diff --git a/conf/default.conf b/conf/default.conf
index bc177e9..5584e6f 100644
--- a/conf/default.conf
+++ b/conf/default.conf
@@ -10,7 +10,7 @@ server {
 set $proxy_host theiaconf;
 set $proxy_port 3000;
 include ldap.conf;
- #include secure.conf;
+ include secure.conf;
 include default_proxy.conf;
 }
@@ -18,6 +18,7 @@ server {
 server {
 listen 443 ssl;
 include ssl.conf;
+ include secure.conf;
 include ldap.conf;
 }
\ No newline at end of file
diff --git a/nginx.conf b/nginx.conf
index 3115c76..8b0b032 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -115,6 +115,21 @@ ldap_server fet {
 require valid_user;
 }
 resolver 127.0.0.11 valid=30s; # use the docker resolver as a default
+
+ server {
+ listen 127.0.0.1:8999;
+
+ # Increase the body buffer size, to ensure the internal POSTs can always
+ # parse the full POST contents into memory.
+ client_body_buffer_size 128k;
+ client_max_body_size 128k;
+
+ location / {
+ content_by_lua_block {
+ auto_ssl:hook_server()
+ }
+ }
+ }
 include /etc/nginx/conf.d/*.conf;
 # Don't reveal OpenResty version to clients.
diff --git a/snippets/proxy.conf b/snippets/proxy.conf
index 722d6c5..d507b0f 100644
--- a/snippets/proxy.conf
+++ b/snippets/proxy.conf
@@ -7,10 +7,3 @@ proxy_set_header X-Forwarde-Proto $scheme;
 proxy_set_header X_FORWARDED_SSL on;
 proxy_set_header HTTP_X_FORWARDED_SSL on;
-
-
- add_header Content-Security-Policy "default-src 'self' 'unsafe-inline'";
- add_header X-Content-Type-Options nosniff;
- add_header X-XSS-Protection "1; mode=block";
- add_header Referrer-Policy "strict-origin";
- add_header Strict-Transport-Security "max-age=31536000" always;
\ No newline at end of file
diff --git a/snippets/secure.conf b/snippets/secure.conf
index 65fffad..5e836c1 100644
--- a/snippets/secure.conf
+++ b/snippets/secure.conf
@@ -1,4 +1,4 @@
-include ssl.conf;
+
 add_header Content-Security-Policy "default-src 'self' 'unsafe-inline'";
 add_header X-Content-Type-Options nosniff;
 add_header X-XSS-Protection "1; mode=block";
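Review bot: Enabling `include secure.conf;` in this server block only takes effect where nothing lower down re-declares `add_header`: nginx discards every inherited add_header as soon as a `location` block, or the `default_proxy.conf` included on the very next line, defines one of its own, so the security headers would silently vanish for those responses. Worth grepping `default_proxy.conf` and this server's location blocks for `add_header`, and moving the include into each such location if any is found. The server's `listen` line is outside the hunk, so whether this is the plain-HTTP listener is not visible here; if it is, an HSTS header from secure.conf (the removed copy in proxy.conf carried one) is ignored by browsers over non-TLS, which is harmless but deserves a note. I'd annotate the line: `include secure.conf;  # response security headers; re-include in any location that sets its own add_header`.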
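Review bot: The headers brought in by the new `include secure.conf;` on the 443 server are attached only to 2xx/3xx responses, because nginx's `add_header` skips other status codes unless the directive carries `always`, and the visible secure.conf lines (CSP, nosniff, X-XSS-Protection) have no `always`. Whatever authentication challenge `ldap.conf` emits on this listener (presumably a 401) will therefore go out without them, which is exactly the page an attacker probes first. If every response from this listener is meant to be hardened, add `always` to each directive in secure.conf, e.g. `add_header X-Content-Type-Options nosniff always;`. The file also still ends without a trailing newline after the closing `}`, worth fixing while touching it.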
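Review bot: The new hook server's only access control is its bind address, and nothing in the block says what it is for: `listen 127.0.0.1:8999;` keeps it off external interfaces, but any process sharing the container's network namespace (a sidecar in the same pod, a debug exec) can reach it, and the port has to match whatever `hook_server_port` the `auto_ssl` instance is configured with, which is defined outside this hunk (presumably in an init_by_lua block). The lua-resty-auto-ssl documentation describes how `hook_server()` authenticates its callers; confirm that mechanism is active in this deployment rather than relying on the loopback bind alone. I'd add a header comment above `server {`: `# Internal endpoint for lua-resty-auto-ssl (auto_ssl:hook_server()). Loopback-only; must never be exposed and the port must match hook_server_port in the auto_ssl init.`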
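Review bot: `add_header X-XSS-Protection "1; mode=block";` is now served from every server block, yet the header is deprecated: current browsers ignore it and in older ones the auditor it enables has been abused as a side channel, so the usual advice is `add_header X-XSS-Protection "0";` or dropping the line and relying on the CSP. That CSP, `default-src 'self' 'unsafe-inline'`, permits inline scripts and so leaves reflected XSS largely unmitigated; it is unchanged by this commit, but since this file is now the single source of these headers a comment explaining why `'unsafe-inline'` is required (e.g. `# 'unsafe-inline' needed by the proxied app's inline scripts; TODO move to nonces`) would stop the next maintainer from assuming it is deliberate hardening. The file's first line is now blank where `include ssl.conf;` was; a header such as `# Response security headers shared by all server blocks; TLS settings live in ssl.conf` would document the split. The remainder of secure.conf (Referrer-Policy, HSTS if present) is outside the hunk.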