Merge pull request #243 from puzzle/239-task-update-nginx-config-to-include-security-headers

chrira · web-flow · commit 9abf051d401e · 2025-07-15T08:00:15.000+02:00
Update Dockerfile and add nginx configuration
diff --git a/Dockerfile b/Dockerfile
@@ -19,14 +19,18 @@ COPY --from=builder /src/public /
 
 RUN wkhtmltopdf --outline-depth 4 --enable-internal-links --enable-local-file-access  ./pdf/index.html /pdf.pdf
 
-FROM nginxinc/nginx-unprivileged:1.27-alpine
-
-LABEL maintainer puzzle.ch
-LABEL org.opencontainers.image.title "puzzle.ch's Application Migration and Modernization Techlab"
-LABEL org.opencontainers.image.description "Container with puzzle.ch's Application Migration and Modernization Techlab content"
-LABEL org.opencontainers.image.authors puzzle.ch
-LABEL org.opencontainers.image.source https://github.com/puzzle/amm-techlab/
-LABEL org.opencontainers.image.licenses CC-BY-SA-4.0
+FROM docker.io/nginxinc/nginx-unprivileged:1.28-alpine
+
+LABEL maintainer="Puzzle ITC <https://www.puzzle.ch/>"
+LABEL org.opencontainers.image.authors="Puzzle ITC <https://www.puzzle.ch/>"
+LABEL org.opencontainers.image.title="puzzle.ch's Application Migration and Modernization Techlab"
+LABEL org.opencontainers.image.description="Container with puzzle.ch's Application Migration and Modernization Techlab content"
+LABEL org.opencontainers.image.source="https://github.com/puzzle/amm-techlab/"
+LABEL org.opencontainers.image.licenses="CC-BY-SA-4.0"
+
+USER root
+COPY nginx.conf /etc/nginx/nginx.conf
+USER 101
 
 EXPOSE 8080
 
diff --git a/nginx.conf b/nginx.conf
@@ -0,0 +1,59 @@
+worker_processes  auto;
+
+error_log  /var/log/nginx/error.log notice;
+pid        /tmp/nginx.pid;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    port_in_redirect        off;
+    proxy_temp_path         /tmp/proxy_temp;
+    client_body_temp_path   /tmp/client_temp;
+    fastcgi_temp_path       /tmp/fastcgi_temp;
+    uwsgi_temp_path         /tmp/uwsgi_temp;
+    scgi_temp_path          /tmp/scgi_temp;
+
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log          /var/log/nginx/access.log  main;
+    sendfile            on;
+    keepalive_timeout   65;
+
+    server {
+        add_header X-Frame-Options "SAMEORIGIN";
+        add_header X-Content-Type-Options "nosniff";
+        add_header X-XSS-Protection "1; mode=block";
+        add_header Referrer-Policy "strict-origin-when-cross-origin";
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+        add_header Cross-Origin-Embedder-Policy "require-corp";
+        add_header Cross-Origin-Resource-Policy "same-origin";
+        add_header Cross-Origin-Opener-Policy "same-origin";
+        add_header X-Permitted-Cross-Domain-Policies "none";
+        add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(self), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(self), usb=(), web-share=(), xr-spatial-tracking=()";
+        add_header Content-Security-Policy "default-src 'self'; script-src 'self' unpkg.com cdn.jsdelivr.net code.jquery.com; style-src 'self' 'unsafe-inline' fonts.googleapis.com cdn.jsdelivr.net; font-src 'self' fonts.gstatic.com cdn.jsdelivr.net";
+
+        proxy_hide_header X-Powered-By;
+
+        listen       8080;
+        server_name  localhost;
+        server_tokens off;
+
+        location / {
+            root   /usr/share/nginx/html;
+            index  index.html index.htm;
+        }
+
+        error_page   500 502 503 504  /50x.html;
+        location = /50x.html {
+            root   /usr/share/nginx/html;
+        }
+    }
+
+}
