-
Notifications
You must be signed in to change notification settings - Fork 6
Expand file tree
/
Copy pathnginx.conf
More file actions
45 lines (38 loc) · 1.1 KB
/
Copy pathnginx.conf
File metadata and controls
45 lines (38 loc) · 1.1 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
server {
listen 80;
server_tokens off; # Hide Nginx version
# Serve Static Assets
location / {
root /usr/share/nginx/html;
index index.html index.htm;
try_files $uri $uri/ /index.html;
}
# Proxy API requests to backend
location /api/ {
proxy_pass http://rf-engine:5001/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# --- Security Hardening ---
# Block access to hidden files (except .well-known)
location ~ /\.(?!well-known) {
access_log off;
return 444;
}
# Block PHP requests (we are not a PHP app)
location ~ \.php$ {
access_log off;
return 444;
}
# Block common malicious paths (WordPress, etc.)
location ~ ^/(admin|wp-admin|wordpress|wp-content|cgi-bin|\.env|\.git) {
access_log off;
return 444;
}
# Block sensitive file extensions
location ~ \.(env|config|bak|sql|ini|log|sh|inc|swp|dist)$ {
access_log off;
return 444;
}
}