entrouvert
/
publik-common
17
0
Fork 0
Code Issues Pull Requests Releases Activity

nginx: common configuration (#18147)

This commit is contained in:
Christophe Siraut 2020-04-16 10:38:36 +02:00 committed by Thomas NOEL
parent b567388535
commit 1f264de873
21 changed files with 545 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
Makefile
View File

@ -8,7 +8,8 @@ DIST_FILES = Makefile \
publik-cluster-link \
publik-emailconf \
publik.conf.example \
doc
doc \
nginx
version:
@(echo $(VERSION))

2
debian/install vendored
View File

@ -3,3 +3,5 @@ publik-create-databases /usr/bin
publik-cluster-link /usr/bin
publik-emailconf /usr/bin
publik.conf.example /etc/publik
nginx/conf.d/* etc/nginx/conf.d
nginx/snippets/*.conf etc/nginx/snippets

1
doc/nginx/conf.d/client-max-body-size.conf
View File

@ -1 +0,0 @@
client_max_body_size 50M;

5
nginx/conf.d/client-max-body-size.conf Normal file
View File

@ -0,0 +1,5 @@
#
# This file is provided by publik-common package: DO NOT EDIT.
#
client_max_body_size 200M;

4
doc/nginx/conf.d/log_formats.conf → nginx/conf.d/log_formats.conf
View File

@ -1,3 +1,7 @@
#
# This file is provided by publik-common package: DO NOT EDIT.
#
log_format combined_full '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$host" [$request_time s]';

7
nginx/snippets/README Normal file
View File

@ -0,0 +1,7 @@
To update publik-<application>.conf files:
* edit publik-application.conf.j2 template
* run build-publik-snippets.py script
Note: publik-wcs.conf is a specific file, it must be modified separately.
Likewise, publik-gzip.conf and publik-openssl.conf are obviously not
application.conf files.

16
nginx/snippets/build-publik-snippets.py Executable file
View File

@ -0,0 +1,16 @@
#!/usr/bin/env python3
from packaging import version
from jinja2 import Environment, FileSystemLoader, __version__, StrictUndefined
assert version.parse(__version__) < version.parse('2.11')
TEMPLATE = 'publik-application.conf.j2'
MODULES = ('authentic2-multitenant', 'bijoe', 'chrono', 'combo', 'corbo',
'fargo', 'hobo', 'mandayejs', 'passerelle', 'welco')
for module in MODULES:
loader = FileSystemLoader('.')
env = Environment(loader=loader, undefined=StrictUndefined)
template = env.get_template(TEMPLATE)
with open('publik-%s.conf' % module, 'w') as output:
output.write(template.render(MODULE=module))

56
nginx/snippets/publik-application.conf.j2 Normal file
View File

@ -0,0 +1,56 @@
#
# This file is provided by publik-common package: DO NOT EDIT.
#
location ~ ^/static/(.+)$ {
root /;
try_files /var/lib/{{ MODULE }}/tenants/$host/static/$1
/var/lib/{{ MODULE }}/tenants/$host/theme/static/$1
/var/lib/{{ MODULE }}/collectstatic/$1
=404;
add_header 'X-Content-Type-Options' 'nosniff';
add_header 'X-XSS-Protection' '1; mode=block';
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; img-src 'self' data:;";
add_header 'Access-Control-Allow-Origin' '*';
include snippets/publik-gzip.conf;
}
{% if MODULE not in ("passerelle", "fargo") -%}
location ~ ^/media/(.+)$ {
alias /var/lib/{{ MODULE }}/tenants/$host/media/$1;
add_header 'X-Content-Type-Options' 'nosniff';
add_header 'X-XSS-Protection' '1; mode=block';
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; img-src 'self' data:;";
include snippets/publik-gzip.conf;
}
{%- else -%}
location ~ ^/media/public/(.+)$ {
alias /var/lib/{{ MODULE }}/tenants/$host/media/public/$1;
add_header 'X-Content-Type-Options' 'nosniff';
add_header 'X-XSS-Protection' '1; mode=block';
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; img-src 'self' data:;";
include snippets/publik-gzip.conf;
}
{%- endif %}
{% if MODULE == "combo" -%}
location ~ ^/.well-known/pki-validation/(.+)$ {
alias /var/lib/{{ MODULE }}/tenants/$host/well-known/pki-validation/$1;
}
{% endif -%}
location /robots.txt {
alias /var/lib/{{ MODULE }}/www/robots.txt;
}
location / {
proxy_pass http://unix:/var/run/{{ MODULE }}/{{ MODULE }}.sock;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-SSL on;
proxy_set_header X-Forwarded-Protocol ssl;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
add_header 'X-Content-Type-Options' 'nosniff';
add_header 'X-XSS-Protection' '1; mode=block';
}

40
nginx/snippets/publik-authentic2-multitenant.conf Normal file
View File

@ -0,0 +1,40 @@
#
# This file is provided by publik-common package: DO NOT EDIT.
#
location ~ ^/static/(.+)$ {
root /;
try_files /var/lib/authentic2-multitenant/tenants/$host/static/$1
/var/lib/authentic2-multitenant/tenants/$host/theme/static/$1
/var/lib/authentic2-multitenant/collectstatic/$1
=404;
add_header 'X-Content-Type-Options' 'nosniff';
add_header 'X-XSS-Protection' '1; mode=block';
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; img-src 'self' data:;";
add_header 'Access-Control-Allow-Origin' '*';
include snippets/publik-gzip.conf;
}
location ~ ^/media/(.+)$ {
alias /var/lib/authentic2-multitenant/tenants/$host/media/$1;
add_header 'X-Content-Type-Options' 'nosniff';
add_header 'X-XSS-Protection' '1; mode=block';
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; img-src 'self' data:;";
include snippets/publik-gzip.conf;
}
location /robots.txt {
alias /var/lib/authentic2-multitenant/www/robots.txt;
}
location / {
proxy_pass http://unix:/var/run/authentic2-multitenant/authentic2-multitenant.sock;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-SSL on;
proxy_set_header X-Forwarded-Protocol ssl;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
add_header 'X-Content-Type-Options' 'nosniff';
add_header 'X-XSS-Protection' '1; mode=block';
}

40
nginx/snippets/publik-bijoe.conf Normal file
View File

@ -0,0 +1,40 @@
#
# This file is provided by publik-common package: DO NOT EDIT.
#
location ~ ^/static/(.+)$ {
root /;
try_files /var/lib/bijoe/tenants/$host/static/$1
/var/lib/bijoe/tenants/$host/theme/static/$1
/var/lib/bijoe/collectstatic/$1
=404;
add_header 'X-Content-Type-Options' 'nosniff';
add_header 'X-XSS-Protection' '1; mode=block';
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; img-src 'self' data:;";
add_header 'Access-Control-Allow-Origin' '*';
include snippets/publik-gzip.conf;
}
location ~ ^/media/(.+)$ {
alias /var/lib/bijoe/tenants/$host/media/$1;
add_header 'X-Content-Type-Options' 'nosniff';
add_header 'X-XSS-Protection' '1; mode=block';
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; img-src 'self' data:;";
include snippets/publik-gzip.conf;
}
location /robots.txt {
alias /var/lib/bijoe/www/robots.txt;
}
location / {
proxy_pass http://unix:/var/run/bijoe/bijoe.sock;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-SSL on;
proxy_set_header X-Forwarded-Protocol ssl;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
add_header 'X-Content-Type-Options' 'nosniff';
add_header 'X-XSS-Protection' '1; mode=block';
}

40
nginx/snippets/publik-chrono.conf Normal file
View File

@ -0,0 +1,40 @@
#
# This file is provided by publik-common package: DO NOT EDIT.
#
location ~ ^/static/(.+)$ {
root /;
try_files /var/lib/chrono/tenants/$host/static/$1
/var/lib/chrono/tenants/$host/theme/static/$1
/var/lib/chrono/collectstatic/$1
=404;
add_header 'X-Content-Type-Options' 'nosniff';
add_header 'X-XSS-Protection' '1; mode=block';
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; img-src 'self' data:;";
add_header 'Access-Control-Allow-Origin' '*';
include snippets/publik-gzip.conf;
}
location ~ ^/media/(.+)$ {
alias /var/lib/chrono/tenants/$host/media/$1;
add_header 'X-Content-Type-Options' 'nosniff';
add_header 'X-XSS-Protection' '1; mode=block';
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; img-src 'self' data:;";
include snippets/publik-gzip.conf;
}
location /robots.txt {
alias /var/lib/chrono/www/robots.txt;
}
location / {
proxy_pass http://unix:/var/run/chrono/chrono.sock;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-SSL on;
proxy_set_header X-Forwarded-Protocol ssl;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
add_header 'X-Content-Type-Options' 'nosniff';
add_header 'X-XSS-Protection' '1; mode=block';
}

43
nginx/snippets/publik-combo.conf Normal file
View File

@ -0,0 +1,43 @@
#
# This file is provided by publik-common package: DO NOT EDIT.
#
location ~ ^/static/(.+)$ {
root /;
try_files /var/lib/combo/tenants/$host/static/$1
/var/lib/combo/tenants/$host/theme/static/$1
/var/lib/combo/collectstatic/$1
=404;
add_header 'X-Content-Type-Options' 'nosniff';
add_header 'X-XSS-Protection' '1; mode=block';
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; img-src 'self' data:;";
add_header 'Access-Control-Allow-Origin' '*';
include snippets/publik-gzip.conf;
}
location ~ ^/media/(.+)$ {
alias /var/lib/combo/tenants/$host/media/$1;
add_header 'X-Content-Type-Options' 'nosniff';
add_header 'X-XSS-Protection' '1; mode=block';
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; img-src 'self' data:;";
include snippets/publik-gzip.conf;
}
location ~ ^/.well-known/pki-validation/(.+)$ {
alias /var/lib/combo/tenants/$host/well-known/pki-validation/$1;
}
location /robots.txt {
alias /var/lib/combo/www/robots.txt;
}
location / {
proxy_pass http://unix:/var/run/combo/combo.sock;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-SSL on;
proxy_set_header X-Forwarded-Protocol ssl;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
add_header 'X-Content-Type-Options' 'nosniff';
add_header 'X-XSS-Protection' '1; mode=block';
}

40
nginx/snippets/publik-corbo.conf Normal file
View File

@ -0,0 +1,40 @@
#
# This file is provided by publik-common package: DO NOT EDIT.
#
location ~ ^/static/(.+)$ {
root /;
try_files /var/lib/corbo/tenants/$host/static/$1
/var/lib/corbo/tenants/$host/theme/static/$1
/var/lib/corbo/collectstatic/$1
=404;
add_header 'X-Content-Type-Options' 'nosniff';
add_header 'X-XSS-Protection' '1; mode=block';
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; img-src 'self' data:;";
add_header 'Access-Control-Allow-Origin' '*';
include snippets/publik-gzip.conf;
}
location ~ ^/media/(.+)$ {
alias /var/lib/corbo/tenants/$host/media/$1;
add_header 'X-Content-Type-Options' 'nosniff';
add_header 'X-XSS-Protection' '1; mode=block';
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; img-src 'self' data:;";
include snippets/publik-gzip.conf;
}
location /robots.txt {
alias /var/lib/corbo/www/robots.txt;
}
location / {
proxy_pass http://unix:/var/run/corbo/corbo.sock;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-SSL on;
proxy_set_header X-Forwarded-Protocol ssl;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
add_header 'X-Content-Type-Options' 'nosniff';
add_header 'X-XSS-Protection' '1; mode=block';
}

40
nginx/snippets/publik-fargo.conf Normal file
View File

@ -0,0 +1,40 @@
#
# This file is provided by publik-common package: DO NOT EDIT.
#
location ~ ^/static/(.+)$ {
root /;
try_files /var/lib/fargo/tenants/$host/static/$1
/var/lib/fargo/tenants/$host/theme/static/$1
/var/lib/fargo/collectstatic/$1
=404;
add_header 'X-Content-Type-Options' 'nosniff';
add_header 'X-XSS-Protection' '1; mode=block';
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; img-src 'self' data:;";
add_header 'Access-Control-Allow-Origin' '*';
include snippets/publik-gzip.conf;
}
location ~ ^/media/public/(.+)$ {
alias /var/lib/fargo/tenants/$host/media/public/$1;
add_header 'X-Content-Type-Options' 'nosniff';
add_header 'X-XSS-Protection' '1; mode=block';
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; img-src 'self' data:;";
include snippets/publik-gzip.conf;
}
location /robots.txt {
alias /var/lib/fargo/www/robots.txt;
}
location / {
proxy_pass http://unix:/var/run/fargo/fargo.sock;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-SSL on;
proxy_set_header X-Forwarded-Protocol ssl;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
add_header 'X-Content-Type-Options' 'nosniff';
add_header 'X-XSS-Protection' '1; mode=block';
}

5
doc/nginx/snippets/gzip-statics.conf → nginx/snippets/publik-gzip.conf
View File

@ -1,3 +1,7 @@
#
# This file is provided by publik-common package: DO NOT EDIT.
#
# to be used in location /static :
#
# location ~ ^/static/(.+)$ {
@ -16,4 +20,3 @@ gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/css application/javascript;

40
nginx/snippets/publik-hobo.conf Normal file
View File

@ -0,0 +1,40 @@
#
# This file is provided by publik-common package: DO NOT EDIT.
#
location ~ ^/static/(.+)$ {
root /;
try_files /var/lib/hobo/tenants/$host/static/$1
/var/lib/hobo/tenants/$host/theme/static/$1
/var/lib/hobo/collectstatic/$1
=404;
add_header 'X-Content-Type-Options' 'nosniff';
add_header 'X-XSS-Protection' '1; mode=block';
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; img-src 'self' data:;";
add_header 'Access-Control-Allow-Origin' '*';
include snippets/publik-gzip.conf;
}
location ~ ^/media/(.+)$ {
alias /var/lib/hobo/tenants/$host/media/$1;
add_header 'X-Content-Type-Options' 'nosniff';
add_header 'X-XSS-Protection' '1; mode=block';
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; img-src 'self' data:;";
include snippets/publik-gzip.conf;
}
location /robots.txt {
alias /var/lib/hobo/www/robots.txt;
}
location / {
proxy_pass http://unix:/var/run/hobo/hobo.sock;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-SSL on;
proxy_set_header X-Forwarded-Protocol ssl;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
add_header 'X-Content-Type-Options' 'nosniff';
add_header 'X-XSS-Protection' '1; mode=block';
}

40
nginx/snippets/publik-mandayejs.conf Normal file
View File

@ -0,0 +1,40 @@
#
# This file is provided by publik-common package: DO NOT EDIT.
#
location ~ ^/static/(.+)$ {
root /;
try_files /var/lib/mandayejs/tenants/$host/static/$1
/var/lib/mandayejs/tenants/$host/theme/static/$1
/var/lib/mandayejs/collectstatic/$1
=404;
add_header 'X-Content-Type-Options' 'nosniff';
add_header 'X-XSS-Protection' '1; mode=block';
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; img-src 'self' data:;";
add_header 'Access-Control-Allow-Origin' '*';
include snippets/publik-gzip.conf;
}
location ~ ^/media/(.+)$ {
alias /var/lib/mandayejs/tenants/$host/media/$1;
add_header 'X-Content-Type-Options' 'nosniff';
add_header 'X-XSS-Protection' '1; mode=block';
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; img-src 'self' data:;";
include snippets/publik-gzip.conf;
}
location /robots.txt {
alias /var/lib/mandayejs/www/robots.txt;
}
location / {
proxy_pass http://unix:/var/run/mandayejs/mandayejs.sock;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-SSL on;
proxy_set_header X-Forwarded-Protocol ssl;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
add_header 'X-Content-Type-Options' 'nosniff';
add_header 'X-XSS-Protection' '1; mode=block';
}

11
doc/nginx/snippets/publik-ssl.conf → nginx/snippets/publik-openssl.conf
View File

@ -1,8 +1,9 @@
# from https://ssl-config.mozilla.org/
# nginx 1.10.3, intermediate config, OpenSSL 1.1.0l
#
# This file is provided by publik-common package: DO NOT EDIT.
#
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
# generated 2020-04-13, Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1d&guideline=5.
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
@ -13,7 +14,7 @@ ssl_session_tickets off;
ssl_dhparam /etc/ssl/dhparam2048.pem;
# intermediate configuration
ssl_protocols TLSv1.2;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;

40
nginx/snippets/publik-passerelle.conf Normal file
View File

@ -0,0 +1,40 @@
#
# This file is provided by publik-common package: DO NOT EDIT.
#
location ~ ^/static/(.+)$ {
root /;
try_files /var/lib/passerelle/tenants/$host/static/$1
/var/lib/passerelle/tenants/$host/theme/static/$1
/var/lib/passerelle/collectstatic/$1
=404;
add_header 'X-Content-Type-Options' 'nosniff';
add_header 'X-XSS-Protection' '1; mode=block';
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; img-src 'self' data:;";
add_header 'Access-Control-Allow-Origin' '*';
include snippets/publik-gzip.conf;
}
location ~ ^/media/public/(.+)$ {
alias /var/lib/passerelle/tenants/$host/media/public/$1;
add_header 'X-Content-Type-Options' 'nosniff';
add_header 'X-XSS-Protection' '1; mode=block';
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; img-src 'self' data:;";
include snippets/publik-gzip.conf;
}
location /robots.txt {
alias /var/lib/passerelle/www/robots.txt;
}
location / {
proxy_pass http://unix:/var/run/passerelle/passerelle.sock;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-SSL on;
proxy_set_header X-Forwarded-Protocol ssl;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
add_header 'X-Content-Type-Options' 'nosniff';
add_header 'X-XSS-Protection' '1; mode=block';
}

40
nginx/snippets/publik-wcs.conf Normal file
View File

@ -0,0 +1,40 @@
#
# This file is provided by publik-common package: DO NOT EDIT.
#
location ~ ^/static/(.+)$ {
root /;
try_files /var/lib/wcs/$host/static/$1
/var/lib/wcs/$host/theme/static/$1
/var/lib/wcs/collectstatic/$1
=404;
add_header 'X-Content-Type-Options' 'nosniff';
add_header 'X-XSS-Protection' '1; mode=block';
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; img-src 'self' data:;";
add_header 'Access-Control-Allow-Origin' '*';
include snippets/publik-gzip.conf;
}
location ~ ^/media/(.+)$ {
alias /var/lib/wcs/$host/media/$1;
add_header 'X-Content-Type-Options' 'nosniff';
add_header 'X-XSS-Protection' '1; mode=block';
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; img-src 'self' data:;";
include snippets/publik-gzip.conf;
}
location /robots.txt {
alias /var/lib/wcs/www/robots.txt;
}
location / {
proxy_pass http://unix:/var/run/wcs/wcs.sock;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-SSL on;
proxy_set_header X-Forwarded-Protocol ssl;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
add_header 'X-Content-Type-Options' 'nosniff';
add_header 'X-XSS-Protection' '1; mode=block';
}

40
nginx/snippets/publik-welco.conf Normal file
View File

@ -0,0 +1,40 @@
#
# This file is provided by publik-common package: DO NOT EDIT.
#
location ~ ^/static/(.+)$ {
root /;
try_files /var/lib/welco/tenants/$host/static/$1
/var/lib/welco/tenants/$host/theme/static/$1
/var/lib/welco/collectstatic/$1
=404;
add_header 'X-Content-Type-Options' 'nosniff';
add_header 'X-XSS-Protection' '1; mode=block';
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; img-src 'self' data:;";
add_header 'Access-Control-Allow-Origin' '*';
include snippets/publik-gzip.conf;
}
location ~ ^/media/(.+)$ {
alias /var/lib/welco/tenants/$host/media/$1;
add_header 'X-Content-Type-Options' 'nosniff';
add_header 'X-XSS-Protection' '1; mode=block';
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; img-src 'self' data:;";
include snippets/publik-gzip.conf;
}
location /robots.txt {
alias /var/lib/welco/www/robots.txt;
}
location / {
proxy_pass http://unix:/var/run/welco/welco.sock;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-SSL on;
proxy_set_header X-Forwarded-Protocol ssl;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
add_header 'X-Content-Type-Options' 'nosniff';
add_header 'X-XSS-Protection' '1; mode=block';
}