# Nginx config # Inspired by https://git.shivering-isles.com/shivering-isles/blog/blob/deploy/_docker/default.conf # Expires map map $sent_http_content_type $expires { default off; text/html epoch; text/css max; application/javascript max; ~image/ max; ~font/ max; } proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=STATIC:10m inactive=24h max_size=64m; server { root /usr/share/nginx/html; listen 8080; server_name saibotk.de; access_log off; expires $expires; charset UTF-8; set_real_ip_from 10.0.0.0/8; set_real_ip_from 172.16.0.0/12; add_header X-Frame-Options "DENY"; add_header Referrer-Policy "no-referrer"; add_header Content-Security-Policy "default-src 'none'; script-src 'self'; img-src data: 'self'; style-src 'self' 'unsafe-inline'; font-src data: 'self'; object-src data:; base-uri 'none'; form-action 'none'; worker-src 'self'; connect-src 'self'; manifest-src 'self'"; add_header Feature-Policy "geolocation 'none'; midi 'none'; notifications 'none'; push 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; vibrate 'none'; fullscreen 'self'; payment 'none'; usb 'none';"; add_header Allow "GET, HEAD" always; if ( $request_method !~ ^(GET|HEAD)$ ) { return 405; } location = /rss { rewrite ^/rss /rss.xml redirect; } rewrite ^/(.*)/$ /$1 redirect; location ~ /\.well-known { allow all; } # make sure we provide the right content type location ^~ /.well-known/openpgpkey/hu { default_type application/octet-stream; add_header Access-Control-Allow-Origin * always; } # general wkd should be available everywhere location ^~ /.well-known/openpgpkey { add_header Access-Control-Allow-Origin * always; } location / { root /usr/share/nginx/html; index index.html index.htm; try_files $uri $uri/index.html $uri.html =404; } error_page 404 /404.html; # redirect server error pages to the static page /50x.html # error_page 500 502 503 504 /50x.html; location = /50x.html { root /usr/share/nginx/html; } }