First commit

This commit is contained in:
2026-05-28 23:43:20 +02:00
commit 86cd7854c2
49 changed files with 8504 additions and 0 deletions
+90
View File
@@ -0,0 +1,90 @@
# Configuration nginx pour LOGIS
# Copier dans : /etc/nginx/sites-available/logis
# Puis : ln -s /etc/nginx/sites-available/logis /etc/nginx/sites-enabled/
# SSL fourni par : certbot --nginx -d your-domain.com
# Rate-limit sur le formulaire de contact : 10 requêtes/min par IP
limit_req_zone $binary_remote_addr zone=contact:10m rate=10r/m;
# Redirection HTTP → HTTPS
server {
listen 80;
listen [::]:80;
server_name your-domain.com;
location /.well-known/acme-challenge/ {
root /var/www/html;
}
location / {
return 301 https://$host$request_uri;
}
}
# Serveur HTTPS principal
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name your-domain.com;
# Certificats SSL (générés par certbot)
ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
# Sécurité des en-têtes
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Content-Type-Options nosniff always;
add_header X-Frame-Options DENY always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# Taille max des uploads (photos haute résolution)
client_max_body_size 25M;
# Fichiers statiques servis directement par nginx
location /static/ {
alias /path/to/LOGIS/staticfiles/;
expires 30d;
add_header Cache-Control "public, immutable";
access_log off;
}
# Fichiers médias (photos uploadées)
location /media/ {
alias /path/to/LOGIS/media/;
expires 7d;
add_header Cache-Control "public";
access_log off;
}
# Scans automatiques — drop silencieux (pas de réponse)
location ~* \.(php|asp|aspx|jsp|cgi|pl|sh|bash|env|git|svn|htaccess)$ {
return 444;
}
location ~* ^/(cgi-bin|vendor|phpunit|Autodiscover|autodiscover|wp-admin|wp-login|phpmyadmin|admin\.php|xmlrpc\.php|shell|config|\.well-known/(?!acme)) {
return 444;
}
# Rate-limit sur l'endpoint de contact (fr + en)
location ~* ^/(en/)?contact/ {
limit_req zone=contact burst=5 nodelay;
proxy_pass http://127.0.0.1:8091;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
# Proxy vers Gunicorn (port 8091)
location / {
proxy_pass http://127.0.0.1:8091;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 120s;
proxy_buffering on;
}
}