flaggr/nginx/nginx.conf at 54bbf111e575e6fdc3445d3a810873a1ea43d922 · JDIS/flaggr · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    sendfile        off;

    keepalive_timeout  60;

    gzip  on;

    upstream docker-backend {
        server backend:8080;
    }

    server {
      listen 80;
      listen [::]:80;
      location / {
        return 301 https://$host$request_uri;
      }
    }

    server {

      listen 443 ssl http2;
      listen [::]:443 ssl http2;

      server_name ${DOMAIN};

      ssl_certificate      /etc/letsencrypt/live/${DOMAIN}/fullchain.pem;
      ssl_certificate_key  /etc/letsencrypt/live/${DOMAIN}/privkey.pem;

      # Improve HTTPS performance with session resumption
      #ssl_session_cache shared:SSL:10m;
      ssl_session_timeout 10m;

      # Enable server-side protection against BEAST attacks
      ssl_protocols TLSv1.2;
      ssl_prefer_server_ciphers on;
      ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";

      # Aditional Security Headers
      # ref: https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

      # ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
      add_header X-Frame-Options DENY always;

      # ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
      add_header X-Content-Type-Options nosniff always;

      # ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
      add_header X-Xss-Protection "1; mode=block" always;

      # with Content Security Policy (CSP) enabled(and a browser that supports it(http://caniuse.com/#feat=contentsecuritypolicy),
      # you can tell the browser that it can only download content from the domains you explicitly allow
      # http://www.html5rocks.com/en/tutorials/security/content-security-policy/
      # https://www.owasp.org/index.php/Content_Security_Policy
      add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' ; img-src 'self' data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.materialdesignicons.com; font-src 'self' https://cdn.materialdesignicons.com https://fonts.gstatic.com/; object-src 'none'";

      location /admin {
          alias /var/www/html/admin;
          index index.html;
          try_files $uri $uri/ /admin/index.html;
      }

      location / {
        root /var/www/html;
        try_files $uri $uri/ /index.html;
      }

      location /api {
         proxy_pass         http://docker-backend;
         proxy_redirect     off;
         proxy_set_header   Host $host;
         proxy_set_header   X-Real-IP $remote_addr;
         proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header   X-Forwarded-Host $server_name;
      }
   }


}