6ea457d01d
- Nginx configs with security headers (X-Frame-Options, CSP, etc.) - fail2ban jails for nginx (botsearch, bad-request, forbidden) - Kernel hardening via sysctl (rp_filter, no redirects, log martians) - SSH hardening (no root, max 3 attempts, no X11) - UFW rules export - Idempotent setup.sh to restore all configs on fresh install - Flask bound to 127.0.0.1 (nginx-only access) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
27 lines
735 B
Plaintext
27 lines
735 B
Plaintext
server {
|
|
listen 80;
|
|
listen 8080;
|
|
server_name island37.com www.island37.com;
|
|
|
|
root /var/www/html;
|
|
index index.html;
|
|
|
|
# Security headers
|
|
add_header X-Frame-Options "SAMEORIGIN" always;
|
|
add_header X-Content-Type-Options "nosniff" always;
|
|
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
|
add_header X-XSS-Protection "1; mode=block" always;
|
|
|
|
location /api/ {
|
|
proxy_pass http://localhost:3031/api/;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
add_header Access-Control-Allow-Origin "https://island37.com" always;
|
|
}
|
|
|
|
location / {
|
|
try_files $uri $uri/ /index.html;
|
|
}
|
|
}
|