From 9fc266b01aef5adf4410699870c607b4b9d7a67b Mon Sep 17 00:00:00 2001 From: Edwin Lyon Date: Tue, 9 Aug 2022 13:17:58 -0700 Subject: [PATCH] Add 'sites-enabled/jenkins' --- sites-enabled/jenkins | 112 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 112 insertions(+) create mode 100644 sites-enabled/jenkins diff --git a/sites-enabled/jenkins b/sites-enabled/jenkins new file mode 100644 index 0000000..fdd1b74 --- /dev/null +++ b/sites-enabled/jenkins @@ -0,0 +1,112 @@ +upstream jenkins { + keepalive 32; + server localhost:8080; +} + +geo $limit { + default 1; + 10.0.0.0/8 0; +} + +map $limit $limit_key { + 0 ""; + 1 $binary_remote_addr; +} + +limit_req_zone $limit_key zone=req_zone:20m rate=35r/s; +limit_req_zone $binary_remote_addr zone=req_zone_wl:20m rate=50r/s; +limit_req_status 429; + +server { + listen 80; + listen [::]:80; + server_name jenkins.thelyoncompany.com; + + add_header X-XSS-Protection "1; mode=block"; + add_header X-Frame-Options "SAMEORIGIN"; + add_header Referrer-Policy "no-referrer-when-downgrade"; + + location / { + return 301 https://jenkins.thelyoncompany.com$request_uri; + } +} + +server { + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name jenkins.thelyoncompany.com; + + ssl_certificate "/etc/nginx/ssl/jenkins.pem"; + ssl_certificate_key "/etc/nginx/ssl/jenkins-key.pem"; + ssl_trusted_certificate "/etc/nginx/ssl/jenkins.pem"; + + add_header X-XSS-Protection "1; mode=block" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header Referrer-Policy "no-referrer-when-downgrade" always; + add_header Content-Security-Policy "default-src 'none'; img-src 'self' 'http://www.w3.org'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; child-src 'self'; frame-src 'self'; frame-ancestors 'self';" always; + add_header Permissions-Policy "accelerometer=(), magnetometer=(), gyroscope=(), geolocation=(), midi=(), payment=(), camera=(), microphone=(), interest-cohort=()" always; + add_header Feature-Policy "accelerometer 'none'; magnetometer 'none'; gyroscope 'none'; geolocation 'none'; midi 'none'; payment 'none'; camera 'none'; microphone 'none';" always; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header Cache-Control "no-cache, no-store, must-revalidate, max-age=0" always; + add_header Pragma "no-cache" always; + + ignore_invalid_headers off; + + location ~ /\.(?!well-known) { + deny all; + } + + include /etc/nginx/default.d/*.conf; + + location = /robots.txt { + add_header Content-Type text/plain; + return 200 "User-agent: *\nDisallow: /\n"; + } + + location ~ "^/static/[0-9a-fA-F]{8}\/(.*)$" { + add_header X-Robots-Tag "noindex, nofollow, nocache" always; + rewrite "^/static/[0-9a-fA-F]{8}\/(.*)" /$1 last; + } + + location /userContent { + add_header X-Robots-Tag "noindex, nofollow, nocache" always; + root /var/lib/jenkins/; + if (!-f $request_filename){ + rewrite (.*) /$1 last; + break; + } + sendfile on; + } + + location / { + sendfile off; + limit_req zone=req_zone burst=50 nodelay; + limit_req zone=req_zone_wl burst=50 nodelay; + limit_req_status 429; + proxy_pass http://jenkins; + proxy_redirect default; + proxy_http_version 1.1; + proxy_cache_bypass $http_upgrade; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header Forwarded $proxy_add_forwarded; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + proxy_max_temp_file_size 0; + + client_max_body_size 10m; + client_body_buffer_size 128k; + + proxy_connect_timeout 90; + proxy_send_timeout 90; + proxy_read_timeout 90; + proxy_buffering off; + proxy_request_buffering off; + proxy_set_header Connection ""; + } +} \ No newline at end of file