diff --git a/iiko-app.dev.xserver.su.nginx.conf b/iiko-app.dev.xserver.su.nginx.conf new file mode 100644 index 0000000..65b7f90 --- /dev/null +++ b/iiko-app.dev.xserver.su.nginx.conf @@ -0,0 +1,59 @@ +server { + server_name iiko-app.dev.xserver.su; + + # HSTS (защита от понижения HTTPS) + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + + # Защитные заголовки + add_header X-Content-Type-Options nosniff; + add_header X-Frame-Options DENY; + add_header X-XSS-Protection "1; mode=block"; + add_header Referrer-Policy strict-origin-when-cross-origin; + + location / { + allow 80.68.9.83; + allow 185.51.125.202; + + # Локальные сети + allow 192.168.0.0/16; # 192.168.0.0 - 192.168.255.255 + allow 10.0.0.0/8; # 10.0.0.0 - 10.255.255.255 + allow 172.16.0.0/12; # 172.16.0.0 - 172.31.255.255 + + allow fd00::/8; # IPv6 ULA (аналог приватных IPv4) + allow fe80::/10; # IPv6 link-local + + # Localhost + allow 127.0.0.0/8; # 127.0.0.0 - 127.255.255.255 + allow ::1; # IPv6 localhost + + # Docker сети (если используете) + allow 172.17.0.0/16; + allow 172.18.0.0/16; + + deny all; + + proxy_pass http://127.0.0.1:9099; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection keep-alive; + proxy_set_header Host $host; + proxy_cache_bypass $http_upgrade; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + } + + listen 443 ssl; + ssl_certificate /etc/letsencrypt/live/iiko-app.dev.xserver.su/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/iiko-app.dev.xserver.su/privkey.pem; + include /etc/letsencrypt/options-ssl-nginx.conf; + ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; +} + +server { + if ($host = iiko-app.dev.xserver.su) { + return 301 https://$host$request_uri; + } + listen 80; + server_name iiko-app.dev.xserver.su; + return 404; +}