Improve nginx conf examples (#6)

Alexis Saettler 2020-04-07 22:17:09 +02:00 committed by GitHub
parent 0fcecb3097
commit 65eb5f5758
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 176 additions and 65 deletions


@ -115,13 +115,9 @@ services:
volumes:
data:
name: data
www:
name: www
db:
name: db
certs:
name: certs
networks:
proxy-tier:


@ -3,12 +3,10 @@ worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
@ -29,8 +27,7 @@ http {
set_real_ip_from 192.168.0.0/16;
real_ip_header X-Real-IP;
#gzip on;
# Connect to app service
upstream php-handler {
server app:9000;
}
@ -40,13 +37,24 @@ http {
server_name monica;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy no-referrer;
## HSTS ##
# Add the 'Strict-Transport-Security' headers to enable HSTS protocol.
# WARNING: Only add the preload option once you read about the consequences: https://hstspreload.org/.
# This form will add the domain to a hardcoded list that is shipped in all major browsers and getting
# removed from this list could take several months.
#
#add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always;
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
root /var/www/html/public;
@ -66,7 +74,7 @@ http {
error_page 404 500 502 503 504 /index.php;
location = /.well-known/(?:carddav|caldav) {
location ~ /\.well-known/(?:carddav|caldav) {
return 301 $scheme://$host/dav;
}
location = /.well-known/security.txt {
@ -117,6 +125,23 @@ http {
try_files $uri /index.php$request_uri;
add_header Cache-Control "public, max-age=15778463";
## HSTS ##
# Add the 'Strict-Transport-Security' headers to enable HSTS protocol.
# Note it is intended to have those duplicated to the ones above.
# WARNING: Only add the preload option once you read about the consequences: https://hstspreload.org/.
# This form will add the domain to a hardcoded list that is shipped in all major browsers and getting
# removed from this list could take several months.
#
#add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always;
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Optional: Don't log access to assets
access_log off;
}
@ -127,5 +152,10 @@ http {
# Optional: Don't log access to assets
access_log off;
}
# deny access to .htaccess files
location ~ /\.ht {
deny all;
}
}
}
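Review bot: The regex location added in the `@ -66,7 +74,7 @@` hunk, `location ~ /\.well-known/(?:carddav|caldav) {`, is not anchored, so it also matches any URI that merely contains that path segment and redirects it to /dav; anchoring it, `location ~ ^/\.well-known/(?:carddav|caldav) {`, limits the rewrite to the intended well-known path. Replacing the old `=` form is right in direction, since an exact-match location never treated the `(?:...)` group as a regex. The same unanchored pattern is added by the corresponding hunk in the other three nginx example files of this commit. `location ~ /\.ht` in the last hunk is unanchored as well, but denying every path containing `/.ht` is the intent there, and the enclosing `http {` block starts outside the hunk.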


@ -117,17 +117,11 @@ services:
volumes:
data:
name: data
www:
name: www
mysql:
name: mysql
certs:
name: certs
vhost.d:
name: vhost.d
html:
name: html
networks:
proxy-tier:


@ -3,12 +3,10 @@ worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
@ -29,8 +27,7 @@ http {
set_real_ip_from 192.168.0.0/16;
real_ip_header X-Real-IP;
#gzip on;
# Connect to app service
upstream php-handler {
server app:9000;
}
@ -40,13 +37,24 @@ http {
server_name monica;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy no-referrer;
## HSTS ##
# Add the 'Strict-Transport-Security' headers to enable HSTS protocol.
# WARNING: Only add the preload option once you read about the consequences: https://hstspreload.org/.
# This form will add the domain to a hardcoded list that is shipped in all major browsers and getting
# removed from this list could take several months.
#
#add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always;
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
root /var/www/html/public;
@ -66,7 +74,7 @@ http {
error_page 404 500 502 503 504 /index.php;
location = /.well-known/(?:carddav|caldav) {
location ~ /\.well-known/(?:carddav|caldav) {
return 301 $scheme://$host/dav;
}
location = /.well-known/security.txt {
@ -117,6 +125,23 @@ http {
try_files $uri /index.php$request_uri;
add_header Cache-Control "public, max-age=15778463";
## HSTS ##
# Add the 'Strict-Transport-Security' headers to enable HSTS protocol.
# Note it is intended to have those duplicated to the ones above.
# WARNING: Only add the preload option once you read about the consequences: https://hstspreload.org/.
# This form will add the domain to a hardcoded list that is shipped in all major browsers and getting
# removed from this list could take several months.
#
#add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always;
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Optional: Don't log access to assets
access_log off;
}
@ -127,5 +152,10 @@ http {
# Optional: Don't log access to assets
access_log off;
}
# deny access to .htaccess files
location ~ /\.ht {
deny all;
}
}
}
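Review bot: `return 301 $scheme://$host/dav;` in the `@ -66,7 +74,7 @@` hunk builds the redirect target from request data: `$host` is taken from the client's Host header and `$scheme` is the scheme nginx itself received on. The compose files in this commit place this container on a `proxy-tier` network with a separate `certs` volume, so nginx presumably terminates plain HTTP behind a TLS proxy, in which case the redirect sends DAV clients to an `http://` URL, and a request carrying a Host header for another name is redirected to that name; please confirm against the actual deployment. A fixed origin, or a `map` over `$http_x_forwarded_proto` for the scheme, keeps the target under the operator's control. The server block starts and ends outside this hunk, and the same line appears in the other three nginx examples.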


@ -26,8 +26,5 @@ services:
volumes:
data:
name: data
www:
name: www
mysql:
name: mysql


@ -35,8 +35,5 @@ services:
volumes:
data:
name: data
www:
name: www
mysql:
name: mysql


@ -3,12 +3,10 @@ worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
@ -24,8 +22,12 @@ http {
keepalive_timeout 65;
#gzip on;
set_real_ip_from 10.0.0.0/8;
set_real_ip_from 172.16.0.0/12;
set_real_ip_from 192.168.0.0/16;
real_ip_header X-Real-IP;
# Connect to app service
upstream php-handler {
server app:9000;
}
@ -35,13 +37,24 @@ http {
server_name monica;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy no-referrer;
## HSTS ##
# Add the 'Strict-Transport-Security' headers to enable HSTS protocol.
# WARNING: Only add the preload option once you read about the consequences: https://hstspreload.org/.
# This form will add the domain to a hardcoded list that is shipped in all major browsers and getting
# removed from this list could take several months.
#
#add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always;
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
root /var/www/html/public;
@ -61,7 +74,7 @@ http {
error_page 404 500 502 503 504 /index.php;
location = /.well-known/(?:carddav|caldav) {
location ~ /\.well-known/(?:carddav|caldav) {
return 301 $scheme://$host/dav;
}
location = /.well-known/security.txt {
@ -112,6 +125,23 @@ http {
try_files $uri /index.php$request_uri;
add_header Cache-Control "public, max-age=15778463";
## HSTS ##
# Add the 'Strict-Transport-Security' headers to enable HSTS protocol.
# Note it is intended to have those duplicated to the ones above.
# WARNING: Only add the preload option once you read about the consequences: https://hstspreload.org/.
# This form will add the domain to a hardcoded list that is shipped in all major browsers and getting
# removed from this list could take several months.
#
#add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always;
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Optional: Don't log access to assets
access_log off;
}
@ -122,5 +152,10 @@ http {
# Optional: Don't log access to assets
access_log off;
}
# deny access to .htaccess files
location ~ /\.ht {
deny all;
}
}
}
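Review bot: The `@ -24,8 +22,12 @@` hunk trusts `X-Real-IP` from every RFC 1918 range (`set_real_ip_from 10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`), which is far wider than the proxy that actually sets the header; any container or host in those ranges can then choose the address nginx writes to the access log and, presumably via fastcgi_params, hands to the app as REMOTE_ADDR. Narrowing `set_real_ip_from` to the proxy network or the proxy's address keeps client-IP attribution trustworthy for logs and for any rate limiting the app bases on it. A short comment would help operators adapt the block: `# Trust X-Real-IP only from the reverse proxy; widen these ranges only if your proxy lives elsewhere.` The other two nginx examples keep the single `192.168.0.0/16` range and merit the same review; the `http {` block is cut on both sides of this hunk.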


@ -35,8 +35,5 @@ services:
volumes:
data:
name: data
www:
name: www
mysql:
name: mysql


@ -3,12 +3,10 @@ worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
@ -24,8 +22,12 @@ http {
keepalive_timeout 65;
#gzip on;
set_real_ip_from 10.0.0.0/8;
set_real_ip_from 172.16.0.0/12;
set_real_ip_from 192.168.0.0/16;
real_ip_header X-Real-IP;
# Connect to app service
upstream php-handler {
server app:9000;
}
@ -35,13 +37,24 @@ http {
server_name monica;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header Referrer-Policy no-referrer;
## HSTS ##
# Add the 'Strict-Transport-Security' headers to enable HSTS protocol.
# WARNING: Only add the preload option once you read about the consequences: https://hstspreload.org/.
# This form will add the domain to a hardcoded list that is shipped in all major browsers and getting
# removed from this list could take several months.
#
#add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always;
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
root /var/www/html/public;
@ -61,7 +74,7 @@ http {
error_page 404 500 502 503 504 /index.php;
location = /.well-known/(?:carddav|caldav) {
location ~ /\.well-known/(?:carddav|caldav) {
return 301 $scheme://$host/dav;
}
location = /.well-known/security.txt {
@ -112,6 +125,23 @@ http {
try_files $uri /index.php$request_uri;
add_header Cache-Control "public, max-age=15778463";
## HSTS ##
# Add the 'Strict-Transport-Security' headers to enable HSTS protocol.
# Note it is intended to have those duplicated to the ones above.
# WARNING: Only add the preload option once you read about the consequences: https://hstspreload.org/.
# This form will add the domain to a hardcoded list that is shipped in all major browsers and getting
# removed from this list could take several months.
#
#add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;" always;
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Optional: Don't log access to assets
access_log off;
}
@ -122,5 +152,10 @@ http {
# Optional: Don't log access to assets
access_log off;
}
# deny access to .htaccess files
location ~ /\.ht {
deny all;
}
}
}
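Review bot: The header set added in the `@ -35,13 +37,24 @@` and `@ -112,6 +125,23 @@` hunks still sends `X-XSS-Protection "1; mode=block"`; the browser XSS auditor this controls has been removed from current browsers, and in the older ones that honour it the filter mode is what caused trouble, so the usual guidance now is to disable it explicitly, `add_header X-XSS-Protection "0" always;`, and to carry the defence in a Content-Security-Policy, which this example does not set. The comment `# Note it is intended to have those duplicated to the ones above.` would be more useful if it said why: `# nginx add_header is not additive: a location that sets its own header (Cache-Control here) inherits none from the server level, so the full set is repeated.` Both points apply equally to the other three nginx examples in this commit.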