bunker-admin
c192c04c79
Addresses data exposure, access control, input validation, infrastructure hardening, and supply chain security issues identified during audit. Key changes: - Strip internal fields from public campaign/profile/comment endpoints - Restrict docs routes to CONTENT_ROLES, provisioning to SUPER_ADMIN - Add SSE connection limits, social middleware fail-closed behavior - Bind all non-nginx ports to 127.0.0.1, pin container image versions - Add CSP header, conditional HSTS, token redaction in nginx logs - Validate nav URLs, calendar schemas, video tracking batch events - Reject default admin password placeholder, add SSRF protocol checks - Exclude .env from Code Server, enforce RC admin password in compose - Add Zod validation for achievement grant/revoke, webhook secret header - Fix path traversal prefix attack, add calendar token expiry Bunker Admin
61 lines
2.1 KiB
Nginx Configuration File
61 lines
2.1 KiB
Nginx Configuration File
worker_processes auto;
|
|
error_log /var/log/nginx/error.log warn;
|
|
pid /var/run/nginx.pid;
|
|
|
|
events {
|
|
worker_connections 1024;
|
|
}
|
|
|
|
http {
|
|
include /etc/nginx/mime.types;
|
|
default_type application/octet-stream;
|
|
|
|
# Redact sensitive query parameters (token, secret) from access logs
|
|
map $request_uri $redacted_request {
|
|
~^(?P<path>[^?]*)\?(?P<args>.*token=[^&]*) "$path?<token-redacted>";
|
|
~^(?P<path>[^?]*)\?(?P<args>.*secret=[^&]*) "$path?<secret-redacted>";
|
|
default $request_uri;
|
|
}
|
|
|
|
log_format main '$remote_addr - $remote_user [$time_local] "$request_method $redacted_request $server_protocol" '
|
|
'$status $body_bytes_sent "$http_referer" '
|
|
'"$http_user_agent" "$http_x_forwarded_for"';
|
|
|
|
access_log /var/log/nginx/access.log main;
|
|
|
|
server_tokens off;
|
|
|
|
sendfile on;
|
|
tcp_nopush on;
|
|
tcp_nodelay on;
|
|
keepalive_timeout 65;
|
|
types_hash_max_size 2048;
|
|
client_max_body_size 50m;
|
|
|
|
# Gzip compression
|
|
gzip on;
|
|
gzip_vary on;
|
|
gzip_proxied any;
|
|
gzip_comp_level 6;
|
|
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml;
|
|
|
|
# Only send HSTS when the request arrived over HTTPS (via Pangolin tunnel)
|
|
map $http_x_forwarded_proto $hsts_header {
|
|
https "max-age=31536000; includeSubDomains";
|
|
default "";
|
|
}
|
|
|
|
# Security headers (applied globally — X-Frame-Options set per server block)
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
add_header X-XSS-Protection "1; mode=block" always;
|
|
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
|
add_header Strict-Transport-Security $hsts_header always;
|
|
add_header Permissions-Policy "geolocation=(self), microphone=(), camera=()" always;
|
|
|
|
# Docker internal DNS — enables runtime resolution so nginx starts
|
|
# even when optional services are not running
|
|
resolver 127.0.0.11 valid=30s;
|
|
|
|
include /etc/nginx/conf.d/*.conf;
|
|
}
|