PostERG/xamxam
1
0
Fork 0
mirror of https://codeberg.org/PostERG/xamxam.git synced 2026-05-06 11:09:18 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
d2b3c6ca67119b73d49555dd6f2e4a9ce87ccf19
xamxam/nginx/posterg.conf
Théophile Gervreau-Mercier f23fbb481b Nginx config, working deploy, basic theme, repo cleanup
2026-02-05 17:37:07 +01:00

141 lines
3.9 KiB
Plaintext
Raw Blame History

# Nginx configuration for Post-ERG thesis website (Production)
# Based on existing default config with security enhancements
# Place this in /etc/nginx/sites-available/posterg
# Rate limiting zones
limit_req_zone $binary_remote_addr zone=general:10m rate=30r/m;
limit_req_zone $binary_remote_addr zone=search:10m rate=30r/m;
limit_req_zone $binary_remote_addr zone=admin:10m rate=10r/m;
# Main server block
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name posterg.erg.be www.posterg.erg.be;
root /var/www/html;
# Add index.php to the list
index index.php index.html index.htm;
# Security headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
# Server tokens already disabled in nginx.conf
# server_tokens off;
# Max upload size (for thesis files)
client_max_body_size 100M;
client_body_timeout 120s;
# Logging
access_log /var/log/nginx/posterg_access.log;
error_log /var/log/nginx/posterg_error.log warn;
# Block access to hidden files (except .well-known for Let's Encrypt)
location ~ /\.(?!well-known).* {
deny all;
access_log off;
log_not_found off;
}
# Deny access to sensitive files
location ~* \.(md|txt|sql|sh|json|gitignore)$ {
deny all;
}
# Deny access to database directory
location ^~ /database/ {
deny all;
}
# Deny access to shared/ directory (PHP includes only)
location ^~ /shared/ {
deny all;
}
# Deny access to data directory
location ^~ /data/ {
deny all;
}
# Admin panel - password protected
location ^~ /formulaire/ {
# HTTP Basic Authentication
auth_basic "Admin Access - Post-ERG";
auth_basic_user_file /etc/nginx/.htpasswd-posterg;
# Rate limiting for admin
limit_req zone=admin burst=5 nodelay;
# Allow access to public assets without authentication
location ~ ^/formulaire/(css|js|images)/ {
auth_basic off;
}
# PHP handling for admin
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.4-fpm.sock;
}
# Additional security headers for admin
add_header X-Robots-Tag "noindex, nofollow" always;
# Try to serve file, otherwise 404
try_files $uri $uri/ =404;
}
# Search endpoint - rate limiting
location = /search.php {
limit_req zone=search burst=10 nodelay;
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.4-fpm.sock;
}
# PHP files handler
location ~ \.php$ {
# Rate limiting for general PHP requests
limit_req zone=general burst=20 nodelay;
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.4-fpm.sock;
# Security parameters
fastcgi_param PHP_VALUE "upload_max_filesize=50M \n post_max_size=100M";
# Timeouts
fastcgi_read_timeout 120;
fastcgi_send_timeout 120;
}
# Static files caching
location ~* \.(jpg|jpeg|png|gif|ico|css|js|svg|woff|woff2|ttf|otf)$ {
expires 30d;
add_header Cache-Control "public, immutable";
access_log off;
}
# PDF files (thesis documents)
location ~* \.pdf$ {
expires 7d;
add_header Cache-Control "public";
add_header Content-Disposition "inline";
}
# Root location - try files or 404
location / {
try_files $uri $uri/ =404;
}
# Deny access to .htaccess files (if Apache's document root concurs with nginx's)
location ~ /\.ht {
deny all;
}
}
Reference in New Issue View Git Blame Copy Permalink