# read more here http://tautt.com/best-nginx-configuration-for-security/ # config to don't allow the browser to render the page inside an frame or iframe # and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking # if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options #add_header X-Frame-Options SAMEORIGIN; # when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header, # to disable content-type sniffing on some browsers. # https://www.owasp.org/index.php/List_of_useful_HTTP_headers # currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx # http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx # 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020 #add_header X-Content-Type-Options nosniff; # This header enables the Cross-site scripting (XSS) filter built into most recent web browsers. # It's usually enabled by default anyway, so the role of this header is to re-enable the filter for # this particular website if it was disabled by the user. # https://www.owasp.org/index.php/List_of_useful_HTTP_headers #add_header X-XSS-Protection "1; mode=block"; # with Content Security Policy (CSP) enabled(and a browser that supports it(http://caniuse.com/#feat=contentsecuritypolicy), # you can tell the browser that it can only download content from the domains you explicitly allow # http://www.html5rocks.com/en/tutorials/security/content-security-policy/ # https://www.owasp.org/index.php/Content_Security_Policy # I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval' # directives for css and js(if you have inline css or js, you will need to keep it too). # more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful #add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'"; ## rate limiter for certain pages to prevent brute force attacks limit_req_zone $binary_remote_addr zone=http_req_limit:10m rate=1r/s; ## custom log format log_format http_log_custom '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $request_time $upstream_response_time $pipe'; log_format json_log_custom escape=json '{' '"source":"nginx",' '"remote_user":"$remote_user",' '"time_local":"$time_local",' '"remote_addr":"$remote_addr",' '"proxy_x_forwarded_for":"$proxy_add_x_forwarded_for",' '"request":"$request",' '"status": "$status",' '"request_method": "$request_method",' '"body_bytes_sent":"$body_bytes_sent",' '"request_time":"$request_time",' '"upstream_response_time":"$upstream_response_time",' '"http_referrer":"$http_referer",' '"http_user_agent":"$http_user_agent"' '}'; server { listen 80 default; # ensure we get the proper Docker DNS resolver for load balancing. resolver 127.0.0.11 ipv6=off; server_name localhost 127.0.0.1; access_log /dev/stdout json_log_custom; error_log /dev/stdout; # uncomment to redirect http traffic to https (not applicable in Docker setup) #return 301 https://$host$request_uri; client_body_buffer_size 128k; # maximum number and size of buffers for large headers to read from client request large_client_header_buffers 16 256k; ## serve static files by nginx, recommended location /_static/rhodecode { gzip on; gzip_min_length 500; gzip_proxied any; gzip_comp_level 4; gzip_types text/css text/javascript text/xml text/plain text/x-component application/javascript application/json application/xml application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml; gzip_vary on; gzip_disable "msie6"; expires 60d; alias /var/opt/rhodecode_data/static; } ## channelstream location handler, if channelstream live chat and notifications ## are enable this will proxy the requests to channelstream websocket server location /_channelstream { rewrite /_channelstream/(.*) /$1 break; gzip off; tcp_nodelay off; proxy_connect_timeout 10; proxy_send_timeout 10m; proxy_read_timeout 10m; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Url-Scheme $scheme; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; set $upstream_channelstream http://channelstream:8000; proxy_pass $upstream_channelstream; } # ## rate limit this endpoint to prevent login page brute-force attacks # location /_admin/login { # limit_req zone=http_req_limit burst=10 nodelay; # try_files $uri @rhodecode_http; # } location / { include /etc/nginx/proxy.conf; try_files $uri @rhodecode_http; } location @rhodecode_http { set $upstream http://rhodecode:10020; include /etc/nginx/proxy.conf; proxy_pass $upstream; } ## Custom 502 error page. ## Will be displayed while RhodeCode server is turned off error_page 502 /502.html; location = /502.html { root /var/opt/rhodecode_data/static; internal; } }