saibotk
cdeeab365f
The HSTS headers are already set by Traefik, and the SSL session cache does not make sense for an HTTP-only container behind a proxy that handles TLS. Also, the Docker image will now use the latest Alpine image instead of the old pinned version.
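# Nginx config
#
# Serves the static site over plain HTTP on port 80. TLS termination and
# HSTS are handled by the reverse proxy in front of this container, so no
# TLS-related directives belong in this file.
#
# Inspired by https://git.shivering-isles.com/shivering-isles/blog/blob/deploy/_docker/default.conf

# Expires map: caching policy keyed on the response Content-Type.
# HTML is never cached (epoch) so content updates are visible immediately;
# CSS, JavaScript, images and fonts get a far-future expiry (max).
map $sent_http_content_type $expires {
    default                 off;
    text/html               epoch;
    text/css                max;
    application/javascript  max;
    ~image/                 max;
    ~font/                  max;
}

# CORS map: only the Web Key Directory under /.well-known/openpgpkey is meant
# to be readable cross-origin. The value is resolved here and the header is
# added ONCE at server level below. Reason: in nginx an add_header inside a
# location block REPLACES the whole inherited server-level add_header set, so
# the previous per-location Access-Control-Allow-Origin lines silently dropped
# X-Frame-Options, CSP, Referrer-Policy, Feature-Policy and Allow on those
# paths. nginx omits add_header fields whose value is empty, so the default
# "" means "no CORS header" everywhere else.
map $uri $cors_allow_origin {
    default                     "";
    ~^/\.well-known/openpgpkey  "*";
}

# NOTE(review): declared but no proxy_pass/proxy_cache directive in this file
# uses the STATIC zone; harmless, but a candidate for removal -- confirm no
# other included config references it.
proxy_cache_path /tmp/nginx-cache levels=1:2 keys_zone=STATIC:10m inactive=24h max_size=1g;

server {
    listen 80;
    server_name saibotk.de;
    root /usr/share/nginx/html;

    # Logging is intentionally disabled for this container.
    # `error_log off;` does NOT disable error logging: nginx treats "off" as
    # a file name and writes errors to a file literally called "off" in its
    # prefix directory. /dev/null keeps the original intent. For detection
    # purposes `error_log stderr warn;` would instead surface errors in the
    # container's log stream.
    access_log off;
    error_log /dev/null crit;

    expires $expires;
    charset UTF-8;

    # Trust the proxied client address (default real_ip_header: X-Real-IP)
    # only when the TCP peer is inside the container network range.
    set_real_ip_from 172.16.0.0/12;

    # Security headers. `always` makes nginx attach them to error responses
    # too (404/405/50x); without it add_header only applies to 2xx/3xx, so
    # the custom 404 and 50x pages were served without any CSP.
    # Do not add an add_header to any location block below without repeating
    # this entire list there -- a single add_header in a location discards it.
    add_header X-Frame-Options "DENY" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "no-referrer" always;
    # NOTE(review): `object-src data:` permits data: URIs for <object>/<embed>;
    # 'none' is the usual choice for a static site -- confirm a page relies on it.
    add_header Content-Security-Policy "default-src 'none'; script-src 'self'; img-src data: 'self'; style-src 'self' 'unsafe-inline'; font-src data: 'self'; object-src data:; base-uri 'none'; form-action 'none'; worker-src 'self'; connect-src 'self'; manifest-src 'self'" always;
    # Feature-Policy has been superseded by Permissions-Policy in current
    # browsers; kept as-is, consider adding the newer header alongside it.
    add_header Feature-Policy "geolocation 'none'; midi 'none'; notifications 'none'; push 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; vibrate 'none'; fullscreen 'self'; payment 'none'; usb 'none';" always;
    add_header Allow "GET, HEAD" always;
    # Empty for every path except the WKD (see $cors_allow_origin map above).
    add_header Access-Control-Allow-Origin $cors_allow_origin always;

    # Static site: only safe, read-only methods are accepted.
    if ( $request_method !~ ^(GET|HEAD)$ ) {
        return 405;
    }

    # Legacy feed URL.
    location /rss {
        rewrite ^/rss /posts/index.xml redirect;
    }

    # Canonicalise URLs without a trailing slash.
    rewrite ^/(.*)/$ /$1 redirect;

    location ~ /\.well-known {
        allow all;
    }

    # The WKD "hu" directory holds raw binary OpenPGP keys in extension-less
    # files; force the content type so clients do not receive text/html or a
    # guessed type. The CORS header for this path is supplied at server level
    # via $cors_allow_origin, so no add_header is needed (or allowed) here.
    location ^~ /.well-known/openpgpkey/hu {
        default_type application/octet-stream;
    }

    location / {
        index index.html index.htm;
        try_files $uri $uri/index.html $uri.html =404;
    }

    error_page 404 /404.html;

    # redirect server error pages to the static page /50x.html
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}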