mirror of
https://github.com/seanmorley15/AdventureLog.git
synced 2025-07-18 20:39:36 +02:00
42 lines
No EOL
1.7 KiB
Nginx Configuration File
42 lines
No EOL
1.7 KiB
Nginx Configuration File
worker_processes 1;
|
|
events {
|
|
worker_connections 1024;
|
|
}
|
|
http {
|
|
include /etc/nginx/mime.types;
|
|
default_type application/octet-stream;
|
|
sendfile on;
|
|
keepalive_timeout 65;
|
|
client_max_body_size 100M;
|
|
# The backend is running in the same container, so reference localhost
|
|
upstream django {
|
|
server 127.0.0.1:8000; # Use localhost to point to Gunicorn running internally
|
|
}
|
|
server {
|
|
listen 80;
|
|
server_name localhost;
|
|
location / {
|
|
proxy_pass http://django; # Forward to the upstream block
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
location /static/ {
|
|
alias /code/staticfiles/; # Serve static files directly
|
|
}
|
|
# Serve protected media files with X-Accel-Redirect
|
|
location /protectedMedia/ {
|
|
internal; # Only internal requests are allowed
|
|
alias /code/media/; # This should match Django MEDIA_ROOT
|
|
try_files $uri =404; # Return a 404 if the file doesn't exist
|
|
|
|
# Security headers for all protected files
|
|
add_header Content-Security-Policy "default-src 'self'; script-src 'none'; object-src 'none'; base-uri 'none'" always;
|
|
add_header X-Content-Type-Options nosniff always;
|
|
add_header X-Frame-Options SAMEORIGIN always;
|
|
add_header X-XSS-Protection "1; mode=block" always;
|
|
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
|
}
|
|
}
|
|
} |