update nginx conf and use official nginx container

zacharyfleck · zacharyfleck · commit d5fd2cab8286 · 2026-02-02T23:02:37.000-05:00
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -22,7 +22,7 @@ jobs:
           node-version: 24
       - name: Setup Node Modules and Angular
         run: |
-          npm ci && \
+          npm i && \
           npm install -g @angular/cli@21
       - name: Lint Application
         run: ng lint
diff --git a/Dockerfile b/Dockerfile
@@ -1,13 +1,10 @@
-FROM node:20 AS build
+FROM node:24 AS build
 WORKDIR /app
 COPY ./ .
-RUN npm ci && \
-    npm install -g @angular/cli@17 && \
+RUN npm i && \
+    npm install -g @angular/cli@21 && \
     ng build
 
-FROM bitnami/nginx:latest AS final
-USER root
-RUN apt-get update && apt-get upgrade -y
-USER 1001
-COPY nginx.conf /opt/bitnami/nginx/conf/server_blocks/nginx.conf
-COPY --from=build /app/dist/website/browser* /app
+FROM nginx:1.29.4-alpine AS final
+COPY nginx.conf /etc/nginx/conf.d/default.conf
+COPY --from=build /app/dist/website/browser* /usr/share/nginx/html
diff --git a/nginx.conf b/nginx.conf
@@ -1,33 +1,58 @@
+map $request_id $csp_nonce {
+    default $request_id;
+}
+
 server {
-    listen 80;
-    root /app;
+    listen 80 default_server;
+    server_name _;
+
+    root /usr/share/nginx/html;
     index index.html;
 
-    # Set security headers to protect against common web vulnerabilities
-    add_header X-Frame-Options "DENY";
-    add_header X-Content-Type-Options "nosniff";
-    add_header X-XSS-Protection "1; mode=block";
-    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
-    add_header Content-Security-Policy "default-src 'self' https://*.thefirepanel.com; worker-src 'self' blob:; style-src 'self' 'unsafe-inline' 'nonce-$request_id' https://fonts.googleapis.com; script-src 'unsafe-inline' 'self' 'nonce-$request_id'; font-src 'self' https://fonts.gstatic.com; img-src 'self' https://i.ytimg.com data:; base-uri 'self'; object-src 'none'; connect-src *; frame-src https://www.youtube.com;";
+    # -------------------------
+    # Security headers
+    # -------------------------
+    add_header X-Frame-Options "DENY" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
 
+    add_header Content-Security-Policy "
+        default-src 'self' https://*.thefirepanel.com;
+        base-uri 'self';
+        object-src 'none';
+        frame-ancestors 'none';
+        worker-src 'self' blob:;
+        style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
+        script-src 'self' 'nonce-$csp_nonce';
+        font-src 'self' https://fonts.gstatic.com;
+        img-src 'self' https://i.ytimg.com data:;
+        connect-src *;
+        frame-src https://www.youtube.com;
+    " always;
+
+    # -------------------------
+    # Redirects
+    # -------------------------
     location ~ ^/(team|author)/ {
-        return 301 /about;
+        return 308 /about;
     }
 
     location = /wiki/ndevices/simplexmnc/ {
-        return 301 /tools;
+        return 308 /tools;
     }
 
     location ~ ^/(wiki|blog|tag)/ {
-        return 301 https://wiki.thefirepanel.com;
+        return 308 https://wiki.thefirepanel.com$request_uri;
     }
 
-    # Define location block for handling requests
+    # -------------------------
+    # SPA handling
+    # -------------------------
     location / {
-        # Try serving the requested URI, fall back to index.html if not found
-        try_files $uri /index.html;
-        # Enable nonce on app to protect with CSP
+        try_files $uri $uri/ /index.html;
+
         sub_filter_once off;
-        sub_filter random_nonce_value $request_id;
+        sub_filter random_nonce_value $csp_nonce;
     }
 }
