# Configuration nginx pour LOGIS # Copier dans : /etc/nginx/sites-available/logis # Puis : ln -s /etc/nginx/sites-available/logis /etc/nginx/sites-enabled/ # SSL fourni par : certbot --nginx -d your-domain.com # Rate-limit sur le formulaire de contact : 10 requêtes/min par IP limit_req_zone $binary_remote_addr zone=contact:10m rate=10r/m; # Redirection HTTP → HTTPS server { listen 80; listen [::]:80; server_name your-domain.com; location /.well-known/acme-challenge/ { root /var/www/html; } location / { return 301 https://$host$request_uri; } } # Serveur HTTPS principal server { listen 443 ssl; listen [::]:443 ssl; server_name your-domain.com; # Certificats SSL (générés par certbot) ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem; include /etc/letsencrypt/options-ssl-nginx.conf; ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # Sécurité des en-têtes add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; add_header X-Content-Type-Options nosniff always; add_header X-Frame-Options DENY always; add_header X-XSS-Protection "1; mode=block" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; # Taille max des uploads (photos haute résolution) client_max_body_size 25M; # Fichiers statiques servis directement par nginx location /static/ { alias /path/to/LOGIS/staticfiles/; expires 30d; add_header Cache-Control "public, immutable"; access_log off; } # Fichiers médias (photos uploadées) location /media/ { alias /path/to/LOGIS/media/; expires 7d; add_header Cache-Control "public"; access_log off; } # Scans automatiques — drop silencieux (pas de réponse) location ~* \.(php|asp|aspx|jsp|cgi|pl|sh|bash|env|git|svn|htaccess)$ { return 444; } location ~* ^/(cgi-bin|vendor|phpunit|Autodiscover|autodiscover|wp-admin|wp-login|phpmyadmin|admin\.php|xmlrpc\.php|shell|config|\.well-known/(?!acme)) { return 444; } # Rate-limit sur l'endpoint de contact (fr + en) location ~* ^/(en/)?contact/ { limit_req zone=contact burst=5 nodelay; proxy_pass http://127.0.0.1:8091; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } # Proxy vers Gunicorn (port 8091) location / { proxy_pass http://127.0.0.1:8091; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_read_timeout 120s; proxy_buffering on; } }