diff --git a/docker/nginx/Dockerfile b/docker/nginx/Dockerfile
index 93012cd..9f5f8f1 100644
--- a/docker/nginx/Dockerfile
+++ b/docker/nginx/Dockerfile
@@ -1,5 +1,6 @@
 FROM nginx:latest
+COPY config/security.conf /etc/nginx/security.conf
 COPY config/nginx.conf /etc/nginx/nginx.conf
 COPY config/sites-available/* /etc/nginx/sites-available/
 COPY docker-entrypoint.sh /entrypoint.sh
diff --git a/docker/nginx/config/nginx.conf b/docker/nginx/config/nginx.conf
index 0210f18..a73bafd 100644
--- a/docker/nginx/config/nginx.conf
+++ b/docker/nginx/config/nginx.conf
@@ -5,10 +5,28 @@ error_log /var/log/nginx/error.log warn;
 pid /var/run/nginx.pid;
 events {
- worker_connections 1024;
+ multi_accept on;
+ worker_connections 1024;
 }
 http {
+ log_not_found off;
+ server_tokens off;
+ tcp_nodelay on;
+ charset utf-8;
+ tcp_nopush on;
+
+ resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
+ resolver_timeout 2s;
+
+ ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_tickets off;
+ ssl_stapling_verify on;
+ ssl_protocols TLSv1.3;
+ ssl_session_timeout 1d;
+ ssl_stapling on;
+
 include /etc/nginx/mime.types;
 default_type application/octet-stream;
@@ -35,7 +53,9 @@ http {
 gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
 client_max_body_size 2M;
+ types_hash_max_size 2048;
+ include /etc/nginx/security.conf;
 include /etc/nginx/conf.d/*conf;
 include /etc/nginx/sites-enabled/*;
 }
\ No newline at end of file
diff --git a/docker/nginx/config/security.conf b/docker/nginx/config/security.conf
new file mode 100644
index 0000000..4660da7
--- /dev/null
+++ b/docker/nginx/config/security.conf
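Review bot: `ssl_stapling_verify on;` in the first nginx.conf hunk is added without the `ssl_trusted_certificate` directive that, per the nginx documentation, must hold the issuer and intermediate certificates for OCSP response verification to work, so as written the verify flag cannot do its job and nginx will only warn about it at startup; add `ssl_trusted_certificate <CHAIN_PEM_PATH>;` (placeholder path) beside the certificate directives or drop the verify line until a chain is available. The `resolver` line sends nginx's runtime lookups (OCSP responder hostnames, any variable-based upstream names) to six public DNS servers over plain UDP and bypasses Docker's embedded resolver at 127.0.0.11; static `fastcgi_pass` names are presumably resolved at startup from /etc/resolv.conf and unaffected, but any dynamic resolution of compose service names would break, so either use the container resolver or add a comment stating why external resolvers are intended. `ssl_ciphers` lists only TLS 1.3 suite names, which OpenSSL configures through its Ciphersuites setting (nginx's `ssl_conf_command Ciphersuites ...`) rather than the cipher list, and these three suites are OpenSSL's TLS 1.3 defaults anyway, so this line is worth an `nginx -t` check against the image's OpenSSL and may be redundant. Restricting `ssl_protocols` to `TLSv1.3` alone is a compatibility decision that deserves a one-line comment, e.g. `# TLS 1.3 only: older clients are intentionally rejected`.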
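Review bot: `include /etc/nginx/security.conf;` in the second nginx.conf hunk places the `add_header` lines at `http` level, and nginx only inherits `add_header` into a `server` or `location` block that declares no `add_header` of its own, so any vhost under sites-enabled that adds a single header (CORS, cache control) silently drops every header from security.conf for that scope. Either re-include the file inside such blocks or keep the vhosts free of `add_header`, and record the constraint next to the include: `# add_header is not merged across levels: any server/location that uses add_header must include security.conf itself`. The enclosing `http` block opens in the previous hunk.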
@@ -0,0 +1,6 @@
+add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self'; object-src 'self'; frame-src 'self'; frame-ancestors 'none'; upgrade-insecure-requests; reflected-xss block; referrer no-referrer" always;
+add_header Referrer-Policy "no-referrer" always;
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header X-Frame-Options "SAMEORIGIN" always;
+add_header X-XSS-Protection "1; mode=block" always;
diff --git a/docker/nginx/config/sites-available/local.api.ideka.fr b/docker/nginx/config/sites-available/local.api.ideka.fr
index efe33d6..5c1ecb7 100644
--- a/docker/nginx/config/sites-available/local.api.ideka.fr
+++ b/docker/nginx/config/sites-available/local.api.ideka.fr
@@ -21,6 +21,8 @@ server {
 include fastcgi_params;
 fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
 fastcgi_param DOCUMENT_ROOT $realpath_root;
+ fastcgi_buffers 8 16k;
+ fastcgi_buffer_size 32k;
 }
 # return 404 for all other php files not matching the front controller
diff --git a/ideka.dist.env b/ideka.dist.env
deleted file mode 100644
index 0bcda17..0000000
--- a/ideka.dist.env
+++ /dev/null
@@ -1,6 +0,0 @@
-MYSQL_ROOT_PASSWORD=ideka
-MYSQL_USER=ideka
-MYSQL_PASSWORD=ideka
-MYSQL_DATABASE=ideka_api
-
-NGINX_ENABLED_VHOST=local.api.ideka.fr
\ No newline at end of file
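Review bot: The Content-Security-Policy string on the first line contains `reflected-xss block` and `referrer no-referrer`, neither of which is a directive browsers implement (reflected-xss never left the CSP 1.1 draft and the referrer directive was dropped in favour of the Referrer-Policy header this file already sends), so they are ignored with console errors and should be removed from the value. The same policy sets `frame-ancestors 'none'` while line five sends `X-Frame-Options "SAMEORIGIN"`: a CSP-aware browser forbids all framing and an older one allows same-origin framing, so the two should agree, `add_header X-Frame-Options "DENY" always;`. `object-src 'self'` still permits same-origin plugin content and `base-uri`/`form-action` are not covered by `default-src`, so a tighter value that drops the bogus directives would be `"default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self'; object-src 'none'; frame-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests"`, assuming the application serves no plugin content. `Strict-Transport-Security` with `preload` and `includeSubDomains` is a commitment to the browser preload list for the domain and every subdomain, which presumably is not wanted for a `local.*` development vhost, so confirm the flag before it ships. `X-XSS-Protection "1; mode=block"` is deprecated in current browsers and the usual recommendation alongside a CSP is `add_header X-XSS-Protection "0" always;`.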
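Review bot: `fastcgi_buffers 8 16k;` and `fastcgi_buffer_size 32k;` in the local.api.ideka.fr hunk are bare tuning values with no note of what response sizes they were sized for; the header buffer in particular turns any upstream response whose headers exceed 32k into a 502 with an "upstream sent too big header" error, so the rationale belongs in the file: `# 32k header buffer: front controller can emit large Set-Cookie/Link headers — TODO confirm against observed sizes`. The enclosing block (presumably the PHP `location`) opens before this hunk, so check that no earlier `fastcgi_buffer_size` in the same scope is being overridden.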