-
Notifications
You must be signed in to change notification settings - Fork 155
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
bafc5ec
commit 67c6397
Showing
2 changed files
with
75 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,64 @@ | ||
server { | ||
listen 8989; | ||
server_name localhost; | ||
|
||
server_tokens off; | ||
|
||
include /usr/share/odk/nginx/common-headers.conf; | ||
|
||
client_max_body_size 100m; | ||
|
||
gzip on; | ||
gzip_vary on; | ||
gzip_min_length 1280; | ||
gzip_http_version 1.1; | ||
gzip_types text/plain text/css application/json application/x-javascript text/xml text/csv; | ||
|
||
location /- { | ||
proxy_pass http://localhost:8005; | ||
proxy_redirect off; | ||
proxy_set_header Host $host; | ||
|
||
# More lax CSP for enketo-express: | ||
# Google Maps API: https://developers.google.com/maps/documentation/javascript/content-security-policy | ||
add_header Content-Security-Policy-Report-Only "default-src 'none'; connect-src 'self' blob: https://maps.googleapis.com/maps/ https://maps.google.com/ https://maps.gstatic.com/mapfiles/ https://fonts.gstatic.com/ https://fonts.googleapis.com/; font-src 'self' https://fonts.gstatic.com/; frame-src 'none'; img-src data: blob: jr: 'self' https://maps.google.com/maps/ https://maps.gstatic.com/mapfiles/ https://maps.googleapis.com/maps/; manifest-src 'none'; media-src blob: jr: 'self'; object-src 'none'; script-src 'unsafe-inline' 'self' https://maps.googleapis.com/maps/api/js/ https://maps.google.com/maps/ https://maps.google.com/maps-api-v3/api/js/; style-src 'unsafe-inline' 'self' https://fonts.googleapis.com/css; style-src-attr 'none'; report-uri /csp-report"; | ||
# | ||
# Rules set to 'none' here would fallback to default-src if excluded. | ||
# They are included here to ease interpretation of violation reports. | ||
# | ||
# Other security headers are identical to those in common-headers.conf; | ||
# We can't just include that file here though, as it will set two Content-Security-Policy* headers | ||
add_header Referrer-Policy same-origin; | ||
add_header Strict-Transport-Security "max-age=63072000" always; | ||
add_header X-Frame-Options "SAMEORIGIN"; | ||
add_header X-Content-Type-Options nosniff; | ||
} | ||
|
||
location ~ ^/v\d { | ||
proxy_set_header X-Forwarded-Proto https; | ||
proxy_pass http://localhost:8383; | ||
proxy_redirect off; | ||
|
||
# buffer requests, but not responses, so streaming out works. | ||
proxy_request_buffering on; | ||
proxy_buffering off; | ||
proxy_read_timeout 2m; | ||
} | ||
|
||
location / { | ||
root /usr/share/nginx/html; | ||
|
||
location /version.txt { | ||
include /usr/share/odk/nginx/common-headers.conf; | ||
add_header Cache-Control no-cache; | ||
} | ||
location /index.html { | ||
include /usr/share/odk/nginx/common-headers.conf; | ||
add_header Cache-Control no-cache; | ||
} | ||
} | ||
|
||
location /csp-report { | ||
proxy_pass https://${SENTRY_ORG_SUBDOMAIN}.ingest.sentry.io/api/${SENTRY_PROJECT}/security/?sentry_key=${SENTRY_KEY}; | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters