upstream jenkins { keepalive 32; server localhost:8080; } geo $limit { default 1; 10.0.0.0/8 0; } map $limit $limit_key { 0 ""; 1 $binary_remote_addr; } limit_req_zone $limit_key zone=req_zone:20m rate=35r/s; limit_req_zone $binary_remote_addr zone=req_zone_wl:20m rate=50r/s; limit_req_status 429; server { listen 80; listen [::]:80; server_name jenkins.thelyoncompany.com; add_header X-XSS-Protection "1; mode=block"; add_header X-Frame-Options "SAMEORIGIN"; add_header Referrer-Policy "no-referrer-when-downgrade"; location / { return 301 https://jenkins.thelyoncompany.com$request_uri; } } server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name jenkins.thelyoncompany.com; ssl_certificate "/etc/nginx/ssl/jenkins.pem"; ssl_certificate_key "/etc/nginx/ssl/jenkins-key.pem"; ssl_trusted_certificate "/etc/nginx/ssl/jenkins.pem"; add_header X-XSS-Protection "1; mode=block" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header Referrer-Policy "no-referrer-when-downgrade" always; add_header Content-Security-Policy "default-src 'self'; img-src 'self' https://www.w3.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'none'; connect-src 'self'; child-src 'self'; frame-src 'self'; frame-ancestors 'self';" always; add_header Permissions-Policy "accelerometer=(), magnetometer=(), gyroscope=(), geolocation=(), midi=(), payment=(), camera=(), microphone=(), interest-cohort=()" always; add_header Feature-Policy "accelerometer 'none'; magnetometer 'none'; gyroscope 'none'; geolocation 'none'; midi 'none'; payment 'none'; camera 'none'; microphone 'none';" always; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Permitted-Cross-Domain-Policies "none" always; add_header Cache-Control "no-cache, no-store, must-revalidate, max-age=0" always; add_header Pragma "no-cache" always; ignore_invalid_headers off; location ~ /\.(?!well-known) { deny all; } include /etc/nginx/default.d/*.conf; location = /robots.txt { add_header Content-Type text/plain; return 200 "User-agent: *\nDisallow: /\n"; } location ~ "^/static/[0-9a-fA-F]{8}\/(.*)$" { add_header X-Robots-Tag "noindex, nofollow, nocache" always; rewrite "^/static/[0-9a-fA-F]{8}\/(.*)" /$1 last; } location /userContent { add_header X-Robots-Tag "noindex, nofollow, nocache" always; root /var/lib/jenkins/; if (!-f $request_filename){ rewrite (.*) /$1 last; break; } sendfile on; } location / { sendfile off; limit_req zone=req_zone burst=50 nodelay; limit_req zone=req_zone_wl burst=50 nodelay; limit_req_status 429; proxy_pass http://jenkins; proxy_redirect default; proxy_http_version 1.1; proxy_cache_bypass $http_upgrade; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Forwarded $proxy_add_forwarded; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Port $server_port; proxy_max_temp_file_size 0; client_max_body_size 10m; client_body_buffer_size 128k; proxy_connect_timeout 90; proxy_send_timeout 90; proxy_read_timeout 90; proxy_buffering off; proxy_request_buffering off; proxy_set_header Connection ""; } }