diff --git a/docker/resume/nginx.conf b/docker/resume/nginx.conf
index f64dd12..a36b9bb 100644
--- a/docker/resume/nginx.conf
+++ b/docker/resume/nginx.conf
@@ -1,14 +1,12 @@
 server {
- listen 8080 http2; # HTTP/2 for efficient multiplexing
- listen 8080 quic reuseport; # HTTP/3 support
+ listen 8080 http2;
+ listen 8080 quic reuseport;
 http3_max_concurrent_streams 128;
- # Root directory for content
 root /usr/share/nginx/html;
 index index.html;
- # Server name (adjust as needed)
- server_name yourdomain.com www.yourdomain.com;
+ server_name colinknapp.com www.colinknapp.com;
 # Security headers
 add_header X-Frame-Options "DENY" always;
@@ -16,10 +14,19 @@ server {
 add_header Referrer-Policy "no-referrer" always;
 add_header Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=()" always;
- # Content Security Policy (CSP) for js, css, and html only
- add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://trusted.cdn.com https://metrics.nixc.us; style-src 'self' 'unsafe-inline' https://trusted.cdn.com; connect-src 'self' https://metrics.nixc.us; frame-src 'self';";
+ # Content Security Policy (CSP) tailored for colinknapp.com without nonce
+ add_header Content-Security-Policy "
+ default-src 'self';
+ script-src 'self' https://matomo.nixc.us/js/tracker.js https://colinknapp.com/scripts/some-script.js;
+ style-src 'self' 'unsafe-inline' https://colinknapp.com/styles/main.css;
+ img-src 'self' https://colinknapp.com/icons data:;
+ connect-src 'self' https://matomo.nixc.us;
+ font-src 'self' fonts.gstatic.com;
+ base-uri 'self';
+ form-action 'self';
+ ";
- # Caching headers for JavaScript and CSS files
+ # Enable long-term caching for JavaScript, CSS, and HTML files
 location ~* \.(js|css|html)$ {
 expires 1y;
 add_header Cache-Control "public, max-age=31536000, immutable";
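Review bot: In the second hunk (`@@ -16,10 +14,19 @@`), the new Content-Security-Policy is set at server level, but the `location ~* \.(js|css|html)$` block just below it has its own `add_header Cache-Control`, and nginx inherits `add_header` from the outer level only when the current level defines none. As written, responses for `.html` files would therefore carry neither this CSP nor the other security headers, and those are the responses where a CSP matters; either drop `html` from that pattern (`location ~* \.(js|css)$ {`) or repeat the security headers inside the location. The header value also spans several lines, so the line breaks become part of the value; clients are likely to reject that over HTTP/2 and HTTP/3, and keeping the policy on one line with a trailing `always`, like the neighbouring headers, avoids it. The location block continues past the end of the hunk, so any further `add_header` lines in it are not visible here.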
@@ -35,5 +42,5 @@ server {
 }
 # HTTP/3 advertisement header
- add_header Alt-Svc 'h3-29=":8080"; ma=86400'; # Advertise HTTP/3 to clients
+ add_header Alt-Svc 'h3-29=":8080"; ma=86400';
 }