wip: improve nginx config — gzip, SSL hardening, dynamic CORS, dotfile blocking
This commit is contained in:
Alexander Whitestone
@@ -1,37 +1,112 @@
|
||||
# The Door — nginx config for alexanderwhitestone.com
|
||||
# Place at /etc/nginx/sites-available/the-door
|
||||
#
|
||||
# IMPORTANT: Also include deploy/rate-limit.conf in your main
|
||||
# /etc/nginx/nginx.conf http block:
|
||||
# include /etc/nginx/sites-available/the-door/deploy/rate-limit.conf;
|
||||
# Crisis front door: single URL, no login, always open.
|
||||
# Static files + reverse proxy to Hermes Gateway on :8644
|
||||
#
|
||||
# Deploy:
|
||||
# cp nginx.conf /etc/nginx/sites-available/the-door
|
||||
# ln -sf /etc/nginx/sites-available/the-door /etc/nginx/sites-enabled/
|
||||
# rm -f /etc/nginx/sites-enabled/default
|
||||
# nginx -t && systemctl reload nginx
|
||||
|
||||
# HTTP → HTTPS redirect
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name alexanderwhitestone.com www.alexanderwhitestone.com;
|
||||
return 301 https://$server_name$request_uri;
|
||||
|
||||
# Allow certbot ACME challenge even without SSL
|
||||
location /.well-known/acme-challenge/ {
|
||||
root /var/www/html;
|
||||
allow all;
|
||||
}
|
||||
|
||||
location / {
|
||||
return 301 https://$server_name$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
# Main HTTPS server
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
server_name alexanderwhitestone.com www.alexanderwhitestone.com;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/alexanderwhitestone.com/fullchain.pem;
|
||||
# ================================================================
|
||||
# SSL Configuration
|
||||
# ================================================================
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/alexanderwhitestone.com/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/alexanderwhitestone.com/privkey.pem;
|
||||
|
||||
# Modern SSL settings
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
||||
ssl_prefer_server_ciphers off;
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_tickets off;
|
||||
|
||||
# OCSP Stapling
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
resolver 1.1.1.1 8.8.8.8 valid=300s;
|
||||
resolver_timeout 5s;
|
||||
|
||||
# ================================================================
|
||||
# Site Root
|
||||
# ================================================================
|
||||
|
||||
root /var/www/the-door;
|
||||
index index.html;
|
||||
|
||||
# Static files
|
||||
# ================================================================
|
||||
# Compression
|
||||
# ================================================================
|
||||
|
||||
gzip on;
|
||||
gzip_vary on;
|
||||
gzip_proxied any;
|
||||
gzip_comp_level 6;
|
||||
gzip_min_length 256;
|
||||
gzip_types
|
||||
text/plain
|
||||
text/css
|
||||
text/javascript
|
||||
application/javascript
|
||||
application/json
|
||||
application/manifest+json
|
||||
image/svg+xml;
|
||||
|
||||
# ================================================================
|
||||
# Static files — the crisis front door
|
||||
# ================================================================
|
||||
|
||||
location / {
|
||||
try_files $uri $uri/ /index.html;
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header X-Frame-Options DENY;
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
add_header Referrer-Policy "no-referrer";
|
||||
add_header Content-Security-Policy "default-src 'self'; script-src 'unsafe-inline'; style-src 'unsafe-inline'; connect-src 'self'";
|
||||
|
||||
# Security headers
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
add_header X-Frame-Options "DENY" always;
|
||||
add_header X-XSS-Protection "1; mode=block" always;
|
||||
add_header Referrer-Policy "no-referrer" always;
|
||||
add_header Content-Security-Policy "default-src 'self'; script-src 'unsafe-inline'; style-src 'unsafe-inline'; connect-src 'self'; img-src 'self' data:;" always;
|
||||
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
|
||||
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
|
||||
|
||||
# Cache static assets
|
||||
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
|
||||
expires 7d;
|
||||
add_header Cache-Control "public, immutable";
|
||||
add_header X-Content-Type-Options "nosniff" always;
|
||||
}
|
||||
}
|
||||
|
||||
# API proxy to Hermes
|
||||
# ================================================================
|
||||
# API proxy — /api/* → Hermes Gateway :8644
|
||||
# ================================================================
|
||||
|
||||
location /api/ {
|
||||
proxy_pass http://127.0.0.1:8644/;
|
||||
proxy_http_version 1.1;
|
||||
@@ -41,16 +116,21 @@ server {
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
|
||||
# CORS — allow alexanderwhitestone.com origins
|
||||
add_header Access-Control-Allow-Origin "https://alexanderwhitestone.com" always;
|
||||
set $cors_origin "";
|
||||
if ($http_origin ~* "^https://(www\.)?alexanderwhitestone\.com$") {
|
||||
set $cors_origin $http_origin;
|
||||
}
|
||||
add_header Access-Control-Allow-Origin "$cors_origin" always;
|
||||
add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
|
||||
add_header Access-Control-Allow-Headers "Authorization, Content-Type" always;
|
||||
add_header Access-Control-Allow-Credentials "true" always;
|
||||
|
||||
# Handle OPTIONS preflight
|
||||
if ($request_method = OPTIONS) {
|
||||
add_header Access-Control-Allow-Origin "https://alexanderwhitestone.com" always;
|
||||
add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
|
||||
add_header Access-Control-Allow-Headers "Authorization, Content-Type" always;
|
||||
add_header Access-Control-Max-Age 86400 always;
|
||||
add_header Access-Control-Allow-Origin "$cors_origin";
|
||||
add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
|
||||
add_header Access-Control-Allow-Headers "Authorization, Content-Type";
|
||||
add_header Access-Control-Max-Age 86400;
|
||||
return 204;
|
||||
}
|
||||
|
||||
@@ -62,13 +142,27 @@ server {
|
||||
proxy_read_timeout 300s;
|
||||
|
||||
# Rate limiting — 10 req/min per IP, burst of 5
|
||||
# Zone must be defined in nginx http block — see deploy/rate-limit.conf
|
||||
# Zone defined in nginx http block — see deploy/rate-limit.conf
|
||||
limit_req zone=the_door_api burst=5 nodelay;
|
||||
limit_req_status 429;
|
||||
}
|
||||
|
||||
# Health check
|
||||
location /health {
|
||||
# ================================================================
|
||||
# Health check — passthrough to Hermes
|
||||
# ================================================================
|
||||
|
||||
location = /health {
|
||||
proxy_pass http://127.0.0.1:8644/health;
|
||||
proxy_http_version 1.1;
|
||||
access_log off;
|
||||
}
|
||||
|
||||
# ================================================================
|
||||
# Block dotfiles (except .well-known)
|
||||
# ================================================================
|
||||
|
||||
location ~ /\.(?!well-known) {
|
||||
deny all;
|
||||
return 404;
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user