hot fix nginx push state routing #2063

Merged
merged 2 commits into from
Apr 21, 2023
Merged
92 changes: 0 additions & 92 deletions includes/cache.conf

This file was deleted.

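--- a/includes/security.conf
+++ b/includes/security.conf
@@ -0,0 +1,15 @@
+## Security
+## Always HTTPS
+add_header Strict-Transport-Security "max-age=31449600; includeSubDomains" always; # 1 year
+## Don't open in Iframe
+add_header X-Frame-Options "DENY" always;
+## No content type autodiscovery
+add_header X-Content-Type-Options "nosniff" always;
+## Don't disclose full url when navigating to links
+add_header Referrer-Policy "strict-origin" always;
+## New Header for features
+## https://www.w3.org/TR/permissions-policy-1/
+add_header Permissions-Policy "microphone=(); geolocation=(self); camera=()" always;
+## CSP
+## TODO: WHEN GOING PROD CHANGE TO Content-Security-Policy
+add_header Content-Security-Policy-Report-Only "default-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline' fonts.googleapis.com *.fontawesome.com; font-src fonts.gstatic.com *.fontawesome.com; script-src 'self'; script-src-elem 'self'; base-uri 'self'; img-src https://* 'self' data:; trusted-types angular; require-trusted-types-for 'script'" always;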
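Review bot: The `Content-Security-Policy-Report-Only` header on the last line carries no `report-to`/`report-uri` directive, so violations are only printed to each browser's devtools console and nothing is collected before the TODO to switch to enforcing mode; add a reporting directive such as `report-uri /csp-report;` (pointing at an endpoint you control) or the report-only phase yields no data to act on. The HSTS `max-age=31449600` on the `Strict-Transport-Security` line is 364 days, not the "1 year" the trailing comment claims; `31536000` is one year and is also the minimum the preload list accepts. While here, consider adding `frame-ancestors 'none'` to the CSP as the modern counterpart of `X-Frame-Options "DENY"`, since browsers that support CSP give `frame-ancestors` precedence over X-Frame-Options once it is present.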
68 changes: 56 additions & 12 deletions nginx.conf
Expand Up @@ -77,26 +77,32 @@ http {
# Directory where static files are located
root {{ env "APP_ROOT" }}/dist/out-of-school;

location / {
# If HTTP request is made, redirect to HTTPS requests
set $updated_host $host;
if ($http_x_forwarded_host != "") {
set $updated_host $http_x_forwarded_host;
}
# If HTTP request is made, redirect to HTTPS requests
set $updated_host $host;
if ($http_x_forwarded_host != "") {
set $updated_host $http_x_forwarded_host;
}

if ($http_x_forwarded_proto != "https") {
return 301 https://$updated_host$request_uri;
}
if ($http_x_forwarded_proto != "https") {
return 301 https://$updated_host$request_uri;
}

location / {
# Send the content at / in response to *any* requested endpoint
if (!-e $request_filename) {
rewrite ^(.*)$ / break;
}

# Specify files sent to client if specific file not requested (e.g.
# GET www.example.com/). NGINX sends first existing file in the list.
index index.html index.htm Default.htm;
index index.html;

add_header Cache-Control "no-store, no-cache, public, must-revalidate, proxy-revalidate, max-age=0";
add_header Pragma "no-cache";
etag off;
if_modified_since off;
expires -1;

include {{ env "APP_ROOT" }}/includes/*.conf;
include {{ env "APP_ROOT" }}/includes/security.conf;
}

# (Security) Don't serve dotfiles, except .well-known/, which is needed by
Expand All @@ -105,5 +111,43 @@ http {
deny all;
return 404;
}

location ~* \.(?:json)$ {
add_header Cache-Control "no-store, no-cache, public, must-revalidate, proxy-revalidate, max-age=0";
add_header Pragma "no-cache";
etag off;
if_modified_since off;
expires -1;

include {{ env "APP_ROOT" }}/includes/security.conf;
}

location ~* \.(?:css|js)$ {
add_header Cache-Control "public, max-age=2628000"; # 1 month

include {{ env "APP_ROOT" }}/includes/security.conf;
}

location ~* \.(?:jpg|jpeg|gif|png|ico|xml|webp|svg)$ {
add_header Cache-Control "public, max-age=86400"; # 1 day

include {{ env "APP_ROOT" }}/includes/security.conf;
}

location ~* \.(?:eot|woff|woff2|ttf|otf) {
add_header Cache-Control "public, max-age=2628000"; # 1 month

# TODO: Allow CORS requests for fonts?
add_header Access-Control-Allow-Origin *;

types {font/opentype otf;}
types {application/vnd.ms-fontobject eot;}
types {font/truetype ttf;}
types {application/font-woff woff;}
types {font/x-woff woff2;}
types {image/svg+xml svg svgz;}

include {{ env "APP_ROOT" }}/includes/security.conf;
}
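Review bot: The HTTPS redirect in the first hunk builds its Location target from the client-controlled `X-Forwarded-Host` header (falling back to `$host`), so any request that reaches this server block without a trusted proxy overwriting those headers can be bounced to an attacker-chosen host with `X-Forwarded-Host: evil.example`, i.e. an open redirect. If the deployment guarantees a proxy in front that always rewrites `X-Forwarded-Host`/`X-Forwarded-Proto`, say so above the `set $updated_host $host;` line, e.g. `# NOTE: trusts X-Forwarded-Host/-Proto; only safe behind a proxy that overwrites them`; otherwise redirect to a fixed name, e.g. `return 301 https://$server_name$request_uri;`, and drop the `$updated_host` logic. The enclosing `server` block starts and ends outside this hunk, so I cannot see whether `server_name` is set to a single explicit host that would make that form safe.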
}
}