41 lines
1.2 KiB
Plaintext
41 lines
1.2 KiB
Plaintext
# /https_portal/config/custom_nginx.conf
|
|
server {
|
|
listen 80;
|
|
server_name yuri.phx-erp.de;
|
|
|
|
# Rate limiting
|
|
limit_req_zone $binary_remote_addr zone=one:10m rate=30r/m;
|
|
|
|
# Global security headers
|
|
add_header X-Frame-Options "SAMEORIGIN" always;
|
|
add_header X-XSS-Protection "1; mode=block" always;
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
add_header Referrer-Policy "no-referrer-when-downgrade" always;
|
|
add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
|
|
|
|
# Enable DDoS protection
|
|
client_body_timeout 10s;
|
|
client_header_timeout 10s;
|
|
keepalive_timeout 5s 5s;
|
|
send_timeout 10s;
|
|
|
|
# IP blocking for repeated failed attempts
|
|
geo $bad_user {
|
|
default 0;
|
|
include /etc/nginx/conf.d/blocked_ips.conf;
|
|
}
|
|
|
|
# Block suspicious requests
|
|
map $http_user_agent $bad_bot {
|
|
default 0;
|
|
~*(curl|wget|python|nikto|sqlmap) 1;
|
|
}
|
|
|
|
location / {
|
|
proxy_pass http://phoenix-app;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
} |