feat(nginx): add hardened nginx app with security improvements

- Rate limiting (10 req/s per IP, burst 20) - Modern security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy) - Request body size limits (50m) - Fixed header inheritance bug in static files location block - Removed unused form fields (NGINX_INTERNAL_PORT, NGINX_ENABLE_ACCESS_LOG) - SSL handled by Runtipi reverse proxy Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-12 11:00:24 +01:00
parent 698bccf49d
commit 430f6e2baa
10 changed files with 422 additions and 0 deletions
--- a/apps/nginx/data/nginx.conf
+++ b/apps/nginx/data/nginx.conf
@@ -0,0 +1,46 @@
+user  nginx;
+worker_processes  auto;
+
+error_log  /var/log/nginx/error.log notice;
+pid        /var/run/nginx.pid;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile        on;
+    tcp_nopush      on;
+    tcp_nodelay     on;
+
+    keepalive_timeout  65;
+
+    # Limiter la taille des requetes
+    client_max_body_size 50m;
+    client_body_buffer_size 16k;
+
+    # Rate limiting (10 req/s par IP)
+    limit_req_zone $binary_remote_addr zone=general:10m rate=10r/s;
+    limit_req_status 429;
+
+    gzip  on;
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_comp_level 6;
+    gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
+
+    # Securite de base
+    server_tokens off;
+
+    # Inclure les configurations des sites
+    include /etc/nginx/conf.d/*.conf;
+}