Update docker/resume/nginx.conf

2024-11-11 21:58:07 -05:00 · 2024-11-11 21:58:07 -05:00 · a300d70565
parent d9c52597b0
commit a300d70565
1 changed files with 28 additions and 21 deletions
--- a/docker/resume/nginx.conf
+++ b/docker/resume/nginx.conf
@ -1,32 +1,39 @@
 server {
-    listen 8080;
+    listen 8080 http2; # HTTP/2 for efficient multiplexing
+    listen 8080 quic reuseport; # HTTP/3 support
+    http3_max_concurrent_streams 128;
+
+    # Root directory for content
    root /usr/share/nginx/html;
-    index resume.html;
+    index index.html;

-    # Add HSTS header with preload directive
-    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+    # Server name (adjust as needed)
+    server_name yourdomain.com www.yourdomain.com;

-    # Other security headers
-    add_header X-Frame-Options "SAMEORIGIN" always;
+    # Security headers
+    add_header X-Frame-Options "DENY" always;
    add_header X-Content-Type-Options "nosniff" always;
-    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
-    add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), accelerometer=(), gyroscope=(), magnetometer=(), payment=(), usb=()" always;
+    add_header Referrer-Policy "no-referrer" always;
+    add_header Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=()" always;

-    # Set up CSP with specific script URLs and nonce
-    set $nonce $request_id;
-    add_header Content-Security-Policy "
-        default-src 'none'; 
-        script-src 'self' 'nonce-$nonce' https://matomo.nixc.us/js/tracker.js https://colinknapp.com/scripts/some-script.js; 
-        style-src 'self' 'nonce-$nonce' https://colinknapp.com/styles/main.css; 
-        img-src 'self' https://matomo.nixc.us/images/ https://colinknapp.com/icons/; 
-        connect-src 'self' https://matomo.nixc.us; 
-        frame-ancestors 'self'; 
-        base-uri 'self'; 
-        form-action 'self';
-    ";
+    # Content Security Policy (CSP) for js, css, and html only
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://trusted.cdn.com https://metrics.nixc.us; style-src 'self' 'unsafe-inline' https://trusted.cdn.com; connect-src 'self' https://metrics.nixc.us; frame-src 'self';";
+
+    # Caching headers for JavaScript and CSS files
+    location ~* \.(js|css|html)$ {
+        expires 1y;
+        add_header Cache-Control "public, max-age=31536000, immutable";
+    }
+
+    # Rate limiting to prevent abuse
+    limit_req_zone $binary_remote_addr zone=default:10m rate=20r/s;
+    limit_req_status 429;

-    # Basic location block
    location / {
+        limit_req zone=default burst=30;
        try_files $uri $uri/ =404;
    }
+
+    # HTTP/3 advertisement header
+    add_header Alt-Svc 'h3-29=":8080"; ma=86400';  # Advertise HTTP/3 to clients
 }