PostERG/xamxam
1
0
Fork 0
mirror of https://codeberg.org/PostERG/xamxam.git synced 2026-05-07 11:39:18 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
33987c9b1589085d029edbfd5bff37066303844b
xamxam/nginx/posterg.conf.reference.old
Théophile Gervreau-Mercier 942a93a3ad refactor: update nginx config for new structure 
- Updated posterg.conf with new directory structure
- Document root: /var/www/posterg/public
- Explicitly deny access to: /src, /templates, /config, /storage, /tests, /scripts, /docs
- Added structure diagram in comments
- Updated deploy scripts security checks
- Replaced outdated posterg.conf.reference

All non-public directories outside webroot for security.
Defense-in-depth: explicit deny rules even though paths outside /public.
2026-02-12 12:20:31 +01:00

284 lines
7.6 KiB
Plaintext
Raw Blame History

# Nginx configuration for Post-ERG thesis website
# Place this in /etc/nginx/sites-available/posterg
# Then symlink: ln -s /etc/nginx/sites-available/posterg /etc/nginx/sites-enabled/
# Rate limiting zones
limit_req_zone $binary_remote_addr zone=general:10m rate=30r/m;
limit_req_zone $binary_remote_addr zone=search:10m rate=30r/m;
limit_req_zone $binary_remote_addr zone=admin:10m rate=10r/m;
# Server block - HTTP (redirect to HTTPS in production)
server {
listen 80;
listen [::]:80;
server_name posterg.erg.be www.posterg.erg.be;
# Redirect all HTTP to HTTPS (uncomment in production)
# return 301 https://$server_name$request_uri;
# For development/testing, allow HTTP
root /var/www/html;
index index.php index.html;
# Security headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
# Disable server tokens
server_tokens off;
# Max upload size (for thesis files)
client_max_body_size 100M;
client_body_timeout 120s;
# Logging
access_log /var/log/nginx/posterg_access.log;
error_log /var/log/nginx/posterg_error.log warn;
# Block common attack patterns
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
location ~ \.(git|env|db-journal)$ {
deny all;
access_log off;
log_not_found off;
}
# Deny access to sensitive files
location ~* \.(md|txt|sql|sh|json)$ {
deny all;
}
# Deny access to database files
location ~* \.db$ {
deny all;
}
# Deny access to shared/ directory (PHP includes only)
location /shared/ {
deny all;
}
# Deny access to tests directory
location /tests/ {
deny all;
}
# Deny access to cache directory
location /cache/ {
deny all;
}
# Admin panel - password protected
location /formulaire/ {
alias /var/www/html/formulaire/;
# HTTP Basic Authentication
auth_basic "Admin Access - Post-ERG";
auth_basic_user_file /etc/nginx/.htpasswd-posterg;
# Rate limiting for admin
limit_req zone=admin burst=5 nodelay;
# PHP handling
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
fastcgi_param SCRIPT_FILENAME $request_filename;
}
# Additional security for admin
add_header X-Robots-Tag "noindex, nofollow" always;
}
# Search endpoint - rate limiting
location /search.php {
limit_req zone=search burst=10 nodelay;
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
}
# Public PHP files
location ~ \.php$ {
limit_req zone=general burst=20 nodelay;
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
# Security parameters
fastcgi_param PHP_VALUE "upload_max_filesize=50M \n post_max_size=100M";
fastcgi_param PHP_ADMIN_VALUE "open_basedir=/var/www/html:/tmp";
# Timeouts
fastcgi_read_timeout 120;
fastcgi_send_timeout 120;
}
# Static files caching
location ~* \.(jpg|jpeg|png|gif|ico|css|js|svg|woff|woff2|ttf|otf)$ {
expires 30d;
add_header Cache-Control "public, immutable";
access_log off;
}
# Root location
location / {
try_files $uri $uri/ =404;
}
# Deny access to specific file types in data directories
location ~* /data/.*\.(php|sh|py)$ {
deny all;
}
}
# Server block - HTTPS (production)
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name posterg.erg.be www.posterg.erg.be;
root /var/www/html;
index index.php index.html;
# SSL certificates (Let's Encrypt)
# Run: certbot --nginx -d posterg.erg.be -d www.posterg.erg.be
ssl_certificate /etc/letsencrypt/live/posterg.erg.be/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/posterg.erg.be/privkey.pem;
# SSL configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_stapling on;
ssl_stapling_verify on;
# Security headers (HTTPS)
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
# Disable server tokens
server_tokens off;
# Max upload size
client_max_body_size 100M;
client_body_timeout 120s;
# Logging
access_log /var/log/nginx/posterg_ssl_access.log;
error_log /var/log/nginx/posterg_ssl_error.log warn;
# Block common attack patterns
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
location ~ \.(git|env|db-journal)$ {
deny all;
access_log off;
log_not_found off;
}
# Deny access to sensitive files
location ~* \.(md|txt|sql|sh|json)$ {
deny all;
}
# Deny access to database files
location ~* \.db$ {
deny all;
}
# Deny access to shared/ directory
location /shared/ {
deny all;
}
# Deny access to tests directory
location /tests/ {
deny all;
}
# Deny access to cache directory
location /cache/ {
deny all;
}
# Admin panel - password protected
location /formulaire/ {
alias /var/www/html/formulaire/;
# HTTP Basic Authentication
auth_basic "Admin Access - Post-ERG";
auth_basic_user_file /etc/nginx/.htpasswd-posterg;
# Rate limiting
limit_req zone=admin burst=5 nodelay;
# PHP handling
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
fastcgi_param SCRIPT_FILENAME $request_filename;
}
# Security headers
add_header X-Robots-Tag "noindex, nofollow" always;
}
# Search endpoint - rate limiting
location /search.php {
limit_req zone=search burst=10 nodelay;
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
}
# Public PHP files
location ~ \.php$ {
limit_req zone=general burst=20 nodelay;
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
# Security parameters
fastcgi_param PHP_VALUE "upload_max_filesize=50M \n post_max_size=100M";
fastcgi_param PHP_ADMIN_VALUE "open_basedir=/var/www/html:/tmp";
# Timeouts
fastcgi_read_timeout 120;
fastcgi_send_timeout 120;
}
# Static files caching
location ~* \.(jpg|jpeg|png|gif|ico|css|js|svg|woff|woff2|ttf|otf)$ {
expires 30d;
add_header Cache-Control "public, immutable";
access_log off;
}
# Root location
location / {
try_files $uri $uri/ =404;
}
# Deny access to script files in data directories
location ~* /data/.*\.(php|sh|py)$ {
deny all;
}
}
Reference in New Issue View Git Blame Copy Permalink