feat: Add trust resolver to nginx config

smswithoutborders · Mar 27, 2024 · 1c6e192 · 1c6e192
1 parent b12e978
commit 1c6e192
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 17 deletions.
diff --git a/.github/workflows/staging-deploy.yml b/.github/workflows/staging-deploy.yml
@@ -7,7 +7,9 @@ jobs:
   deploy:
     name: 🚀 Execute Deployment Script on Server
     runs-on: ubuntu-latest
-    environment: staging
+    environment:
+      name: staging
+      url: https://staging.smswithoutborders.com:18000
     steps:
       - name: 🚀 Execute Remote SSH Commands
         uses: appleboy/ssh-action@master

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -12,3 +12,4 @@ services:
     volumes:
       - ${SSL_CERTIFICATE_PATH:?err}:/etc/nginx/ssl/cert.pem
       - ${SSL_KEY_PATH:?err}:/etc/nginx/ssl/key.pem
+      - ${SSL_CHAIN_PATH:?err}:/etc/nginx/ssl/chain.pem
diff --git a/nginx/nginx.conf.template b/nginx/nginx.conf.template
@@ -1,4 +1,3 @@
-# Server configuration
 server {
     listen 80;
     server_name {{SERVER_NAME}};
@@ -9,43 +8,36 @@ server {
     listen 443 ssl http2;
     server_name {{SERVER_NAME}};
 
-    # SSL configuration
     ssl_certificate /etc/nginx/ssl/cert.pem;
     ssl_certificate_key /etc/nginx/ssl/key.pem;
     ssl_protocols TLSv1.2 TLSv1.3;
     ssl_prefer_server_ciphers on;
-    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
+    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
     ssl_ecdh_curve secp384r1;
     ssl_session_cache shared:SSL:10m;
     ssl_session_tickets off;
     ssl_stapling on;
     ssl_stapling_verify on;
+    ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
     resolver 8.8.8.8 8.8.4.4 valid=300s;
     resolver_timeout 5s;
-    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
-    add_header X-Frame-Options DENY;
-    add_header X-Content-Type-Options nosniff;
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
     add_header X-XSS-Protection "1; mode=block";
-    add_header Referrer-Policy "no-referrer-when-downgrade";
-    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://fonts.gstatic.com https://cdnjs.cloudflare.com; img-src 'self' data: https://www.google-analytics.com; connect-src 'self' https://www.google-analytics.com;";
-
-    # Include additional security-related headers
-    add_header X-Frame-Options SAMEORIGIN;
+    add_header Referrer-Policy "strict-origin";
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://cdnjs.cloudflare.com; style-src 'self' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https://www.google-analytics.com; connect-src 'self' https://www.google-analytics.com; frame-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; object-src 'none'; manifest-src 'self'; worker-src 'self'; prefetch-src 'self'; child-src 'self';";
+    add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()";
+    add_header X-Frame-Options "SAMEORIGIN";
     add_header X-Content-Type-Options nosniff;
 
-    # Disable server tokens
     server_tokens off;
 
-    # Access and error logs
     access_log /var/log/nginx/access.log;
     error_log /var/log/nginx/error.log;
 
-    # Root and index
     root /usr/share/nginx/html;
     index index.html;
 
-    # Location block for static files
     location / {
-        try_files $uri $uri/ =404;
+        try_files $uri $uri/ /index.html;
     }
 }