diff --git a/docker/web/Dockerfile b/docker/web/Dockerfile index d6eac3e..9e620af 100644 --- a/docker/web/Dockerfile +++ b/docker/web/Dockerfile @@ -1,3 +1,3 @@ -FROM nginx +FROM nginx:alpine COPY nginx.conf /etc/nginx/nginx.conf diff --git a/docker/web/nginx.conf b/docker/web/nginx.conf index 86aa17b..e7e3da4 100644 --- a/docker/web/nginx.conf +++ b/docker/web/nginx.conf @@ -1,4 +1,3 @@ -user www-data; worker_processes 1; error_log /var/log/nginx/error.log warn; @@ -25,6 +24,11 @@ keepalive_timeout 65; + set_real_ip_from 10.0.0.0/8; + set_real_ip_from 172.16.0.0/12; + set_real_ip_from 192.168.0.0/16; + real_ip_header X-Real-IP; + #gzip on; upstream php-handler { @@ -51,14 +55,7 @@ add_header X-Download-Options noopen; add_header X-Permitted-Cross-Domain-Policies none; add_header Referrer-Policy no-referrer; - - # Remove X-Powered-By, which is an information leak - fastcgi_hide_header X-Powered-By; - # Remove X-Powered-By, which is an information leak - fastcgi_hide_header X-Powered-By; - - # Path to the root of your installation root /var/www/html; location = /robots.txt { @@ -67,6 +64,9 @@ access_log off; } + # Remove X-Powered-By, which is an information leak + fastcgi_hide_header X-Powered-By; + # The following 2 rules are only needed for the user_webfinger app. # Uncomment it if you're planning to use this app. #rewrite ^/.well-known/host-meta /public.php?service=host-meta last; @@ -97,7 +97,7 @@ #pagespeed off; location / { - rewrite ^ /index.php$uri; + rewrite ^ /index.php$request_uri; } location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ { @@ -129,7 +129,7 @@ # Adding the cache control header for js and css files # Make sure it is BELOW the PHP block location ~ \.(?:css|js|woff|svg|gif)$ { - try_files $uri /index.php$uri$is_args$args; + try_files $uri /index.php$request_uri; add_header Cache-Control "public, max-age=15778463"; # Add headers to serve security related headers (It is intended to # have those duplicated to the ones above) 
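Review bot: `FROM nginx:alpine` is still a floating tag, so every rebuild can pull a different nginx and Alpine base without any change in this repository. Pin the base to a release tag and ideally a digest, e.g. `FROM nginx:<version>-alpine@sha256:<digest>` (placeholders; take the values from the image you actually tested), and bump it deliberately. Because the nginx.conf hunk in this same commit drops `user www-data;`, a comment here naming the account the workers run as would also help; presumably it is the image's built-in default, which this diff does not show.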
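Review bot: The three `set_real_ip_from` lines trust all of RFC 1918, so any peer with a private address, including every other container on the same Docker network, can choose the client address nginx records by sending an `X-Real-IP` header. That address lands in the access log and, presumably, in whatever the PHP application uses for rate limiting or brute-force throttling, so a spoofed value weakens both. Restrict the trust to the reverse proxy that actually fronts this container, e.g. `set_real_ip_from <proxy-address-or-subnet>;` (placeholder), and add a comment naming that proxy. The fronting proxy must also overwrite, rather than pass through, any client-supplied `X-Real-IP`.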
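Review bot: `$request_uri` in `rewrite ^ /index.php$request_uri;` is the request target exactly as the client sent it, so unlike `$uri` it is neither percent-decoded nor normalised (`..`, repeated slashes), and it already carries the query string. The same substitution is made in the two `try_files $uri /index.php$request_uri;` hunks for the css/js and png/html locations. The PHP location and its `fastcgi_split_path_info` / `PATH_INFO` handling lie outside these hunks, so please confirm they handle the raw form safely and that the path-based deny rule for `build|tests|config|lib|3rdparty|templates|data` still holds for requests routed through `index.php`. A short comment above the rewrite, such as `# $request_uri is raw client input; the PHP block must validate PATH_INFO`, would record that assumption.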
@@ -155,7 +155,7 @@ } location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ { - try_files $uri /index.php$uri$is_args$args; + try_files $uri /index.php$request_uri; # Optional: Don't log access to other assets access_log off; }