update base

2024-09-18 00:27:00 +03:00 · 2024-09-18 00:27:00 +03:00 · 651d1cca05
parent 164197ec9c
commit 651d1cca05
6 changed files with 24 additions and 22 deletions
--- a/configuration/_includes.conf
+++ b/configuration/_includes.conf
--- a/configuration/cache.conf
+++ b/configuration/cache.conf
@ -1,12 +1,12 @@
-# proxy_cache all;
-# proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=all:20m max_size=4096m;
-# proxy_cache_key "$host$request_uri$cookie_user";
-# proxy_cache_valid 200 301 302 10m;
-# proxy_cache_valid 502 404 10s;
-# proxy_cache_lock on;
-# proxy_cache_lock_age 10s;
-# proxy_cache_lock_timeout 10s;
-# proxy_ignore_headers "Set-Cookie";
-# proxy_cache_use_stale   error timeout invalid_header updating http_500 http_502 http_503 http_504;
-#proxy_cache_bypass 
-#proxy_no_cache
+proxy_cache all;
+proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=all:20m max_size=4096m;
+proxy_cache_key "$host$request_uri$cookie_user";
+proxy_cache_valid 200 301 302 10m;
+proxy_cache_valid 502 404 10s;
+proxy_cache_lock on;
+proxy_cache_lock_age 10s;
+proxy_cache_lock_timeout 10s;
+proxy_ignore_headers "Set-Cookie";
+proxy_cache_use_stale   error timeout invalid_header updating http_500 http_502 http_503 http_504;
+proxy_cache_bypass 
+proxy_no_cache
--- a/configuration/security.conf
+++ b/configuration/security.conf
@ -5,6 +5,7 @@ add_header Content-Security-Policy   "default-src 'self' http: https: ws: wss: d
 add_header Permissions-Policy        "interest-cohort=()" always;
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

+#Запрещает доступ ко всем скрытым каталогам и файлам, кроме well-known (Let's Encrypt)
 location ~ /\.(?!well-known) {
    deny all;
 }
--- a/sites-enabled/default.conf
+++ b/sites-enabled/default.conf
@ -1,15 +1,15 @@
 server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
-
+    server_name _;
+    
    ssl_certificate     /etc/nginx/ssl/live/softsols.ru/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/live/softsols.ru/privkey.pem;

    root /var/www/html;
+    index index.html index.htm;

-    index index.html index.htm index.nginx-debian.html;
-
-    server_name _;
+    include                 configuration/_includes.conf;

    location / {
        try_files $uri $uri/ =404;
--- a/sites-enabled/example.conf.tplm
+++ b/sites-enabled/example.conf.tplm
@ -11,7 +11,7 @@ server {
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5;

-    include                 configuration/includes.conf;
+    include                 configuration/_includes.conf;

    proxy_redirect off;
    set $proxy_value https://10.10.10.10:10;
@ -39,7 +39,7 @@ server {
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5;

-    include                 configuration/includes.conf;
+    include                 configuration/_includes.conf;

    set $proxy_value http://10.10.10.10:10;
    location / {
--- a/sites-enabled/example.conf.tplm.expanded
+++ b/sites-enabled/example.conf.tplm.expanded
@ -25,7 +25,7 @@ server {
    Определяет набор шифров (ciphers), которые могут использоваться для установления безопасных соединений.
    ssl_ciphers         HIGH:!aNULL:!MD5;

-    include                 configuration/includes.conf;
+    include                 configuration/_includes.conf;

    proxy_redirect off;
    set $proxy_value https://10.10.10.10:10;
@ -85,7 +85,7 @@ server {
    #сервер будет выбирать шифры, которые он считает предпочтительными, а не те, которые предлагает клиент.
    ssl_prefer_server_ciphers on;

-    include                 configuration/includes.conf;
+    include                 configuration/_includes.conf;

    set $proxy_value http://10.10.10.10:10;
    location / {
@ -111,6 +111,7 @@ server {

        #Доп. заголовки безопасности(на случай важных переговоров) на уровне клиента
        # !!! Использовать для разработки не рекомендую, возможен отвал башки
+        # Доп. описано в security.conf
        
        #предотвращает встраивание страницы в iframe, что защищает от атак типа "clickjacking".
        add_header X-Frame-Options DENY;
@ -139,7 +140,7 @@ server {
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5;

-    include                 configuration/includes.conf;
+    include                 configuration/_includes.conf;

    proxy_redirect off;
    set $proxy_value https://10.10.10.10:10;
@ -168,7 +169,7 @@ server {
    ssl_ciphers 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256';
    ssl_prefer_server_ciphers on;

-    include                 configuration/includes.conf;
+    include                 configuration/_includes.conf;

    set $proxy_value http://10.10.10.10:10;
    location / {