Support/runtipi-appstore
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

feat(nginx): add hardened nginx app with security improvements
Some checks failed
Test / test (push) Has been cancelled
Details

Browse Source 
- Rate limiting (10 req/s per IP, burst 20)
- Modern security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy)
- Request body size limits (50m)
- Fixed header inheritance bug in static files location block
- Removed unused form fields (NGINX_INTERNAL_PORT, NGINX_ENABLE_ACCESS_LOG)
- SSL handled by Runtipi reverse proxy

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Gui-Gos
2026-02-12 11:00:24 +01:00
parent 698bccf49d
commit 430f6e2baa
10 changed files with 422 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
apps/nginx/data/conf.d/default.conf Normal file
View File

@@ -0,0 +1,42 @@
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
root /usr/share/nginx/html;
index index.html index.htm;
# Headers de securite
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
# Rate limiting (burst de 20 requetes autorise)
limit_req zone=general burst=20 nodelay;
location / {
try_files $uri $uri/ =404;
}
# Desactiver l'acces aux fichiers caches
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
# Cache pour les fichiers statiques
# Note: on utilise uniquement "expires" ici pour ne pas ecraser
# les headers de securite du bloc server (comportement add_header de nginx)
location ~* \.(jpg|jpeg|png|gif|ico|css|js|pdf|txt|woff|woff2|ttf|svg)$ {
expires 7d;
}
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}

110
apps/nginx/data/html/index.html Normal file
View File

@@ -0,0 +1,110 @@
<!DOCTYPE html>
<html lang="fr">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Nginx Custom - Runtipi</title>
<style>
* {
margin: 0;
padding: 0;
box-sizing: border-box;
}
body {
font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu, sans-serif;
background: linear-gradient(135deg, #1a1a2e 0%, #16213e 100%);
min-height: 100vh;
display: flex;
align-items: center;
justify-content: center;
color: #e4e4e7;
}
.container {
text-align: center;
padding: 2rem;
max-width: 600px;
}
.logo {
font-size: 4rem;
margin-bottom: 1rem;
}
h1 {
font-size: 2.5rem;
margin-bottom: 0.5rem;
background: linear-gradient(90deg, #4ade80, #22d3ee);
-webkit-background-clip: text;
-webkit-text-fill-color: transparent;
}
.subtitle {
color: #a1a1aa;
margin-bottom: 2rem;
}
.card {
background: rgba(255, 255, 255, 0.05);
border: 1px solid rgba(255, 255, 255, 0.1);
border-radius: 12px;
padding: 1.5rem;
margin-bottom: 1rem;
text-align: left;
}
.card h3 {
color: #4ade80;
margin-bottom: 0.5rem;
}
.card code {
background: rgba(0, 0, 0, 0.3);
padding: 0.2rem 0.5rem;
border-radius: 4px;
font-size: 0.9rem;
}
.paths {
margin-top: 1rem;
font-size: 0.9rem;
}
.paths li {
list-style: none;
padding: 0.3rem 0;
border-bottom: 1px solid rgba(255, 255, 255, 0.05);
}
.paths li:last-child {
border-bottom: none;
}
.badge {
display: inline-block;
background: #22d3ee;
color: #1a1a2e;
padding: 0.2rem 0.6rem;
border-radius: 20px;
font-size: 0.75rem;
font-weight: 600;
margin-left: 0.5rem;
}
</style>
</head>
<body>
<div class="container">
<div class="logo">🚀</div>
<h1>Nginx Custom</h1>
<p class="subtitle">Votre serveur Nginx est opérationnel !</p>
<div class="card">
<h3>📁 Emplacements des fichiers</h3>
<ul class="paths">
<li><code>/etc/nginx/conf.d/</code> - Configurations des sites</li>
<li><code>/var/www/</code> - Contenu de vos sites</li>
<li><code>/usr/share/nginx/html/</code> - Dossier HTML par défaut</li>
<li><code>/var/log/nginx/</code> - Logs</li>
</ul>
</div>
<div class="card">
<h3>🛠️ Prochaines étapes</h3>
<p>Remplacez cette page par votre propre contenu dans le dossier <code>app-data</code> de Runtipi.</p>
</div>
<p style="margin-top: 2rem; color: #71717a; font-size: 0.85rem;">
Nginx <span class="badge">latest</span> • Runtipi App
</p>
</div>
</body>
</html>

0
apps/nginx/data/logs/.gitkeep Normal file
View File

46
apps/nginx/data/nginx.conf Normal file
View File

@@ -0,0 +1,46 @@
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
# Limiter la taille des requetes
client_max_body_size 50m;
client_body_buffer_size 16k;
# Rate limiting (10 req/s par IP)
limit_req_zone $binary_remote_addr zone=general:10m rate=10r/s;
limit_req_status 429;
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
# Securite de base
server_tokens off;
# Inclure les configurations des sites
include /etc/nginx/conf.d/*.conf;
}

0
apps/nginx/data/ssl/.gitkeep Normal file
View File

0
apps/nginx/data/www/.gitkeep Normal file
View File