nginx: common configuration (#18147)
This commit is contained in:
parent
b567388535
commit
1f264de873
3
Makefile
3
Makefile
|
@ -8,7 +8,8 @@ DIST_FILES = Makefile \
|
|||
publik-cluster-link \
|
||||
publik-emailconf \
|
||||
publik.conf.example \
|
||||
doc
|
||||
doc \
|
||||
nginx
|
||||
|
||||
version:
|
||||
@(echo $(VERSION))
|
||||
|
|
|
@ -3,3 +3,5 @@ publik-create-databases /usr/bin
|
|||
publik-cluster-link /usr/bin
|
||||
publik-emailconf /usr/bin
|
||||
publik.conf.example /etc/publik
|
||||
nginx/conf.d/* etc/nginx/conf.d
|
||||
nginx/snippets/*.conf etc/nginx/snippets
|
||||
|
|
|
@ -1 +0,0 @@
|
|||
client_max_body_size 50M;
|
|
@ -0,0 +1,5 @@
|
|||
#
|
||||
# This file is provided by publik-common package: DO NOT EDIT.
|
||||
#
|
||||
|
||||
client_max_body_size 200M;
|
|
@ -1,3 +1,7 @@
|
|||
#
|
||||
# This file is provided by publik-common package: DO NOT EDIT.
|
||||
#
|
||||
|
||||
log_format combined_full '$remote_addr - $remote_user [$time_local] "$request" '
|
||||
'$status $body_bytes_sent "$http_referer" '
|
||||
'"$http_user_agent" "$host" [$request_time s]';
|
|
@ -0,0 +1,7 @@
|
|||
To update publik-<application>.conf files:
|
||||
* edit publik-application.conf.j2 template
|
||||
* run build-publik-snippets.py script
|
||||
|
||||
Note: publik-wcs.conf is a specific file, it must be modified separately.
|
||||
Likewise, publik-gzip.conf and publik-openssl.conf are obviously not
|
||||
application.conf files.
|
|
@ -0,0 +1,16 @@
|
|||
#!/usr/bin/env python3
|
||||
from packaging import version
|
||||
from jinja2 import Environment, FileSystemLoader, __version__, StrictUndefined
|
||||
|
||||
assert version.parse(__version__) < version.parse('2.11')
|
||||
|
||||
TEMPLATE = 'publik-application.conf.j2'
|
||||
MODULES = ('authentic2-multitenant', 'bijoe', 'chrono', 'combo', 'corbo',
|
||||
'fargo', 'hobo', 'mandayejs', 'passerelle', 'welco')
|
||||
|
||||
for module in MODULES:
|
||||
loader = FileSystemLoader('.')
|
||||
env = Environment(loader=loader, undefined=StrictUndefined)
|
||||
template = env.get_template(TEMPLATE)
|
||||
with open('publik-%s.conf' % module, 'w') as output:
|
||||
output.write(template.render(MODULE=module))
|
|
@ -0,0 +1,56 @@
|
|||
#
|
||||
# This file is provided by publik-common package: DO NOT EDIT.
|
||||
#
|
||||
|
||||
location ~ ^/static/(.+)$ {
|
||||
root /;
|
||||
try_files /var/lib/{{ MODULE }}/tenants/$host/static/$1
|
||||
/var/lib/{{ MODULE }}/tenants/$host/theme/static/$1
|
||||
/var/lib/{{ MODULE }}/collectstatic/$1
|
||||
=404;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; img-src 'self' data:;";
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
include snippets/publik-gzip.conf;
|
||||
}
|
||||
|
||||
{% if MODULE not in ("passerelle", "fargo") -%}
|
||||
location ~ ^/media/(.+)$ {
|
||||
alias /var/lib/{{ MODULE }}/tenants/$host/media/$1;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; img-src 'self' data:;";
|
||||
include snippets/publik-gzip.conf;
|
||||
}
|
||||
{%- else -%}
|
||||
location ~ ^/media/public/(.+)$ {
|
||||
alias /var/lib/{{ MODULE }}/tenants/$host/media/public/$1;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; img-src 'self' data:;";
|
||||
include snippets/publik-gzip.conf;
|
||||
}
|
||||
{%- endif %}
|
||||
|
||||
{% if MODULE == "combo" -%}
|
||||
location ~ ^/.well-known/pki-validation/(.+)$ {
|
||||
alias /var/lib/{{ MODULE }}/tenants/$host/well-known/pki-validation/$1;
|
||||
}
|
||||
{% endif -%}
|
||||
|
||||
location /robots.txt {
|
||||
alias /var/lib/{{ MODULE }}/www/robots.txt;
|
||||
}
|
||||
|
||||
location / {
|
||||
proxy_pass http://unix:/var/run/{{ MODULE }}/{{ MODULE }}.sock;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Forwarded-SSL on;
|
||||
proxy_set_header X-Forwarded-Protocol ssl;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
}
|
|
@ -0,0 +1,40 @@
|
|||
#
|
||||
# This file is provided by publik-common package: DO NOT EDIT.
|
||||
#
|
||||
|
||||
location ~ ^/static/(.+)$ {
|
||||
root /;
|
||||
try_files /var/lib/authentic2-multitenant/tenants/$host/static/$1
|
||||
/var/lib/authentic2-multitenant/tenants/$host/theme/static/$1
|
||||
/var/lib/authentic2-multitenant/collectstatic/$1
|
||||
=404;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; img-src 'self' data:;";
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
include snippets/publik-gzip.conf;
|
||||
}
|
||||
|
||||
location ~ ^/media/(.+)$ {
|
||||
alias /var/lib/authentic2-multitenant/tenants/$host/media/$1;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; img-src 'self' data:;";
|
||||
include snippets/publik-gzip.conf;
|
||||
}
|
||||
|
||||
location /robots.txt {
|
||||
alias /var/lib/authentic2-multitenant/www/robots.txt;
|
||||
}
|
||||
|
||||
location / {
|
||||
proxy_pass http://unix:/var/run/authentic2-multitenant/authentic2-multitenant.sock;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Forwarded-SSL on;
|
||||
proxy_set_header X-Forwarded-Protocol ssl;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
}
|
|
@ -0,0 +1,40 @@
|
|||
#
|
||||
# This file is provided by publik-common package: DO NOT EDIT.
|
||||
#
|
||||
|
||||
location ~ ^/static/(.+)$ {
|
||||
root /;
|
||||
try_files /var/lib/bijoe/tenants/$host/static/$1
|
||||
/var/lib/bijoe/tenants/$host/theme/static/$1
|
||||
/var/lib/bijoe/collectstatic/$1
|
||||
=404;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; img-src 'self' data:;";
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
include snippets/publik-gzip.conf;
|
||||
}
|
||||
|
||||
location ~ ^/media/(.+)$ {
|
||||
alias /var/lib/bijoe/tenants/$host/media/$1;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; img-src 'self' data:;";
|
||||
include snippets/publik-gzip.conf;
|
||||
}
|
||||
|
||||
location /robots.txt {
|
||||
alias /var/lib/bijoe/www/robots.txt;
|
||||
}
|
||||
|
||||
location / {
|
||||
proxy_pass http://unix:/var/run/bijoe/bijoe.sock;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Forwarded-SSL on;
|
||||
proxy_set_header X-Forwarded-Protocol ssl;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
}
|
|
@ -0,0 +1,40 @@
|
|||
#
|
||||
# This file is provided by publik-common package: DO NOT EDIT.
|
||||
#
|
||||
|
||||
location ~ ^/static/(.+)$ {
|
||||
root /;
|
||||
try_files /var/lib/chrono/tenants/$host/static/$1
|
||||
/var/lib/chrono/tenants/$host/theme/static/$1
|
||||
/var/lib/chrono/collectstatic/$1
|
||||
=404;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; img-src 'self' data:;";
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
include snippets/publik-gzip.conf;
|
||||
}
|
||||
|
||||
location ~ ^/media/(.+)$ {
|
||||
alias /var/lib/chrono/tenants/$host/media/$1;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; img-src 'self' data:;";
|
||||
include snippets/publik-gzip.conf;
|
||||
}
|
||||
|
||||
location /robots.txt {
|
||||
alias /var/lib/chrono/www/robots.txt;
|
||||
}
|
||||
|
||||
location / {
|
||||
proxy_pass http://unix:/var/run/chrono/chrono.sock;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Forwarded-SSL on;
|
||||
proxy_set_header X-Forwarded-Protocol ssl;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
}
|
|
@ -0,0 +1,43 @@
|
|||
#
|
||||
# This file is provided by publik-common package: DO NOT EDIT.
|
||||
#
|
||||
|
||||
location ~ ^/static/(.+)$ {
|
||||
root /;
|
||||
try_files /var/lib/combo/tenants/$host/static/$1
|
||||
/var/lib/combo/tenants/$host/theme/static/$1
|
||||
/var/lib/combo/collectstatic/$1
|
||||
=404;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; img-src 'self' data:;";
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
include snippets/publik-gzip.conf;
|
||||
}
|
||||
|
||||
location ~ ^/media/(.+)$ {
|
||||
alias /var/lib/combo/tenants/$host/media/$1;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; img-src 'self' data:;";
|
||||
include snippets/publik-gzip.conf;
|
||||
}
|
||||
|
||||
location ~ ^/.well-known/pki-validation/(.+)$ {
|
||||
alias /var/lib/combo/tenants/$host/well-known/pki-validation/$1;
|
||||
}
|
||||
location /robots.txt {
|
||||
alias /var/lib/combo/www/robots.txt;
|
||||
}
|
||||
|
||||
location / {
|
||||
proxy_pass http://unix:/var/run/combo/combo.sock;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Forwarded-SSL on;
|
||||
proxy_set_header X-Forwarded-Protocol ssl;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
}
|
|
@ -0,0 +1,40 @@
|
|||
#
|
||||
# This file is provided by publik-common package: DO NOT EDIT.
|
||||
#
|
||||
|
||||
location ~ ^/static/(.+)$ {
|
||||
root /;
|
||||
try_files /var/lib/corbo/tenants/$host/static/$1
|
||||
/var/lib/corbo/tenants/$host/theme/static/$1
|
||||
/var/lib/corbo/collectstatic/$1
|
||||
=404;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; img-src 'self' data:;";
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
include snippets/publik-gzip.conf;
|
||||
}
|
||||
|
||||
location ~ ^/media/(.+)$ {
|
||||
alias /var/lib/corbo/tenants/$host/media/$1;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; img-src 'self' data:;";
|
||||
include snippets/publik-gzip.conf;
|
||||
}
|
||||
|
||||
location /robots.txt {
|
||||
alias /var/lib/corbo/www/robots.txt;
|
||||
}
|
||||
|
||||
location / {
|
||||
proxy_pass http://unix:/var/run/corbo/corbo.sock;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Forwarded-SSL on;
|
||||
proxy_set_header X-Forwarded-Protocol ssl;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
}
|
|
@ -0,0 +1,40 @@
|
|||
#
|
||||
# This file is provided by publik-common package: DO NOT EDIT.
|
||||
#
|
||||
|
||||
location ~ ^/static/(.+)$ {
|
||||
root /;
|
||||
try_files /var/lib/fargo/tenants/$host/static/$1
|
||||
/var/lib/fargo/tenants/$host/theme/static/$1
|
||||
/var/lib/fargo/collectstatic/$1
|
||||
=404;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; img-src 'self' data:;";
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
include snippets/publik-gzip.conf;
|
||||
}
|
||||
|
||||
location ~ ^/media/public/(.+)$ {
|
||||
alias /var/lib/fargo/tenants/$host/media/public/$1;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; img-src 'self' data:;";
|
||||
include snippets/publik-gzip.conf;
|
||||
}
|
||||
|
||||
location /robots.txt {
|
||||
alias /var/lib/fargo/www/robots.txt;
|
||||
}
|
||||
|
||||
location / {
|
||||
proxy_pass http://unix:/var/run/fargo/fargo.sock;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Forwarded-SSL on;
|
||||
proxy_set_header X-Forwarded-Protocol ssl;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
}
|
|
@ -1,3 +1,7 @@
|
|||
#
|
||||
# This file is provided by publik-common package: DO NOT EDIT.
|
||||
#
|
||||
|
||||
# to be used in location /static :
|
||||
#
|
||||
# location ~ ^/static/(.+)$ {
|
||||
|
@ -16,4 +20,3 @@ gzip_comp_level 6;
|
|||
gzip_buffers 16 8k;
|
||||
gzip_http_version 1.1;
|
||||
gzip_types text/css application/javascript;
|
||||
|
|
@ -0,0 +1,40 @@
|
|||
#
|
||||
# This file is provided by publik-common package: DO NOT EDIT.
|
||||
#
|
||||
|
||||
location ~ ^/static/(.+)$ {
|
||||
root /;
|
||||
try_files /var/lib/hobo/tenants/$host/static/$1
|
||||
/var/lib/hobo/tenants/$host/theme/static/$1
|
||||
/var/lib/hobo/collectstatic/$1
|
||||
=404;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; img-src 'self' data:;";
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
include snippets/publik-gzip.conf;
|
||||
}
|
||||
|
||||
location ~ ^/media/(.+)$ {
|
||||
alias /var/lib/hobo/tenants/$host/media/$1;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; img-src 'self' data:;";
|
||||
include snippets/publik-gzip.conf;
|
||||
}
|
||||
|
||||
location /robots.txt {
|
||||
alias /var/lib/hobo/www/robots.txt;
|
||||
}
|
||||
|
||||
location / {
|
||||
proxy_pass http://unix:/var/run/hobo/hobo.sock;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Forwarded-SSL on;
|
||||
proxy_set_header X-Forwarded-Protocol ssl;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
}
|
|
@ -0,0 +1,40 @@
|
|||
#
|
||||
# This file is provided by publik-common package: DO NOT EDIT.
|
||||
#
|
||||
|
||||
location ~ ^/static/(.+)$ {
|
||||
root /;
|
||||
try_files /var/lib/mandayejs/tenants/$host/static/$1
|
||||
/var/lib/mandayejs/tenants/$host/theme/static/$1
|
||||
/var/lib/mandayejs/collectstatic/$1
|
||||
=404;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; img-src 'self' data:;";
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
include snippets/publik-gzip.conf;
|
||||
}
|
||||
|
||||
location ~ ^/media/(.+)$ {
|
||||
alias /var/lib/mandayejs/tenants/$host/media/$1;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; img-src 'self' data:;";
|
||||
include snippets/publik-gzip.conf;
|
||||
}
|
||||
|
||||
location /robots.txt {
|
||||
alias /var/lib/mandayejs/www/robots.txt;
|
||||
}
|
||||
|
||||
location / {
|
||||
proxy_pass http://unix:/var/run/mandayejs/mandayejs.sock;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Forwarded-SSL on;
|
||||
proxy_set_header X-Forwarded-Protocol ssl;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
}
|
|
@ -1,8 +1,9 @@
|
|||
# from https://ssl-config.mozilla.org/
|
||||
# nginx 1.10.3, intermediate config, OpenSSL 1.1.0l
|
||||
#
|
||||
# This file is provided by publik-common package: DO NOT EDIT.
|
||||
#
|
||||
|
||||
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
|
||||
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
|
||||
# generated 2020-04-13, Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration
|
||||
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1d&guideline=5.
|
||||
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
|
||||
|
@ -13,7 +14,7 @@ ssl_session_tickets off;
|
|||
ssl_dhparam /etc/ssl/dhparam2048.pem;
|
||||
|
||||
# intermediate configuration
|
||||
ssl_protocols TLSv1.2;
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
||||
ssl_prefer_server_ciphers off;
|
||||
|
|
@ -0,0 +1,40 @@
|
|||
#
|
||||
# This file is provided by publik-common package: DO NOT EDIT.
|
||||
#
|
||||
|
||||
location ~ ^/static/(.+)$ {
|
||||
root /;
|
||||
try_files /var/lib/passerelle/tenants/$host/static/$1
|
||||
/var/lib/passerelle/tenants/$host/theme/static/$1
|
||||
/var/lib/passerelle/collectstatic/$1
|
||||
=404;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; img-src 'self' data:;";
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
include snippets/publik-gzip.conf;
|
||||
}
|
||||
|
||||
location ~ ^/media/public/(.+)$ {
|
||||
alias /var/lib/passerelle/tenants/$host/media/public/$1;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; img-src 'self' data:;";
|
||||
include snippets/publik-gzip.conf;
|
||||
}
|
||||
|
||||
location /robots.txt {
|
||||
alias /var/lib/passerelle/www/robots.txt;
|
||||
}
|
||||
|
||||
location / {
|
||||
proxy_pass http://unix:/var/run/passerelle/passerelle.sock;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Forwarded-SSL on;
|
||||
proxy_set_header X-Forwarded-Protocol ssl;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
}
|
|
@ -0,0 +1,40 @@
|
|||
#
|
||||
# This file is provided by publik-common package: DO NOT EDIT.
|
||||
#
|
||||
|
||||
location ~ ^/static/(.+)$ {
|
||||
root /;
|
||||
try_files /var/lib/wcs/$host/static/$1
|
||||
/var/lib/wcs/$host/theme/static/$1
|
||||
/var/lib/wcs/collectstatic/$1
|
||||
=404;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; img-src 'self' data:;";
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
include snippets/publik-gzip.conf;
|
||||
}
|
||||
|
||||
location ~ ^/media/(.+)$ {
|
||||
alias /var/lib/wcs/$host/media/$1;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; img-src 'self' data:;";
|
||||
include snippets/publik-gzip.conf;
|
||||
}
|
||||
|
||||
location /robots.txt {
|
||||
alias /var/lib/wcs/www/robots.txt;
|
||||
}
|
||||
|
||||
location / {
|
||||
proxy_pass http://unix:/var/run/wcs/wcs.sock;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Forwarded-SSL on;
|
||||
proxy_set_header X-Forwarded-Protocol ssl;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
}
|
|
@ -0,0 +1,40 @@
|
|||
#
|
||||
# This file is provided by publik-common package: DO NOT EDIT.
|
||||
#
|
||||
|
||||
location ~ ^/static/(.+)$ {
|
||||
root /;
|
||||
try_files /var/lib/welco/tenants/$host/static/$1
|
||||
/var/lib/welco/tenants/$host/theme/static/$1
|
||||
/var/lib/welco/collectstatic/$1
|
||||
=404;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; img-src 'self' data:;";
|
||||
add_header 'Access-Control-Allow-Origin' '*';
|
||||
include snippets/publik-gzip.conf;
|
||||
}
|
||||
|
||||
location ~ ^/media/(.+)$ {
|
||||
alias /var/lib/welco/tenants/$host/media/$1;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
add_header 'Content-Security-Policy' "default-src 'none'; style-src 'self' 'unsafe-inline'; object-src 'self' 'unsafe-inline'; img-src 'self' data:;";
|
||||
include snippets/publik-gzip.conf;
|
||||
}
|
||||
|
||||
location /robots.txt {
|
||||
alias /var/lib/welco/www/robots.txt;
|
||||
}
|
||||
|
||||
location / {
|
||||
proxy_pass http://unix:/var/run/welco/welco.sock;
|
||||
proxy_set_header Host $http_host;
|
||||
proxy_set_header X-Forwarded-SSL on;
|
||||
proxy_set_header X-Forwarded-Protocol ssl;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
add_header 'X-Content-Type-Options' 'nosniff';
|
||||
add_header 'X-XSS-Protection' '1; mode=block';
|
||||
}
|
Loading…
Reference in New Issue