update nginx headers

Dmitriy Kholkin 2022-05-18 01:23:15 +03:00
parent db7ce86b7e
commit d05cafd08a


@ -46,8 +46,12 @@
clientMaxBodySize = "250m";
commonHttpConfig = ''
proxy_hide_header X-Frame-Options;
proxy_hide_header content-security-policy;
add_header X-Frame-Options "ALLOW-FROM https://organizr.ataraxiadev.com";
proxy_hide_header Content-Security-Policy;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "frame-ancestors 'self' https://*.ataraxiadev.com moz-extension://43a2224f-fe82-45d7-bdc3-c218984e73c8";
add_header X-Robots-Tag "none";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header X-Content-Type-Options "nosniff";
'';
virtualHosts = let
default = {
@ -68,7 +72,7 @@
hardened = {
extraConfig = ''
add_header X-XSS-Protection "1; mode=block";
# add_header X-Frame-Options "SAMEORIGIN";
add_header Content-Security-Policy "frame-ancestors 'self' https://*.ataraxiadev.com";
add_header X-Robots-Tag "none";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header X-Content-Type-Options "nosniff";
@ -82,6 +86,19 @@
proxy_set_header X-Forwarded-For $remote_addr;
'';
};
locations."/" = {
extraConfig = "try_files $uri $uri/ =404;";
};
locations."/cgi-bin/" = with config.services; {
extraConfig = ''
gzip off;
root /srv/http/ataraxiadev.com;
fastcgi_pass ${fcgiwrap.socketType}:${fcgiwrap.socketAddress};
include ${pkgs.nginx}/conf/fastcgi_params;
include ${pkgs.nginx}/conf/fastcgi.conf;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
'';
};
} // default;
"matrix:443" = {
serverAliases = [
@ -190,5 +207,11 @@
};
};
services.fcgiwrap = {
enable = true;
user = config.services.nginx.user;
group = config.services.nginx.group;
};
networking.firewall.allowedTCPPorts = [ 80 443 8448 ];
}
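Review bot: The new `services.fcgiwrap` block at the end of the file runs the CGI worker as `config.services.nginx.user`, so every script served from `/cgi-bin/` executes with the web server's own privileges and can read whatever nginx can, which typically includes the TLS private keys and the content of the other virtual hosts. Giving fcgiwrap its own unprivileged account, e.g. `user = "fcgiwrap"; group = "fcgiwrap";` with that account declared under `users.users` and the socket kept reachable by nginx, would contain a faulty or tampered script. In the same location, `fastcgi.conf` already carries everything in `fastcgi_params` plus `SCRIPT_FILENAME`, so including both and then setting `SCRIPT_FILENAME` again sends duplicate parameters to the backend; `include ${pkgs.nginx}/conf/fastcgi_params;` followed by the explicit `fastcgi_param SCRIPT_FILENAME` line is enough. The rest of the hardened vhost lies outside the visible hunks, so whether anything else restricts access to `/cgi-bin/` cannot be told from here.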