85 lines
2.5 KiB
Text
85 lines
2.5 KiB
Text
# Nginx config
|
|
# Inspired by https://git.shivering-isles.com/shivering-isles/blog/blob/deploy/_docker/default.conf
|
|
|
|
# Expires map
|
|
map $sent_http_content_type $expires {
|
|
default off;
|
|
text/html epoch;
|
|
text/css max;
|
|
application/javascript max;
|
|
~image/ max;
|
|
~font/ max;
|
|
}
|
|
|
|
proxy_cache_path /tmp/nginx-cache levels=1:2 keys_zone=STATIC:10m inactive=24h max_size=1g;
|
|
|
|
# Set HSTS if forwarded proto is https
|
|
map $http_x_forwarded_proto $hsts_header {
|
|
default "";
|
|
https "max-age=31536000; includeSubDomains;";
|
|
}
|
|
|
|
server {
|
|
|
|
root /usr/share/nginx/html;
|
|
listen 80;
|
|
server_name saibotk.de;
|
|
|
|
access_log off;
|
|
error_log off;
|
|
|
|
expires $expires;
|
|
charset UTF-8;
|
|
|
|
set_real_ip_from 172.16.0.0/12;
|
|
|
|
ssl_session_timeout 1d;
|
|
ssl_session_cache shared:SSL:50m;
|
|
|
|
add_header Strict-Transport-Security $hsts_header;
|
|
add_header X-Frame-Options "DENY";
|
|
add_header Referrer-Policy "no-referrer";
|
|
add_header Content-Security-Policy "default-src 'none'; script-src 'self'; img-src data: 'self'; style-src 'self' 'unsafe-inline'; font-src data: 'self'; object-src data:; base-uri 'none'; form-action 'none'; worker-src 'self'; connect-src 'self'";
|
|
add_header Feature-Policy "geolocation 'none'; midi 'none'; notifications 'none'; push 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; vibrate 'none'; fullscreen 'self'; payment 'none'; usb 'none';";
|
|
add_header Allow "GET, HEAD" always;
|
|
|
|
if ( $request_method !~ ^(GET|HEAD)$ ) {
|
|
return 405;
|
|
}
|
|
|
|
location /rss {
|
|
rewrite ^/rss /posts/index.xml redirect;
|
|
}
|
|
|
|
rewrite ^/(.*)/$ /$1 redirect;
|
|
|
|
location ~ /\.well-known {
|
|
allow all;
|
|
}
|
|
|
|
# make sure we provide the right content type
|
|
location ^~ /.well-known/openpgpkey/hu {
|
|
default_type application/octet-stream;
|
|
add_header Access-Control-Allow-Origin * always;
|
|
}
|
|
|
|
# general wkd should be available everywhere
|
|
location ^~ /.well-known/openpgpkey {
|
|
add_header Access-Control-Allow-Origin * always;
|
|
}
|
|
|
|
location / {
|
|
root /usr/share/nginx/html;
|
|
index index.html index.htm;
|
|
try_files $uri $uri/index.html $uri.html =404;
|
|
}
|
|
|
|
error_page 404 /404.html;
|
|
|
|
# redirect server error pages to the static page /50x.html
|
|
#
|
|
error_page 500 502 503 504 /50x.html;
|
|
location = /50x.html {
|
|
root /usr/share/nginx/html;
|
|
}
|
|
}
|