upstream django { server web:8000; } # ── Rate limiting ────────────────────────────────────────── # Zone globale : 10 req/s par IP limit_req_zone $binary_remote_addr zone=global:10m rate=10r/s; # Zone stricte pour les formulaires : 2 req/min par IP limit_req_zone $binary_remote_addr zone=forms:10m rate=2r/m; # ── HTTP → HTTPS redirect ────────────────────────────────── server { listen 80; server_name jool-international.com www.jool-international.com; # Let's Encrypt challenge location /.well-known/acme-challenge/ { root /var/www/certbot; } location / { return 301 https://$host$request_uri; } } # ── HTTPS ────────────────────────────────────────────────── server { listen 443 ssl; http2 on; server_name jool-international.com www.jool-international.com; # ── SSL ──────────────────────────────────────────────── ssl_certificate /etc/letsencrypt/live/jool-international.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/jool-international.com/privkey.pem; include /etc/letsencrypt/options-ssl-nginx.conf; ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # ── Sécurité générale ─────────────────────────────────── server_tokens off; # cache la version de Nginx client_max_body_size 10M; limit_req zone=global burst=20 nodelay; # rate limit global # ── Headers de sécurité ───────────────────────────────── add_header Strict-Transport-Security "max-age=3600; includeSubDomains" always; add_header X-Content-Type-Options "nosniff" always; add_header X-Frame-Options "DENY" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always; add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' fonts.googleapis.com; style-src 'self' 'unsafe-inline' fonts.googleapis.com; font-src 'self' fonts.gstatic.com; img-src 'self' data:; frame-ancestors 'none';" always; # ── Fichiers statiques ────────────────────────────────── location /static/ { alias /app/staticfiles/; expires 30d; add_header Cache-Control "public, immutable"; access_log off; } # ── CVs uploadés : jamais accessibles en direct ───────── location /media/careers/cvs/ { deny all; return 404; } # ── Autres fichiers media ─────────────────────────────── location /media/ { alias /app/media/; expires 7d; add_header Cache-Control "public"; access_log off; } # ── Admin Django : rate limit strict ─────────────────── location /admin/ { limit_req zone=forms burst=5 nodelay; proxy_pass http://django; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_redirect off; } # ── Formulaires (contact + candidature) ──────────────── location ~ ^/(contact|careers/.+/apply)/ { limit_req zone=forms burst=3 nodelay; proxy_pass http://django; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_redirect off; proxy_read_timeout 60s; } # ── Application Django (général) ──────────────────────── location / { proxy_pass http://django; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_redirect off; proxy_read_timeout 60s; } }