From 07685910772442376bc16b092c1ab9e72d94fc9c Mon Sep 17 00:00:00 2001
From: Basil Bruhn
Date: Tue, 5 Nov 2024 14:22:23 +0100
Subject: [PATCH] security stuff
---
 conf.d/pif-elog.conf | 9 ++++++++-
 nginx.conf | 7 +++++++
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/conf.d/pif-elog.conf b/conf.d/pif-elog.conf
index 7e34588..e84b6e5 100644
--- a/conf.d/pif-elog.conf
+++ b/conf.d/pif-elog.conf
@@ -7,12 +7,19 @@ server {
 server {
 listen 443 ssl;
 server_name pif-elog.psi.ch;
+
+ client_max_body_size 64M;
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 4096;
 ssl_certificate /etc/nginx/certs/pif-elog.psi.ch.crt;
 ssl_certificate_key /etc/nginx/private/pif-elog.psi.ch.key;
 location / {
- proxy_pass http://pif-elog:8080;
+ proxy_pass https://pif-elog:8080;
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
diff --git a/nginx.conf b/nginx.conf
index b6beae7..0ec6276 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -12,11 +12,18 @@ http {
 include /etc/nginx/mime.types;
 default_type application/octet-stream;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-Frame-Options DENY;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; # HSTS
+ add_header Referrer-Policy no-referrer-when-downgrade; # Referrer policy
+
 log_format main '$remote_addr - $remote_user [$time_local] "$request" '
 '$status $body_bytes_sent "$http_referer" '
 '"$http_user_agent" "$http_x_forwarded_for"';
 access_log /var/log/nginx/access.log main;
+ sendfile on;
 keepalive_timeout 65;
 include /etc/nginx/conf.d/*.conf;
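Review bot: `proxy_pass https://pif-elog:8080;` encrypts the hop to the backend but does not authenticate it, because `proxy_ssl_verify` defaults to off and no trust anchor is configured, so any certificate presented on pif-elog:8080 is accepted. Add, next to the proxy_pass line, `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate /etc/nginx/certs/PLACEHOLDER-backend-ca.crt;` and `proxy_ssl_server_name on;` (the path is a placeholder for the CA bundle that signed the backend certificate). Hostname verification uses `proxy_ssl_name`, which defaults to the host in proxy_pass, so the backend certificate must be valid for `pif-elog` or `proxy_ssl_name` must be set to the name it actually carries. If the pif-elog container still serves plain HTTP on 8080 this change will surface as 502s, so confirm the backend side was switched as well; the `keepalive_timeout 65;` added in this server block also duplicates the http-level value and can be dropped. The server block's closing brace lies outside the hunk.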
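Review bot: The five `add_header` lines added after `default_type` are dropped in any `server` or `location` block that declares its own `add_header`, because nginx inherits add_header from the enclosing level only when the current level defines none, so a single per-location header in conf.d silently removes nosniff, DENY and HSTS for that location. Only the HSTS line carries `always`; the other four are emitted solely on 2xx/3xx responses, so 4xx/5xx pages go out without the frame and MIME protections. `X-XSS-Protection "1; mode=block"` enables a filter that current browsers have removed and that has had its own issues; the usual recommendation is `0` together with a Content-Security-Policy, and `no-referrer-when-downgrade` still sends the full URL to cross-origin HTTPS destinations where `strict-origin-when-cross-origin` is the common tightening. The rewritten lines below add `always` throughout and a comment on the inheritance rule; the `http` block continues outside the hunk.

```nginx
    default_type application/octet-stream;

    # add_header is not merged across levels: any server/location block that
    # declares its own add_header must repeat these (or include a shared snippet).
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options DENY always;
    add_header X-XSS-Protection "0" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; # HSTS
    add_header Referrer-Policy strict-origin-when-cross-origin always;

    # … unchanged: log_format, access_log, sendfile, keepalive_timeout, include …
```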