documentation/nginx-runtime.conf at main · paxapos/documentation · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
server {
    listen 8080;

    # Multi-dominio: acepta cualquier host (white-labeling via variables de entorno)
    server_name _;

    root /usr/share/nginx/html;
    index index.html;

    # Charset y tokens
    charset utf-8;
    server_tokens off;

    # ─── Variables de entorno (usadas por sub_filter) ─────────
    set $brand_name "${BRAND_NAME}";
    set $system_url "${SYSTEM_URL}";
    set $company_name "${COMPANY_NAME}";

    # ─── Compresión gzip ──────────────────────────────────────
    gzip on;
    gzip_vary on;
    gzip_min_length 1024;
    gzip_comp_level 6;
    gzip_types
        text/plain
        text/css
        text/xml
        text/javascript
        application/javascript
        application/xml+rss
        application/json
        application/manifest+json
        image/svg+xml;

    # ─── Headers de seguridad (global) ────────────────────────
    # CSP: script-src 'self' permite solo scripts propios.
    # style-src necesita 'unsafe-inline' porque SvelteKit genera estilos inline.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "0" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=()" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self'; frame-ancestors 'self'" always;

    # ─── config.js — sub_filter para white-labeling ───────────
    location = /config.js {
        if ($brand_name = "") {
            return 503 "ERROR: BRAND_NAME no configurada";
        }
        if ($system_url = "") {
            return 503 "ERROR: SYSTEM_URL no configurada";
        }

        # Sin cache para que sub_filter funcione siempre
        add_header Cache-Control "no-store, no-cache, must-revalidate";
        add_header Pragma "no-cache";
        expires -1;

        sub_filter_once off;
        sub_filter_types application/javascript;
        sub_filter '{{BRAND_NAME}}' '$brand_name';
        sub_filter '{{SYSTEM_URL}}' '$system_url';
        sub_filter '{{COMPANY_NAME}}' '$company_name';
    }

    # ─── SPA fallback ─────────────────────────────────────────
    location / {
        try_files $uri $uri/ $uri.html /index.html;
    }

    # ─── Cache de assets estáticos (1 año, inmutable) ─────────
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
        access_log off;
    }

    # ─── Health check ─────────────────────────────────────────
    location /health {
        access_log off;
        return 200 "healthy\n";
        add_header Content-Type text/plain;
    }

    # ─── Bloqueo de archivos sensibles ────────────────────────
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }

    # ─── Logging ──────────────────────────────────────────────
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log warn;

    # ─── Error pages ──────────────────────────────────────────
    error_page 404 /index.html;
    error_page 500 502 503 504 /index.html;
}