First commit
This commit is contained in:
@@ -0,0 +1,90 @@
|
||||
# Configuration nginx pour LOGIS
|
||||
# Copier dans : /etc/nginx/sites-available/logis
|
||||
# Puis : ln -s /etc/nginx/sites-available/logis /etc/nginx/sites-enabled/
|
||||
# SSL fourni par : certbot --nginx -d your-domain.com
|
||||
|
||||
# Rate-limit sur le formulaire de contact : 10 requêtes/min par IP
|
||||
limit_req_zone $binary_remote_addr zone=contact:10m rate=10r/m;
|
||||
|
||||
# Redirection HTTP → HTTPS
|
||||
server {
|
||||
listen 80;
|
||||
listen [::]:80;
|
||||
server_name your-domain.com;
|
||||
|
||||
location /.well-known/acme-challenge/ {
|
||||
root /var/www/html;
|
||||
}
|
||||
|
||||
location / {
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
# Serveur HTTPS principal
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
server_name your-domain.com;
|
||||
|
||||
# Certificats SSL (générés par certbot)
|
||||
ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem;
|
||||
include /etc/letsencrypt/options-ssl-nginx.conf;
|
||||
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
||||
|
||||
# Sécurité des en-têtes
|
||||
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
||||
add_header X-Content-Type-Options nosniff always;
|
||||
add_header X-Frame-Options DENY always;
|
||||
add_header X-XSS-Protection "1; mode=block" always;
|
||||
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
||||
|
||||
# Taille max des uploads (photos haute résolution)
|
||||
client_max_body_size 25M;
|
||||
|
||||
# Fichiers statiques servis directement par nginx
|
||||
location /static/ {
|
||||
alias /path/to/LOGIS/staticfiles/;
|
||||
expires 30d;
|
||||
add_header Cache-Control "public, immutable";
|
||||
access_log off;
|
||||
}
|
||||
|
||||
# Fichiers médias (photos uploadées)
|
||||
location /media/ {
|
||||
alias /path/to/LOGIS/media/;
|
||||
expires 7d;
|
||||
add_header Cache-Control "public";
|
||||
access_log off;
|
||||
}
|
||||
|
||||
# Scans automatiques — drop silencieux (pas de réponse)
|
||||
location ~* \.(php|asp|aspx|jsp|cgi|pl|sh|bash|env|git|svn|htaccess)$ {
|
||||
return 444;
|
||||
}
|
||||
location ~* ^/(cgi-bin|vendor|phpunit|Autodiscover|autodiscover|wp-admin|wp-login|phpmyadmin|admin\.php|xmlrpc\.php|shell|config|\.well-known/(?!acme)) {
|
||||
return 444;
|
||||
}
|
||||
|
||||
# Rate-limit sur l'endpoint de contact (fr + en)
|
||||
location ~* ^/(en/)?contact/ {
|
||||
limit_req zone=contact burst=5 nodelay;
|
||||
proxy_pass http://127.0.0.1:8091;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
}
|
||||
|
||||
# Proxy vers Gunicorn (port 8091)
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:8091;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_read_timeout 120s;
|
||||
proxy_buffering on;
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user