-
Notifications
You must be signed in to change notification settings - Fork 7
/
Copy pathdefault.conf
77 lines (62 loc) · 2.58 KB
/
default.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
server {
listen 80;
server_name dev.42library.kr;
access_log /dev/stdout main;
# access_log /var/log/nginx/access.log main;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$host$request_uri; # Redirect all HTTP to HTTPS
}
}
server {
listen 443 ssl;
server_name dev.42library.kr;
access_log /var/log/nginx/https.access.log main;
# SSL configuration
ssl_certificate /etc/letsencrypt/live/dev.42library.kr/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/dev.42library.kr/privkey.pem;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
# Add HTTP Strict Transport Security (HSTS) to enforce HTTPS
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; # Enforces HTTPS on all requests
# Security headers
add_header X-Content-Type-Options "nosniff" always; # Prevents MIME type sniffing
add_header X-Frame-Options "SAMEORIGIN" always; # Prevents clickjacking
add_header X-XSS-Protection "1; mode=block" always; # Helps protect against XSS attacks
# Limits sources of content to only trusted domains
add_header Content-Security-Policy "default-src 'self'; frame-src 'self' https://api.intra.42.fr;" always;
location /api/ {
# Add rate limiting
limit_req zone=api burst=5;
proxy_pass http://backend:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /swagger/ {
auth_basic "Admin page";
auth_basic_user_file /etc/nginx/conf.d/.htpasswd;
proxy_pass http://backend:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /swagger-v2/ {
auth_basic "Admin page";
auth_basic_user_file /etc/nginx/conf.d/.htpasswd;
proxy_pass http://backend:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# redirect server error pages to the static page /50x.html
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}