140 lines
4.8 KiB
Nginx Configuration File
140 lines
4.8 KiB
Nginx Configuration File
server {
|
|
listen 80;
|
|
listen [::]:80;
|
|
server_name localhost;
|
|
root /usr/share/nginx/html;
|
|
index index.html;
|
|
|
|
# Security headers
|
|
|
|
# Content Security Policy (CSP) - Protection contre XSS
|
|
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.googletagmanager.com https://www.google-analytics.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https:; connect-src 'self' https://www.google-analytics.com https://www.googletagmanager.com; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; require-trusted-types-for 'script';" always;
|
|
|
|
# HTTP Strict Transport Security (HSTS) - Force HTTPS
|
|
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
|
|
|
|
# Cross-Origin-Opener-Policy (COOP) - Isolation de l'origine
|
|
add_header Cross-Origin-Opener-Policy "same-origin" always;
|
|
|
|
# Cross-Origin-Resource-Policy (CORP)
|
|
add_header Cross-Origin-Resource-Policy "same-origin" always;
|
|
|
|
# Cross-Origin-Embedder-Policy (COEP)
|
|
add_header Cross-Origin-Embedder-Policy "require-corp" always;
|
|
|
|
# Protection contre le clickjacking
|
|
add_header X-Frame-Options "DENY" always;
|
|
|
|
# Protection contre le MIME type sniffing
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
|
|
# Protection XSS (legacy)
|
|
add_header X-XSS-Protection "1; mode=block" always;
|
|
|
|
# Referrer Policy - Contrôle des informations envoyées
|
|
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
|
|
|
# Permissions Policy - Contrôle des fonctionnalités du navigateur
|
|
add_header Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=(), usb=(), magnetometer=(), gyroscope=(), accelerometer=()" always;
|
|
|
|
# Gzip compression
|
|
gzip on;
|
|
gzip_vary on;
|
|
gzip_proxied any;
|
|
gzip_comp_level 6;
|
|
gzip_min_length 256;
|
|
gzip_types
|
|
text/plain
|
|
text/css
|
|
text/xml
|
|
text/javascript
|
|
application/json
|
|
application/javascript
|
|
application/xml+rss
|
|
application/rss+xml
|
|
font/truetype
|
|
font/opentype
|
|
application/vnd.ms-fontobject
|
|
image/svg+xml
|
|
application/wasm;
|
|
|
|
# Brotli compression (si supporté par nginx)
|
|
# brotli on;
|
|
# brotli_comp_level 6;
|
|
# brotli_types text/plain text/css application/json application/javascript text/xml application/xml image/svg+xml;
|
|
|
|
# Cache static assets - Images WebP
|
|
location ~* \.(webp)$ {
|
|
expires 1y;
|
|
add_header Cache-Control "public, immutable";
|
|
add_header Vary "Accept-Encoding";
|
|
access_log off;
|
|
|
|
# Préchargement HTTP/2 Server Push (optionnel)
|
|
# http2_push_preload on;
|
|
}
|
|
|
|
# Cache static assets - Images
|
|
location ~* \.(jpg|jpeg|png|gif|ico|svg)$ {
|
|
expires 1y;
|
|
add_header Cache-Control "public, immutable";
|
|
add_header Vary "Accept-Encoding";
|
|
access_log off;
|
|
}
|
|
|
|
# Cache static assets - CSS/JS avec hash (versionnés)
|
|
location ~* \.(css|js)$ {
|
|
expires 1y;
|
|
add_header Cache-Control "public, immutable";
|
|
add_header Vary "Accept-Encoding";
|
|
access_log off;
|
|
|
|
# Précharger les ressources critiques
|
|
add_header Link "</assets/fonts/inter.woff2>; rel=preload; as=font; type=font/woff2; crossorigin" always;
|
|
}
|
|
|
|
# Cache static assets - Fonts
|
|
location ~* \.(woff|woff2|ttf|otf|eot)$ {
|
|
expires 1y;
|
|
add_header Cache-Control "public, immutable";
|
|
add_header Access-Control-Allow-Origin "*";
|
|
access_log off;
|
|
}
|
|
|
|
# SPA fallback - toutes les routes vers index.html
|
|
location / {
|
|
try_files $uri $uri/ /index.html;
|
|
|
|
# HTTP/2 Server Push pour les ressources critiques (si supporté)
|
|
# http2_push /assets/css/index.css;
|
|
# http2_push /assets/js/index.js;
|
|
}
|
|
|
|
# Disable cache for index.html
|
|
location = /index.html {
|
|
add_header Cache-Control "no-cache, no-store, must-revalidate" always;
|
|
add_header Pragma "no-cache" always;
|
|
add_header Expires "0" always;
|
|
|
|
# Ajout de Link headers pour preconnect
|
|
add_header Link "<https://fonts.googleapis.com>; rel=preconnect" always;
|
|
add_header Link "<https://fonts.gstatic.com>; rel=preconnect; crossorigin" always;
|
|
}
|
|
|
|
# Disable cache for service worker if you add one later
|
|
location = /service-worker.js {
|
|
add_header Cache-Control "no-cache, no-store, must-revalidate";
|
|
add_header Pragma "no-cache";
|
|
add_header Expires "0";
|
|
}
|
|
|
|
# Error pages
|
|
error_page 404 /index.html;
|
|
|
|
# Optimisation supplémentaire
|
|
tcp_nopush on;
|
|
tcp_nodelay on;
|
|
sendfile on;
|
|
keepalive_timeout 65;
|
|
}
|