
@azer
Last active October 27, 2024 07:37
nginx_default.conf
# Rate limiting zones
# Both zones are keyed on the client address in binary form and each
# reserves 10 MB of shared memory for per-key state.
# NOTE(review): if this server sits behind a reverse proxy, load balancer
# or CDN, $binary_remote_addr is the proxy's address and every client
# shares one bucket - confirm the deployment topology before relying on
# these limits.
# "one": request-rate zone, 1 request per second per key.
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
# "addr": concurrent-connection zone; the cap itself is set by limit_conn.
limit_conn_zone $binary_remote_addr zone=addr:10m;
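# Catch-all HTTP virtual host serving static content.
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    # NOTE(review): nginx does not expand shell environment variables in
    # its configuration; "$USER" here is parsed as an nginx variable.
    # Presumably a placeholder for the real account name - replace it with
    # a literal path before deploying.
    root /home/$USER/dev/www/default;
    index index.html index.htm;
    server_name _;

    # Prevent information disclosure (hides the nginx version in the
    # Server header and on built-in error pages)
    server_tokens off;

    # Redirect handling: emit relative redirects without host or port
    absolute_redirect off;
    port_in_redirect off;
    server_name_in_redirect off;

    # Security headers
    # add_header is inherited by a location only when that location
    # defines no add_header of its own, so any location that sets a header
    # must repeat this list.
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    # NOTE(review): X-XSS-Protection is a legacy header that current
    # browsers ignore; a Content-Security-Policy is the maintained
    # replacement and is not set anywhere in this file.
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()" always;
    # NOTE(review): this server listens on plain HTTP (port 80) only, and
    # browsers ignore Strict-Transport-Security on non-TLS responses. The
    # header takes effect only if TLS is terminated in front of this
    # server; "includeSubDomains; preload" is a long-lived commitment for
    # the whole domain, so confirm every subdomain serves HTTPS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    # Default character set
    charset utf-8;

    # Error pages
    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;

    # Root location
    location = / {
        index index.html;
    }

    # Deny access to hidden files
    # Regex locations are tried in file order and the first match wins, so
    # this block must come before the static-file regex; otherwise a
    # dot-path ending in a listed extension would be served as a static
    # asset instead of being denied.
    # NOTE(review): this also denies /.well-known/ (used by ACME HTTP-01
    # validation among others); add an explicit location for it if needed.
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Handle static files
    location ~* \.(jpg|jpeg|png|gif|ico|css|js|svg|woff|woff2|ttf|eot)$ {
        expires 30d;
        add_header Cache-Control "public, no-transform";
        # This location sets its own add_header, which disables inheritance
        # of the server-level headers, so they are repeated here. Keep this
        # list in sync with the server-level list.
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
        add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()" always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    }

    # Main location block
    location / {
        try_files $uri $uri/ =404;

        # Basic DoS protection
        # These limits cover only requests handled by this location;
        # requests matched by the static-file regex are not rate limited.
        # Up to 10 requests above the 1 r/s rate are served immediately
        # (nodelay); the rest are rejected.
        limit_req zone=one burst=10 nodelay;
        # At most 10 concurrent connections per key in zone "addr"
        limit_conn addr 10;
    }
}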