ssl ready configuration

chenkianwee · May 25, 2023 · f3ff45c · f3ff45c
1 parent dccb260
commit f3ff45c
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 3 deletions.
diff --git a/nginx/security_header.conf b/nginx/security_header.conf
@@ -0,0 +1,8 @@
+# Security headers
+add_header Strict-Transport-Security "max-age=300;" always;
+# add_header Strict-Transport-Security "max-age=300; includeSubDomains; preload";
+add_header X-Frame-Options DENY;
+add_header X-Content-Type-Options nosniff;
+# add_header Content-Security-Policy "default-src 'self';";
+add_header X-XSS-Protection "1; mode=block";
+add_header Referrer-Policy "origin";
diff --git a/nginx/yun2inf.conf b/nginx/yun2inf.conf
@@ -1,3 +1,4 @@
+#server_tokens   off;
 map $http_upgrade $connection_upgrade {
   default upgrade;
   '' close;
@@ -16,6 +17,8 @@ server {
     location / {
         proxy_pass		   http://yun2inf_proj:8000;
         proxy_set_header   HOST $host;
+        #proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+        #proxy_set_header   X-Forwarded-Proto $scheme;
     }
 
     location /static {
@@ -29,14 +32,15 @@ server {
     proxy_read_timeout  240;
 
     proxy_set_header   Host $host;
-    #proxy_set_header   X-Real-IP $remote_addr;
     #proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
     #proxy_set_header   X-Forwarded-Proto $scheme;
     }
 
     location /grafana/ {
 	proxy_set_header Host $http_host;
 	proxy_pass http://grafana/;
+	#proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+    #proxy_set_header   X-Forwarded-Proto $scheme;
     }
 
     # Proxy Grafana Live WebSocket connections.

diff --git a/shellscript/setup_yun2inf.sh b/shellscript/setup_yun2inf.sh
@@ -97,7 +97,8 @@ echo '--------------------------------'
 #=======================================================================
 # CONFIGURE THE REVERSE PROXY OF NGINX
 #=======================================================================
-echo "map \$http_upgrade \$connection_upgrade {
+echo "#server_tokens   off;
+map \$http_upgrade \$connection_upgrade {
   default upgrade;
   '' close;
 }
@@ -115,6 +116,8 @@ server {
     location / {
         proxy_pass		   http://$CONTAINERNAME4:8000;
         proxy_set_header   HOST \$host;
+        #proxy_set_header   X-Forwarded-For \$proxy_add_x_forwarded_for;
+        #proxy_set_header   X-Forwarded-Proto \$scheme;
     }
     
     location /static {
@@ -128,14 +131,15 @@ server {
     proxy_read_timeout  240;
 
     proxy_set_header   Host \$host;
-    #proxy_set_header   X-Real-IP \$remote_addr;
     #proxy_set_header   X-Forwarded-For \$proxy_add_x_forwarded_for;
     #proxy_set_header   X-Forwarded-Proto \$scheme;
     }
     
     location /grafana/ {
 	proxy_set_header Host \$http_host;
 	proxy_pass http://grafana/;
+	#proxy_set_header   X-Forwarded-For \$proxy_add_x_forwarded_for;
+    #proxy_set_header   X-Forwarded-Proto \$scheme;
     }
     
     # Proxy Grafana Live WebSocket connections.
@@ -257,6 +261,7 @@ docker run -d --name "$CONTAINERNAME5"\
     nginx:1.24-alpine3.17-slim
 
 docker cp yun2inf.conf "$CONTAINERNAME5":/etc/nginx/conf.d/nginx.conf
+docker cp ../nginx/security_header.conf "$CONTAINERNAME5":/etc/nginx/security_header.conf
 docker exec -it "$CONTAINERNAME5" rm /etc/nginx/conf.d/default.conf
 docker restart "$CONTAINERNAME5"
 mv yun2inf.conf ../nginx/yun2inf.conf