91 lines
3.2 KiB
Plaintext
91 lines
3.2 KiB
Plaintext
# Configuration nginx pour LOGIS
|
|
# Copier dans : /etc/nginx/sites-available/logis
|
|
# Puis : ln -s /etc/nginx/sites-available/logis /etc/nginx/sites-enabled/
|
|
# SSL fourni par : certbot --nginx -d your-domain.com
|
|
|
|
# Rate-limit sur le formulaire de contact : 10 requêtes/min par IP
|
|
limit_req_zone $binary_remote_addr zone=contact:10m rate=10r/m;
|
|
|
|
# Redirection HTTP → HTTPS
|
|
server {
|
|
listen 80;
|
|
listen [::]:80;
|
|
server_name your-domain.com;
|
|
|
|
location /.well-known/acme-challenge/ {
|
|
root /var/www/html;
|
|
}
|
|
|
|
location / {
|
|
return 301 https://$host$request_uri;
|
|
}
|
|
}
|
|
|
|
# Serveur HTTPS principal
|
|
server {
|
|
listen 443 ssl;
|
|
listen [::]:443 ssl;
|
|
server_name your-domain.com;
|
|
|
|
# Certificats SSL (générés par certbot)
|
|
ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem;
|
|
ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem;
|
|
include /etc/letsencrypt/options-ssl-nginx.conf;
|
|
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
|
|
|
|
# Sécurité des en-têtes
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
|
|
add_header X-Content-Type-Options nosniff always;
|
|
add_header X-Frame-Options DENY always;
|
|
add_header X-XSS-Protection "1; mode=block" always;
|
|
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
|
|
|
# Taille max des uploads (photos haute résolution)
|
|
client_max_body_size 25M;
|
|
|
|
# Fichiers statiques servis directement par nginx
|
|
location /static/ {
|
|
alias /path/to/LOGIS/staticfiles/;
|
|
expires 30d;
|
|
add_header Cache-Control "public, immutable";
|
|
access_log off;
|
|
}
|
|
|
|
# Fichiers médias (photos uploadées)
|
|
location /media/ {
|
|
alias /path/to/LOGIS/media/;
|
|
expires 7d;
|
|
add_header Cache-Control "public";
|
|
access_log off;
|
|
}
|
|
|
|
# Scans automatiques — drop silencieux (pas de réponse)
|
|
location ~* \.(php|asp|aspx|jsp|cgi|pl|sh|bash|env|git|svn|htaccess)$ {
|
|
return 444;
|
|
}
|
|
location ~* ^/(cgi-bin|vendor|phpunit|Autodiscover|autodiscover|wp-admin|wp-login|phpmyadmin|admin\.php|xmlrpc\.php|shell|config|\.well-known/(?!acme)) {
|
|
return 444;
|
|
}
|
|
|
|
# Rate-limit sur l'endpoint de contact (fr + en)
|
|
location ~* ^/(en/)?contact/ {
|
|
limit_req zone=contact burst=5 nodelay;
|
|
proxy_pass http://127.0.0.1:8091;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
|
|
# Proxy vers Gunicorn (port 8091)
|
|
location / {
|
|
proxy_pass http://127.0.0.1:8091;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_read_timeout 120s;
|
|
proxy_buffering on;
|
|
}
|
|
}
|