Update docker/resume/nginx.conf
	This commit is contained in:
		
							parent
							
								
									e5d0e4774f
								
							
						
					
					
						commit
						b809a7e320
					
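--- a/docker/resume/nginx.conf
+++ b/docker/resume/nginx.conf
@@ -8,13 +8,14 @@ server {
 
     server_name colinknapp.com www.colinknapp.com;
 
-    # Security headers
+    # Security Headers
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
     add_header X-Frame-Options "DENY" always;
     add_header X-Content-Type-Options "nosniff" always;
     add_header Referrer-Policy "no-referrer" always;
     add_header Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=()" always;
 
-    # Content Security Policy (CSP) tailored for colinknapp.com without nonce
+    # Content Security Policy (CSP)
     add_header Content-Security-Policy "
         default-src 'self';
         script-src 'self' https://matomo.nixc.us/js/tracker.js https://colinknapp.com/scripts/some-script.js;
@@ -24,23 +25,32 @@ server {
         font-src 'self' fonts.gstatic.com;
         base-uri 'self';
         form-action 'self';
-    ";
+    " always;
 
-    # Enable long-term caching for JavaScript, CSS, and HTML files
+    # Rate Limiting
+    limit_req_zone $binary_remote_addr zone=default:10m rate=20r/s;
+    limit_req_status 429;
+
+    # Cache headers for JavaScript, CSS, and HTML
     location ~* \.(js|css|html)$ {
         expires 1y;
         add_header Cache-Control "public, max-age=31536000, immutable";
     }
 
-    # Rate limiting to prevent abuse
-    limit_req_zone $binary_remote_addr zone=default:10m rate=20r/s;
-    limit_req_status 429;
-
+    # Global Rate Limit and Caching for all requests
     location / {
         limit_req zone=default burst=30;
         try_files $uri $uri/ =404;
     }
 
+    # Admin Route with IP Whitelisting and Rate Limit
+    location /admin/ {
+        allow 192.168.1.0/24; # Trusted IP range
+        deny all;
+        limit_req zone=default burst=10;
+        try_files $uri $uri/ =404;
+    }
+
     # HTTP/3 advertisement header
     add_header Alt-Svc 'h3-29=":8080"; ma=86400';
 }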
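Review bot: The security headers at the top of the server block, including the new `Strict-Transport-Security` line and the CSP, are not sent for the responses that matter most: the `location ~* \.(js|css|html)$` block defines its own `add_header Cache-Control`, and nginx inherits `add_header` from the enclosing level only when a location defines none of its own, so HTML, JS and CSS responses lose HSTS, CSP, X-Frame-Options and the rest. Repeat the header directives inside that location, or keep them in one shared snippet file that is `include`d both at server level and inside the cache location, so the cache rule does not silently drop them. Separately, `limit_req_zone` is only valid in the `http` context; inside `server {` nginx refuses to load the configuration, so the two rate-limit lines added at the top of the second hunk should move to the enclosing http block, which lies outside this hunk (the old placement had the same problem). The `/admin/` allowlist depends on the client address nginx sees; if this container runs behind a proxy or the Docker bridge, `$remote_addr` will be the proxy's address and `allow 192.168.1.0/24` may match all or none of the real clients, which is worth confirming against the deployment before relying on it.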