isracool/JooL_website
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4a5cea4a7fd7b59c9d437e504fc038c592cac625
JooL_website/nginx/nginx.conf
ifaryd 4a5cea4a7f Config docker
2026-05-15 11:20:16 +00:00

114 lines
4.9 KiB
Nginx Configuration File
Raw Blame History

upstream django {
server web:8000;
}
# ── Rate limiting ──────────────────────────────────────────
# Zone globale : 10 req/s par IP
limit_req_zone $binary_remote_addr zone=global:10m rate=10r/s;
# Zone stricte pour les formulaires : 2 req/min par IP
limit_req_zone $binary_remote_addr zone=forms:10m rate=2r/m;
# ── HTTP → HTTPS redirect ──────────────────────────────────
server {
listen 80;
server_name jool-international.com www.jool-international.com;
# Let's Encrypt challenge
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$host$request_uri;
}
}
# ── HTTPS ──────────────────────────────────────────────────
server {
listen 443 ssl;
http2 on;
server_name jool-international.com www.jool-international.com;
# ── SSL ────────────────────────────────────────────────
ssl_certificate /etc/letsencrypt/live/jool-international.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/jool-international.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
# ── Sécurité générale ───────────────────────────────────
server_tokens off; # cache la version de Nginx
client_max_body_size 10M;
limit_req zone=global burst=20 nodelay; # rate limit global
# ── Headers de sécurité ─────────────────────────────────
add_header Strict-Transport-Security "max-age=3600; includeSubDomains" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
add_header Content-Security-Policy
"default-src 'self';
script-src 'self' 'unsafe-inline' fonts.googleapis.com;
style-src 'self' 'unsafe-inline' fonts.googleapis.com;
font-src 'self' fonts.gstatic.com;
img-src 'self' data:;
frame-ancestors 'none';"
always;
# ── Fichiers statiques ──────────────────────────────────
location /static/ {
alias /app/staticfiles/;
expires 30d;
add_header Cache-Control "public, immutable";
access_log off;
}
# ── CVs uploadés : jamais accessibles en direct ─────────
location /media/careers/cvs/ {
deny all;
return 404;
}
# ── Autres fichiers media ───────────────────────────────
location /media/ {
alias /app/media/;
expires 7d;
add_header Cache-Control "public";
access_log off;
}
# ── Admin Django : rate limit strict ───────────────────
location /admin/ {
limit_req zone=forms burst=5 nodelay;
proxy_pass http://django;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect off;
}
# ── Formulaires (contact + candidature) ────────────────
location ~ ^/(contact|careers/.+/apply)/ {
limit_req zone=forms burst=3 nodelay;
proxy_pass http://django;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect off;
proxy_read_timeout 60s;
}
# ── Application Django (général) ────────────────────────
location / {
proxy_pass http://django;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect off;
proxy_read_timeout 60s;
}
}
Reference in New Issue View Git Blame Copy Permalink