saiblog/.docker/default.conf

# Nginx config
# Inspired by https://git.shivering-isles.com/shivering-isles/blog/blob/deploy/_docker/default.conf

# Expires map
map $sent_http_content_type $expires {
    default                    off;
    text/html                  epoch;
    text/css                   max;
    application/javascript     max;
    ~image/                    max;
    ~font/                     max;
}

proxy_cache_path  /tmp/nginx-cache  levels=1:2 keys_zone=STATIC:10m inactive=24h  max_size=1g;

server {

    root /usr/share/nginx/html;
    listen       80;
    server_name  saibotk.de;

    access_log off;

    expires $expires;
    charset UTF-8;

    set_real_ip_from  172.16.0.0/12;

    add_header X-Frame-Options "DENY";
    add_header Referrer-Policy "no-referrer";
    add_header Content-Security-Policy "default-src 'none'; script-src 'self'; img-src data: 'self'; style-src 'self' 'unsafe-inline'; font-src data: 'self'; object-src data:; base-uri 'none'; form-action 'none'; worker-src 'self'; connect-src 'self'; manifest-src 'self'";
    add_header Feature-Policy "geolocation 'none'; midi 'none'; notifications 'none'; push 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; vibrate 'none'; fullscreen 'self'; payment 'none'; usb 'none';";
    add_header Allow "GET, HEAD" always;

    if ( $request_method !~ ^(GET|HEAD)$ ) {
      return 405;
    }

    location /rss {
        rewrite ^/rss /rss.xml redirect;
    }

    rewrite ^/(.*)/$ /$1 redirect;

    location ~ /\.well-known {
      allow all;
    }

    # make sure we provide the right content type
    location ^~ /.well-known/openpgpkey/hu {
       default_type application/octet-stream;
       add_header Access-Control-Allow-Origin * always;
    }

    # general wkd should be available everywhere
    location ^~ /.well-known/openpgpkey {
       add_header Access-Control-Allow-Origin * always;
    }

    location / {
      root   /usr/share/nginx/html;
      index  index.html index.htm;
      try_files  $uri $uri/index.html $uri.html =404;
    }

    error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}
migrate blog to astro 2022-10-23 12:08:29 +02:00			`# Nginx config`
Add Docker files, .spelling & .gitlab-ci.yml 2020-01-08 10:49:54 +01:00			`# Inspired by https://git.shivering-isles.com/shivering-isles/blog/blob/deploy/_docker/default.conf`

			`# Expires map`
			`map $sent_http_content_type $expires {`
			`default off;`
			`text/html epoch;`
			`text/css max;`
			`application/javascript max;`
			`~image/ max;`
			`~font/ max;`
			`}`

			`proxy_cache_path /tmp/nginx-cache levels=1:2 keys_zone=STATIC:10m inactive=24h max_size=1g;`

			`server {`

			`root /usr/share/nginx/html;`
			`listen 80;`
			`server_name saibotk.de;`

Disable logs and remove unused www redirection \| Add HSTS header 2020-01-08 20:06:28 +01:00			`access_log off;`

Add Docker files, .spelling & .gitlab-ci.yml 2020-01-08 10:49:54 +01:00			`expires $expires;`
			`charset UTF-8;`

			`set_real_ip_from 172.16.0.0/12;`
Disable logs and remove unused www redirection \| Add HSTS header 2020-01-08 20:06:28 +01:00
Add Docker files, .spelling & .gitlab-ci.yml 2020-01-08 10:49:54 +01:00			`add_header X-Frame-Options "DENY";`
			`add_header Referrer-Policy "no-referrer";`
Remove HSTS headers & ssl_session_cache & use nginx:alpine The HSTS headers are already set by Traefik and the ssl session cache does not make sense for a HTTP only container, with a proxy that handles TLS. Also the docker image will now use the latest alpine image instead of the old fixed version. 2020-06-29 00:17:45 +02:00			`add_header Content-Security-Policy "default-src 'none'; script-src 'self'; img-src data: 'self'; style-src 'self' 'unsafe-inline'; font-src data: 'self'; object-src data:; base-uri 'none'; form-action 'none'; worker-src 'self'; connect-src 'self'; manifest-src 'self'";`
Add Docker files, .spelling & .gitlab-ci.yml 2020-01-08 10:49:54 +01:00			`add_header Feature-Policy "geolocation 'none'; midi 'none'; notifications 'none'; push 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; vibrate 'none'; fullscreen 'self'; payment 'none'; usb 'none';";`
			`add_header Allow "GET, HEAD" always;`

			`if ( $request_method !~ ^(GET\|HEAD)$ ) {`
			`return 405;`
			`}`

			`location /rss {`
Fix rss path 2022-10-23 12:59:07 +02:00			`rewrite ^/rss /rss.xml redirect;`
Add Docker files, .spelling & .gitlab-ci.yml 2020-01-08 10:49:54 +01:00			`}`

			`rewrite ^/(.*)/$ /$1 redirect;`

			`location ~ /\.well-known {`
			`allow all;`
			`}`

			`# make sure we provide the right content type`
			`location ^~ /.well-known/openpgpkey/hu {`
			`default_type application/octet-stream;`
			`add_header Access-Control-Allow-Origin * always;`
			`}`

			`# general wkd should be available everywhere`
			`location ^~ /.well-known/openpgpkey {`
			`add_header Access-Control-Allow-Origin * always;`
			`}`

			`location / {`
			`root /usr/share/nginx/html;`
			`index index.html index.htm;`
			`try_files $uri $uri/index.html $uri.html =404;`
			`}`

			`error_page 404 /404.html;`

			`# redirect server error pages to the static page /50x.html`
			`#`
			`error_page 500 502 503 504 /50x.html;`
			`location = /50x.html {`
			`root /usr/share/nginx/html;`
			`}`
			`}`