PostERG/xamxam
1
0
Fork 0
mirror of https://codeberg.org/PostERG/xamxam.git synced 2026-06-25 16:19:19 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
84869ad9681136b4e925a3925556cc0979df7740
xamxam/nginx/xamxam.conf

265 lines
9.1 KiB
Plaintext
Raw Blame History

# Nginx configuration for XAMXAM thesis website (Production)
# Place this in /etc/nginx/sites-available/xamxam
# Then symlink: ln -s /etc/nginx/sites-available/xamxam /etc/nginx/sites-enabled/
# Rate limiting zones
limit_req_zone $binary_remote_addr zone=general:10m rate=30r/m;
limit_req_zone $binary_remote_addr zone=search:10m rate=30r/m;
# Admin: already protected by HTTP Basic Auth; rate limiting here only guards
# against brute-force on the auth layer, not normal browsing.
# Contenu.php triggers ~12 concurrent HTMX GETs on page load, so we need a
# generous burst. 300r/m = 5r/s sustained, burst=30 handles all fragments
# without dropping any, while still limiting brute-force attempts.
limit_req_zone $binary_remote_addr zone=admin:10m rate=300r/m;
# Main server block
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name xamxam.erg.be www.xamxam.erg.be;
# Document root points to /public (only web-accessible files)
# Deployed structure: /var/www/xamxam/
# /public - Web root ← THIS DIRECTORY
# /admin - Admin interface
# /assets - CSS, fonts, icons
# /src - PHP source classes (outside webroot)
# /storage - SQLite databases (outside webroot)
# /templates - PHP templates (outside webroot)
# /tests - Test suites (outside webroot)
# /bootstrap.php - Application entry point
# /router.php - Dev server URL rewriter
root /var/www/xamxam/public;
# Add index.php to the list
index index.php index.html index.htm;
# ── Compression ─────────────────────────────────────────────────────
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_min_length 256;
gzip_types
text/plain
text/css
text/javascript
application/javascript
application/json
application/xml
text/xml
image/svg+xml
application/x-font-ttf
font/opentype;
# Security headers
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload;" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none';" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
add_header Cross-Origin-Opener-Policy "same-origin" always;
add_header Cross-Origin-Resource-Policy "same-origin" always;
# Server tokens already disabled in nginx.conf
# server_tokens off;
# Max upload size (for thesis files — can include video)
client_max_body_size 8192M;
client_body_timeout 600s;
# Logging
access_log /var/log/nginx/xamxam_access.log;
error_log /var/log/nginx/xamxam_error.log warn;
# Block access to hidden files (except .well-known for Let's Encrypt)
location ~ /\.(?!well-known).* {
deny all;
access_log off;
log_not_found off;
}
# Deny access to sensitive files and extensions
location ~* \.(md|txt|sql|sh|json|gitignore|git|env|db-journal)$ {
deny all;
access_log off;
log_not_found off;
}
# Deny access to SQLite database files
location ~* \.db$ {
deny all;
access_log off;
log_not_found off;
}
# Deny access to log files
location ~* \.log$ {
deny all;
access_log off;
log_not_found off;
}
# Deny access to directories outside webroot (defense-in-depth)
# These paths shouldn't be accessible anyway since they're outside /public
# but we deny explicitly for additional security
location ^~ /storage/ {
deny all;
}
location ^~ /src/ {
deny all;
}
location ^~ /templates/ {
deny all;
}
location ^~ /config/ {
deny all;
}
location ^~ /tests/ {
deny all;
}
location ^~ /scripts/ {
deny all;
}
location ^~ /docs/ {
deny all;
}
# Admin panel - password protected at the PHP layer (AdminAuth)
location ^~ /admin/ {
# Rate limiting for admin
# 300r/m rate + burst=30 allows all concurrent HTMX fragments (up to ~12
# on contenus.php) while still capping brute-force at 5 req/s sustained.
limit_req zone=admin burst=30 nodelay;
# Content-Security-Policy - Admin policy
# script-src needs 'unsafe-inline' for the OverType editor init block
# and the live-reload poller (dev only). Admin is already auth-gated.
# 'unsafe-eval' is required by htmx (uses Function() internally).
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none';" always;
# Disable directory listing
autoindex off;
# PHP handling for admin (AdminAuth provides auth layer)
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.4-fpm.sock;
# Security parameters (must be <= client_max_body_size)
fastcgi_param PHP_VALUE "upload_max_filesize=8192M \n post_max_size=8192M";
# Timeouts
fastcgi_read_timeout 600;
fastcgi_send_timeout 600;
}
# Additional security headers for admin
add_header X-Robots-Tag "noindex, nofollow" always;
# Try to serve file, otherwise 404
try_files $uri $uri/ =404;
}
# Share-link (partage) — handled by front controller
location /partage/ {
# Serve PHP fragments directly
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.4-fpm.sock;
fastcgi_param PHP_VALUE "upload_max_filesize=8192M \n post_max_size=8192M";
fastcgi_read_timeout 600;
fastcgi_send_timeout 600;
}
try_files $uri /index.php$is_args$args;
}
# /media — served by front controller (MediaController validates + streams)
# Override frame-ancestors to 'self' so Firefox's built-in PDF viewer
# can display PDFs inline (Firefox uses an internal iframe for PDF.js).
# Direct fastcgi_pass to /index.php (no try_files) so add_header survives —
# try_files triggers an internal redirect to location = /index.php, which
# loses this CSP override and inherits the server-block frame-ancestors 'none'.
location = /media {
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'self';" always;
# Direct fastcgi_pass to /index.php (no try_files) so add_header survives.
# We can't use snippets/fastcgi-php.conf because its try_files
# $fastcgi_script_name =404 would fail — $fastcgi_script_name is /media
# (no .php extension). Include fastcgi.conf directly instead.
include fastcgi.conf;
fastcgi_param SCRIPT_FILENAME $document_root/index.php;
fastcgi_param SCRIPT_NAME /index.php;
fastcgi_pass unix:/var/run/php/php8.4-fpm.sock;
fastcgi_param PHP_VALUE "upload_max_filesize=8192M \n post_max_size=8192M";
fastcgi_read_timeout 600;
fastcgi_send_timeout 600;
}
# /live-reload — served by front controller
location = /live-reload {
try_files $uri /index.php$is_args$args;
}
# Maintenance page
location = /maintenance {
try_files $uri /index.php$is_args$args;
}
# Front controller — all PHP requests routed through index.php
location = /index.php {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.4-fpm.sock;
# Security parameters (must be <= client_max_body_size)
fastcgi_param PHP_VALUE "upload_max_filesize=8192M \n post_max_size=8192M";
# Timeouts
fastcgi_read_timeout 600;
fastcgi_send_timeout 600;
}
# All other clean URLs — fall through to front controller
location / {
try_files $uri $uri/ /index.php$is_args$args;
}
# Block all other direct PHP access (security)
location ~ \.php$ {
deny all;
}
# Static files caching
location ~* \.(jpg|jpeg|png|gif|ico|css|js|svg|woff|woff2|ttf|otf)$ {
expires 30d;
add_header Cache-Control "public, immutable";
access_log off;
}
# PDF files (thesis documents)
location ~* \.pdf$ {
expires 7d;
add_header Cache-Control "public";
add_header Content-Disposition "inline";
}
# Silence favicon.ico 404s
location = /favicon.ico {
return 204;
access_log off;
log_not_found off;
}
# Deny access to .htaccess files
location ~ /\.ht {
deny all;
}
}
Reference in New Issue View Git Blame Copy Permalink