Update docker/resume/nginx.conf
	
		
			
	
		
	
	
		
			
				
	
				ci/woodpecker/push/woodpecker Pipeline failed
				
		
							parent
							
								
									e5d0e4774f
								
							
						
					
					
						commit
						b809a7e320
					
				|  | @ -8,13 +8,14 @@ server { | |||
| 
 | ||||
|     server_name colinknapp.com www.colinknapp.com; | ||||
| 
 | ||||
|     # Security headers | ||||
|     # Security Headers | ||||
|     add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; | ||||
|     add_header X-Frame-Options "DENY" always; | ||||
|     add_header X-Content-Type-Options "nosniff" always; | ||||
|     add_header Referrer-Policy "no-referrer" always; | ||||
|     add_header Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=()" always; | ||||
| 
 | ||||
|     # Content Security Policy (CSP) tailored for colinknapp.com without nonce | ||||
|     # Content Security Policy (CSP) | ||||
|     add_header Content-Security-Policy " | ||||
|         default-src 'self'; | ||||
|         script-src 'self' https://matomo.nixc.us/js/tracker.js https://colinknapp.com/scripts/some-script.js; | ||||
|  | @ -24,23 +25,32 @@ server { | |||
|         font-src 'self' fonts.gstatic.com; | ||||
|         base-uri 'self'; | ||||
|         form-action 'self'; | ||||
|     "; | ||||
|     " always; | ||||
| 
 | ||||
|     # Enable long-term caching for JavaScript, CSS, and HTML files | ||||
|     # Rate Limiting | ||||
|     limit_req_zone $binary_remote_addr zone=default:10m rate=20r/s; | ||||
|     limit_req_status 429; | ||||
| 
 | ||||
|     # Cache headers for JavaScript, CSS, and HTML | ||||
|     location ~* \.(js|css|html)$ { | ||||
|         expires 1y; | ||||
|         add_header Cache-Control "public, max-age=31536000, immutable"; | ||||
|     } | ||||
| 
 | ||||
|     # Rate limiting to prevent abuse | ||||
|     limit_req_zone $binary_remote_addr zone=default:10m rate=20r/s; | ||||
|     limit_req_status 429; | ||||
| 
 | ||||
|     # Global Rate Limit and Caching for all requests | ||||
|     location / { | ||||
|         limit_req zone=default burst=30; | ||||
|         try_files $uri $uri/ =404; | ||||
|     } | ||||
| 
 | ||||
|     # Admin Route with IP Whitelisting and Rate Limit | ||||
|     location /admin/ { | ||||
|         allow 192.168.1.0/24; # Trusted IP range | ||||
|         deny all; | ||||
|         limit_req zone=default burst=10; | ||||
|         try_files $uri $uri/ =404; | ||||
|     } | ||||
| 
 | ||||
|     # HTTP/3 advertisement header | ||||
|     add_header Alt-Svc 'h3-29=":8080"; ma=86400'; | ||||
| } | ||||
|  |  | |||
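Review bot: The `location ~* \.(js|css|html)$` block carries its own `add_header Cache-Control ...`, and nginx inherits `add_header` from the enclosing level only when the current level defines none, so every JS, CSS and HTML response served from that block goes out without the HSTS, X-Frame-Options, nosniff, Referrer-Policy, Permissions-Policy and CSP headers set above it, which defeats the `always` this change adds to the CSP. Either drop that line and rely on `expires 1y;` (which already emits a `Cache-Control: max-age` value), or move the security headers into a shared file and pull it in at both levels with `include <security-headers-snippet>;` (placeholder path). That location also has no `limit_req`, so the rate limit in `location /` does not cover those requests. Separately, `limit_req_zone` is only valid in the `http` context, so the copy inside `server { }` should be moved out to the http level or `nginx -t` will reject the file. The `server` block opens above the first hunk.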