diff --git a/_docker/Dockerfile b/_docker/Dockerfile
index 56e55d4..37a119d 100644
--- a/_docker/Dockerfile
+++ b/_docker/Dockerfile
@@ -2,6 +2,6 @@ FROM nginx:1.17-alpine
 COPY ./public/ /usr/share/nginx/html/
-COPY ./_docker/default.conf ./_docker/redirect.conf /etc/nginx/conf.d/
+COPY ./_docker/default.conf /etc/nginx/conf.d/
 HEALTHCHECK CMD wget -O- http://127.0.0.1/status.txt | grep -q 'OK'
\ No newline at end of file
diff --git a/_docker/default.conf b/_docker/default.conf
index 6807111..5fcdccf 100644
--- a/_docker/default.conf
+++ b/_docker/default.conf
@@ -13,16 +13,27 @@ map $sent_http_content_type $expires {
 proxy_cache_path /tmp/nginx-cache levels=1:2 keys_zone=STATIC:10m inactive=24h max_size=1g;
+# Set HSTS if forwarded proto is https
+map $http_x_forwarded_proto $hsts_header {
+ default "";
+ https "max-age=31536000; includeSubDomains;";
+}
+
 server {
 root /usr/share/nginx/html;
 listen 80;
 server_name saibotk.de;
+ access_log off;
+ error_log off;
+
 expires $expires;
 charset UTF-8;
 set_real_ip_from 172.16.0.0/12;
+
+ add_header Strict-Transport-Security $hsts_header;
 add_header X-Frame-Options "DENY";
 add_header Referrer-Policy "no-referrer";
 add_header Content-Security-Policy "default-src 'none'; script-src 'self'; img-src data: 'self'; style-src 'self' 'unsafe-inline'; font-src data: 'self'; object-src data:; base-uri 'none'; form-action 'none'; worker-src 'self'; connect-src 'self'";
@@ -34,7 +45,7 @@ server {
 }
 location /rss {
- rewrite ^/rss /feed.xml redirect;
+ rewrite ^/rss /posts/index.xml redirect;
 }
 rewrite ^/(.*)/$ /$1 redirect;
diff --git a/_docker/redirect.conf b/_docker/redirect.conf
deleted file mode 100644
index f6080b1..0000000
--- a/_docker/redirect.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-server {
- listen 80;
- server_name www.saibotk.de;
-
- return 301 https://saibotk.de$request_uri;
-}
-
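Review bot: Dropping `redirect.conf` from the `COPY` line leaves `default.conf` as the only server block in `/etc/nginx/conf.d/`, so nginx will use it as the default server and answer requests for `www.saibotk.de` (or any other Host value) with the site content instead of the former 301 to `https://saibotk.de`. That is fine only if the TLS-terminating proxy in front of the container performs the www-to-apex redirect, which the `X-Forwarded-Proto` handling in the same commit suggests but does not show. A comment above the `COPY` line would record the assumption, for example `# www -> apex redirect is done by the fronting proxy, not by this image`.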
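Review bot: `error_log off;` in the server block does not disable error logging: the `error_log` directive has no `off` value and treats it as a file name, so errors end up in a file called `off` under the nginx prefix. If silencing is really intended, `error_log /dev/null crit;` is the usual form, but together with `access_log off;` this leaves no request or error trail for incident triage, so keeping both logs on the container's stdout/stderr may be the better choice. Separately, `add_header Strict-Transport-Security $hsts_header;` lacks `always`, so the header is omitted on 4xx/5xx responses, and `$http_x_forwarded_proto` is only trustworthy if the fronting proxy overwrites any client-supplied value; `add_header Strict-Transport-Security $hsts_header always;` plus a comment naming that proxy would cover both. The server block continues past the end of this hunk, so any `location` there that sets its own `add_header` would not inherit these server-level headers.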