summaryrefslogtreecommitdiff
path: root/git.rulkc.org/nginx/beta.landau.one
diff options
context:
space:
mode:
Diffstat (limited to 'git.rulkc.org/nginx/beta.landau.one')
-rw-r--r--git.rulkc.org/nginx/beta.landau.one77
1 files changed, 77 insertions, 0 deletions
diff --git a/git.rulkc.org/nginx/beta.landau.one b/git.rulkc.org/nginx/beta.landau.one
new file mode 100644
index 0000000..714c75f
--- /dev/null
+++ b/git.rulkc.org/nginx/beta.landau.one
@@ -0,0 +1,77 @@
+server {
+ server_name beta.landau.one;
+ listen 443 ssl http2; # managed by Certbot
+
+ root /home/landaudeploy/landau_suite/deploy/public;
+ disable_symlinks off;
+ index index.html;
+
+ server_tokens off;
+ charset utf-8;
+
+ access_log /var/log/nginx/landau.one.beta.access.log;
+ error_log /var/log/nginx/landau.one.beta.error.log warn;
+
+ # Security headers
+ add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+ add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
+ # При необходимости: CSP. Начни с report-only, чтобы не сломать рендер.
+ # add_header Content-Security-Policy "default-src 'self'; img-src 'self' data: https:; style-src 'self' 'unsafe-inline'; script-src 'self'" always;
+
+ # Сжатие
+ gzip on;
+ gzip_vary on;
+ gzip_comp_level 6;
+ gzip_min_length 1024;
+ gzip_types text/plain text/css text/xml application/json application/javascript application/xml+rss image/svg+xml;
+ # Если сборка nginx с brotli — включи и его (brotli on; brotli_types ...)
+
+ location ~ ^/preview/([^/]+)/ {
+ alias /home/landaudeploy/landau_suite/deploy/$1/;
+ index index.html;
+ try_files $uri $uri/ =404;
+ }
+
+ # Чистые URL: /about -> /about.html
+ location / {
+ try_files $uri $uri/ $uri.html =404;
+ }
+
+ # Кеш для хешированных ассетов
+ location ~* \.(?:css|js|woff2?|ttf|otf|eot|svg|jpg|jpeg|png|gif|webp|avif|ico)$ {
+ expires 1m;
+ add_header Cache-Control "no-cache";
+ access_log off;
+ try_files $uri =404;
+ }
+
+ # HTML и корневые манифесты — всегда свежие
+ location ~* \.(?:html|xml|txt|json|webmanifest)$ {
+ expires -1;
+ add_header Cache-Control "no-cache";
+ }
+
+ # Запрет скрытых файлов
+ location ~ /\.(?!well-known) {
+ deny all;
+ access_log off;
+ log_not_found off;
+ }
+
+ ssl_certificate /etc/letsencrypt/live/git.rulkc.org/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/git.rulkc.org/privkey.pem; # managed by Certbot
+ include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+ ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+}
+
+server {
+ if ($host = beta.landau.one) {
+ return 301 https://$host$request_uri;
+ } # managed by Certbot
+ listen 80;
+ server_name beta.landau.one;
+ return 404; # managed by Certbot
+}