update docker demo server
This commit is contained in:
@@ -61,10 +61,8 @@ services:
|
|||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
ports:
|
ports:
|
||||||
- "8082:80"
|
- "8082:80"
|
||||||
- "8444:443"
|
|
||||||
volumes:
|
volumes:
|
||||||
- ./docker/nginx-proxy.conf:/etc/nginx/nginx.conf:ro
|
- ./docker/nginx-proxy.conf:/etc/nginx/nginx.conf:ro
|
||||||
- ssl_certificates:/etc/nginx/ssl:ro
|
|
||||||
- certbot_www:/var/www/certbot:ro
|
- certbot_www:/var/www/certbot:ro
|
||||||
- nginx_logs:/var/log/nginx
|
- nginx_logs:/var/log/nginx
|
||||||
depends_on:
|
depends_on:
|
||||||
|
|||||||
@@ -104,78 +104,4 @@ http {
|
|||||||
deny all;
|
deny all;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
# HTTPS server configuration
|
|
||||||
server {
|
|
||||||
listen 443 ssl http2;
|
|
||||||
server_name bengkel.digitaloasis.xyz www.bengkel.digitaloasis.xyz _;
|
|
||||||
|
|
||||||
# SSL configuration
|
|
||||||
ssl_certificate /etc/nginx/ssl/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/nginx/ssl/privkey.pem;
|
|
||||||
|
|
||||||
# Modern SSL configuration
|
|
||||||
ssl_protocols TLSv1.2 TLSv1.3;
|
|
||||||
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384;
|
|
||||||
ssl_prefer_server_ciphers off;
|
|
||||||
ssl_session_cache shared:SSL:10m;
|
|
||||||
ssl_session_timeout 10m;
|
|
||||||
|
|
||||||
# Security headers
|
|
||||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
|
||||||
add_header X-Frame-Options "SAMEORIGIN" always;
|
|
||||||
add_header X-Content-Type-Options "nosniff" always;
|
|
||||||
add_header X-XSS-Protection "1; mode=block" always;
|
|
||||||
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
|
||||||
|
|
||||||
# Proxy settings
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
proxy_set_header X-Forwarded-Host $server_name;
|
|
||||||
proxy_set_header X-Forwarded-Port $server_port;
|
|
||||||
|
|
||||||
# Handle static files
|
|
||||||
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
|
|
||||||
proxy_pass http://app;
|
|
||||||
expires 1y;
|
|
||||||
add_header Cache-Control "public, immutable";
|
|
||||||
}
|
|
||||||
|
|
||||||
# Rate limiting for login endpoints
|
|
||||||
location ~ ^/(login|register|password) {
|
|
||||||
limit_req zone=login burst=5 nodelay;
|
|
||||||
proxy_pass http://app;
|
|
||||||
}
|
|
||||||
|
|
||||||
# Rate limiting for API endpoints
|
|
||||||
location /api/ {
|
|
||||||
limit_req zone=api burst=20 nodelay;
|
|
||||||
proxy_pass http://app;
|
|
||||||
}
|
|
||||||
|
|
||||||
# Main application
|
|
||||||
location / {
|
|
||||||
proxy_pass http://app;
|
|
||||||
proxy_read_timeout 300;
|
|
||||||
proxy_connect_timeout 300;
|
|
||||||
proxy_send_timeout 300;
|
|
||||||
}
|
|
||||||
|
|
||||||
# Health check endpoint
|
|
||||||
location /health {
|
|
||||||
access_log off;
|
|
||||||
proxy_pass http://app;
|
|
||||||
}
|
|
||||||
|
|
||||||
# Block access to sensitive files
|
|
||||||
location ~ /\. {
|
|
||||||
deny all;
|
|
||||||
}
|
|
||||||
|
|
||||||
location ~ ^/(storage|bootstrap/cache) {
|
|
||||||
deny all;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
Reference in New Issue
Block a user