=default burst=10; + try_files $uri $uri/ =404; + } + # HTTP/3 advertisement header add_header Alt-Svc 'h3-29=":8080"; ma=86400'; }