f4775366ef
Replace Dokploy runtime git clone with Dockerfile build to keep tokens out of the container, add nginx security headers and path whitelist, and scrub templates from the running image after HTML generation. Co-authored-by: Cursor <cursoragent@cursor.com>
59 lines
1.8 KiB
Plaintext
59 lines
1.8 KiB
Plaintext
server {
|
|
listen 80;
|
|
server_name _;
|
|
|
|
root /usr/share/nginx/html;
|
|
index index.html;
|
|
|
|
# Gzip compression
|
|
gzip on;
|
|
gzip_types text/plain text/css application/json application/javascript text/xml application/xml image/svg+xml;
|
|
gzip_min_length 1024;
|
|
|
|
# Block hidden files and sensitive extensions
|
|
location ~ /\. {
|
|
deny all;
|
|
return 404;
|
|
}
|
|
|
|
location ~* \.(sh|template|env|yml|yaml|md|git|bak|sql|log)$ {
|
|
deny all;
|
|
return 404;
|
|
}
|
|
|
|
# Main page
|
|
location = / {
|
|
try_files /index.html =404;
|
|
}
|
|
|
|
location = /index.html {
|
|
add_header Cache-Control "no-cache";
|
|
}
|
|
|
|
# Web app manifest
|
|
location = /site.webmanifest {
|
|
default_type application/manifest+json;
|
|
expires 30d;
|
|
add_header Cache-Control "public, immutable";
|
|
}
|
|
|
|
# Assets - long cache for images
|
|
location /assets/ {
|
|
expires 30d;
|
|
add_header Cache-Control "public, immutable";
|
|
try_files $uri =404;
|
|
}
|
|
|
|
# Everything else → 404 (no fallback to index.html)
|
|
location / {
|
|
return 404;
|
|
}
|
|
|
|
# Security headers
|
|
add_header X-Frame-Options SAMEORIGIN always;
|
|
add_header X-Content-Type-Options nosniff always;
|
|
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
|
add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()" always;
|
|
add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://www.youtube.com https://www.gstatic.com; style-src 'self' 'unsafe-inline'; img-src 'self' https://img.youtube.com data:; frame-src https://www.youtube.com; connect-src 'self' https://www.youtube.com; base-uri 'self'; form-action 'none'; object-src 'none'; upgrade-insecure-requests;" always;
|
|
}
|