security stuff

conf.d/pif-elog.conf

@@ -7,12 +7,19 @@ server {
 server {
     listen 443 ssl;
     server_name pif-elog.psi.ch;
+    
+    client_max_body_size 64M;
+    sendfile            on;
+    tcp_nopush          on;
+    tcp_nodelay         on;
+    keepalive_timeout   65;
+    types_hash_max_size 4096;
 
     ssl_certificate /etc/nginx/certs/pif-elog.psi.ch.crt;
     ssl_certificate_key /etc/nginx/private/pif-elog.psi.ch.key;
 
     location / {
-        proxy_pass http://pif-elog:8080;
+        proxy_pass https://pif-elog:8080;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

nginx.conf

@@ -12,11 +12,18 @@ http {
     include       /etc/nginx/mime.types;
     default_type  application/octet-stream;
 
+    add_header X-Content-Type-Options nosniff;
+    add_header X-Frame-Options DENY;
+    add_header X-XSS-Protection "1; mode=block";
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; # HSTS
+    add_header Referrer-Policy no-referrer-when-downgrade;  # Referrer policy
+
     log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                       '$status $body_bytes_sent "$http_referer" '
                       '"$http_user_agent" "$http_x_forwarded_for"';
 
     access_log  /var/log/nginx/access.log  main;
+
     sendfile        on;
     keepalive_timeout  65;
     include /etc/nginx/conf.d/*.conf;