# Nginx configuration for Post-ERG thesis website (Production) # Place this in /etc/nginx/sites-available/posterg # Then symlink: ln -s /etc/nginx/sites-available/posterg /etc/nginx/sites-enabled/ # Rate limiting zones limit_req_zone $binary_remote_addr zone=general:10m rate=30r/m; limit_req_zone $binary_remote_addr zone=search:10m rate=30r/m; # Admin: already protected by HTTP Basic Auth; rate limiting here only guards # against brute-force on the auth layer, not normal browsing. # 60r/m = 1r/s sustained, burst=20 covers rapid page navigation. limit_req_zone $binary_remote_addr zone=admin:10m rate=60r/m; # Main server block server { listen 80 default_server; listen [::]:80 default_server; server_name posterg.erg.be www.posterg.erg.be; # Document root points to /public (only web-accessible files) # Deployed structure: /var/www/posterg/ # /public - Web root ← THIS DIRECTORY # /admin - Admin interface # /assets - CSS, fonts, icons # /src - PHP source classes (outside webroot) # /storage - SQLite databases (outside webroot) # /templates - PHP templates (outside webroot) # /tests - Test suites (outside webroot) # /bootstrap.php - Application entry point # /router.php - Dev server URL rewriter root /var/www/posterg/public; # Add index.php to the list index index.php index.html index.htm; # Security headers add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; # X-XSS-Protection intentionally omitted — deprecated and counterproductive in modern browsers. # CSP (Content-Security-Policy) is the correct mitigation. add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always; # Server tokens already disabled in nginx.conf # server_tokens off; # Max upload size (for thesis files) client_max_body_size 100M; client_body_timeout 120s; # Logging access_log /var/log/nginx/posterg_access.log; error_log /var/log/nginx/posterg_error.log warn; # Block access to hidden files (except .well-known for Let's Encrypt) location ~ /\.(?!well-known).* { deny all; access_log off; log_not_found off; } # Deny access to sensitive files and extensions location ~* \.(md|txt|sql|sh|json|gitignore|git|env|db-journal)$ { deny all; access_log off; log_not_found off; } # Deny access to SQLite database files location ~* \.db$ { deny all; access_log off; log_not_found off; } # Deny access to log files location ~* \.log$ { deny all; access_log off; log_not_found off; } # Deny access to directories outside webroot (defense-in-depth) # These paths shouldn't be accessible anyway since they're outside /public # but we deny explicitly for additional security location ^~ /storage/ { deny all; } location ^~ /src/ { deny all; } location ^~ /templates/ { deny all; } location ^~ /config/ { deny all; } location ^~ /tests/ { deny all; } location ^~ /scripts/ { deny all; } location ^~ /docs/ { deny all; } # Admin panel - password protected location ^~ /admin/ { # HTTP Basic Authentication (first layer) auth_basic "Admin Access - Post-ERG"; auth_basic_user_file /etc/nginx/.htpasswd-posterg; # Rate limiting for admin limit_req zone=admin burst=20 nodelay; # Content-Security-Policy - Admin policy # script-src needs 'unsafe-inline' for the OverType editor init block # and the live-reload poller (dev only). Admin is already auth-gated. add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none';" always; # Disable directory listing autoindex off; # PHP handling for admin (AdminAuth provides second layer) location ~ \.php$ { include snippets/fastcgi-php.conf; fastcgi_pass unix:/var/run/php/php8.4-fpm.sock; # Security parameters fastcgi_param PHP_VALUE "upload_max_filesize=50M \n post_max_size=100M"; # Timeouts fastcgi_read_timeout 120; fastcgi_send_timeout 120; } # Additional security headers for admin add_header X-Robots-Tag "noindex, nofollow" always; # Try to serve file, otherwise 404 try_files $uri $uri/ =404; } # Share-link (partage) — rewrite pretty URLs to index.php location /partage/ { try_files $uri /partage/index.php$is_args$args; } # Search endpoint - rate limiting location = /search.php { limit_req zone=search burst=10 nodelay; include snippets/fastcgi-php.conf; fastcgi_pass unix:/var/run/php/php8.4-fpm.sock; } # PHP files handler (public pages) location ~ \.php$ { # Rate limiting for general PHP requests limit_req zone=general burst=20 nodelay; include snippets/fastcgi-php.conf; fastcgi_pass unix:/var/run/php/php8.4-fpm.sock; # Security parameters fastcgi_param PHP_VALUE "upload_max_filesize=50M \n post_max_size=100M"; # Timeouts fastcgi_read_timeout 120; fastcgi_send_timeout 120; } # Static files caching location ~* \.(jpg|jpeg|png|gif|ico|css|js|svg|woff|woff2|ttf|otf)$ { expires 30d; add_header Cache-Control "public, immutable"; access_log off; } # PDF files (thesis documents) location ~* \.pdf$ { expires 7d; add_header Cache-Control "public"; add_header Content-Disposition "inline"; } # Silence favicon.ico 404s — browsers that ignore still request this location = /favicon.ico { return 204; access_log off; log_not_found off; } # Root location - try files or 404 location / { try_files $uri $uri/ =404; } # Deny access to .htaccess files location ~ /\.ht { deny all; } }