diff --git a/.github/workflows/staging-deploy.yml b/.github/workflows/staging-deploy.yml index ef0564d..cab4799 100644 --- a/.github/workflows/staging-deploy.yml +++ b/.github/workflows/staging-deploy.yml @@ -7,7 +7,9 @@ jobs: deploy: name: 🚀 Execute Deployment Script on Server runs-on: ubuntu-latest - environment: staging + environment: + name: staging + url: https://staging.smswithoutborders.com:18000 steps: - name: 🚀 Execute Remote SSH Commands uses: appleboy/ssh-action@master diff --git a/docker-compose.yml b/docker-compose.yml index fdab687..12c0954 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -12,3 +12,4 @@ services: volumes: - ${SSL_CERTIFICATE_PATH:?err}:/etc/nginx/ssl/cert.pem - ${SSL_KEY_PATH:?err}:/etc/nginx/ssl/key.pem + - ${SSL_CHAIN_PATH:?err}:/etc/nginx/ssl/chain.pem diff --git a/nginx/nginx.conf.template b/nginx/nginx.conf.template index 5b12444..eb0babf 100644 --- a/nginx/nginx.conf.template +++ b/nginx/nginx.conf.template @@ -1,4 +1,3 @@ -# Server configuration server { listen 80; server_name {{SERVER_NAME}}; @@ -9,43 +8,36 @@ server { listen 443 ssl http2; server_name {{SERVER_NAME}}; - # SSL configuration ssl_certificate /etc/nginx/ssl/cert.pem; ssl_certificate_key /etc/nginx/ssl/key.pem; ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers on; - ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'; + ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; ssl_ecdh_curve secp384r1; ssl_session_cache shared:SSL:10m; ssl_session_tickets off; ssl_stapling on; ssl_stapling_verify on; + ssl_trusted_certificate /etc/nginx/ssl/chain.pem; resolver 8.8.8.8 8.8.4.4 valid=300s; resolver_timeout 5s; - add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; - add_header X-Frame-Options DENY; - add_header X-Content-Type-Options nosniff; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; add_header X-XSS-Protection "1; mode=block"; - add_header Referrer-Policy "no-referrer-when-downgrade"; - add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://fonts.gstatic.com https://cdnjs.cloudflare.com; img-src 'self' data: https://www.google-analytics.com; connect-src 'self' https://www.google-analytics.com;"; - - # Include additional security-related headers - add_header X-Frame-Options SAMEORIGIN; + add_header Referrer-Policy "strict-origin"; + add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://cdnjs.cloudflare.com; style-src 'self' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https://www.google-analytics.com; connect-src 'self' https://www.google-analytics.com; frame-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'; object-src 'none'; manifest-src 'self'; worker-src 'self'; prefetch-src 'self'; child-src 'self';"; + add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()"; + add_header X-Frame-Options "SAMEORIGIN"; add_header X-Content-Type-Options nosniff; - # Disable server tokens server_tokens off; - # Access and error logs access_log /var/log/nginx/access.log; error_log /var/log/nginx/error.log; - # Root and index root /usr/share/nginx/html; index index.html; - # Location block for static files location / { - try_files $uri $uri/ =404; + try_files $uri $uri/ /index.html; } }