You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
112 lines
4.3 KiB
112 lines
4.3 KiB
upstream jenkins {
|
|
keepalive 32;
|
|
server localhost:8080;
|
|
}
|
|
|
|
geo $limit {
|
|
default 1;
|
|
10.0.0.0/8 0;
|
|
}
|
|
|
|
map $limit $limit_key {
|
|
0 "";
|
|
1 $binary_remote_addr;
|
|
}
|
|
|
|
limit_req_zone $limit_key zone=req_zone:20m rate=35r/s;
|
|
limit_req_zone $binary_remote_addr zone=req_zone_wl:20m rate=50r/s;
|
|
limit_req_status 429;
|
|
|
|
server {
|
|
listen 80;
|
|
listen [::]:80;
|
|
server_name jenkins.thelyoncompany.com;
|
|
|
|
add_header X-XSS-Protection "1; mode=block";
|
|
add_header X-Frame-Options "SAMEORIGIN";
|
|
add_header Referrer-Policy "no-referrer-when-downgrade";
|
|
|
|
location / {
|
|
return 301 https://jenkins.thelyoncompany.com$request_uri;
|
|
}
|
|
}
|
|
|
|
server {
|
|
listen 443 ssl http2;
|
|
listen [::]:443 ssl http2;
|
|
server_name jenkins.thelyoncompany.com;
|
|
|
|
ssl_certificate "/etc/nginx/ssl/jenkins.pem";
|
|
ssl_certificate_key "/etc/nginx/ssl/jenkins-key.pem";
|
|
ssl_trusted_certificate "/etc/nginx/ssl/jenkins.pem";
|
|
|
|
add_header X-XSS-Protection "1; mode=block" always;
|
|
add_header X-Frame-Options "SAMEORIGIN" always;
|
|
add_header Referrer-Policy "no-referrer-when-downgrade" always;
|
|
add_header Content-Security-Policy "default-src 'self'; img-src 'self' https://www.w3.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'none'; connect-src 'self'; child-src 'self'; frame-src 'self'; frame-ancestors 'self';" always;
|
|
add_header Permissions-Policy "accelerometer=(), magnetometer=(), gyroscope=(), geolocation=(), midi=(), payment=(), camera=(), microphone=(), interest-cohort=()" always;
|
|
add_header Feature-Policy "accelerometer 'none'; magnetometer 'none'; gyroscope 'none'; geolocation 'none'; midi 'none'; payment 'none'; camera 'none'; microphone 'none';" always;
|
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
|
add_header X-Permitted-Cross-Domain-Policies "none" always;
|
|
add_header Cache-Control "no-cache, no-store, must-revalidate, max-age=0" always;
|
|
add_header Pragma "no-cache" always;
|
|
|
|
ignore_invalid_headers off;
|
|
|
|
location ~ /\.(?!well-known) {
|
|
deny all;
|
|
}
|
|
|
|
include /etc/nginx/default.d/*.conf;
|
|
|
|
location = /robots.txt {
|
|
add_header Content-Type text/plain;
|
|
return 200 "User-agent: *\nDisallow: /\n";
|
|
}
|
|
|
|
location ~ "^/static/[0-9a-fA-F]{8}\/(.*)$" {
|
|
add_header X-Robots-Tag "noindex, nofollow, nocache" always;
|
|
rewrite "^/static/[0-9a-fA-F]{8}\/(.*)" /$1 last;
|
|
}
|
|
|
|
location /userContent {
|
|
add_header X-Robots-Tag "noindex, nofollow, nocache" always;
|
|
root /var/lib/jenkins/;
|
|
if (!-f $request_filename){
|
|
rewrite (.*) /$1 last;
|
|
break;
|
|
}
|
|
sendfile on;
|
|
}
|
|
|
|
location / {
|
|
sendfile off;
|
|
limit_req zone=req_zone burst=50 nodelay;
|
|
limit_req zone=req_zone_wl burst=50 nodelay;
|
|
limit_req_status 429;
|
|
proxy_pass http://jenkins;
|
|
proxy_redirect default;
|
|
proxy_http_version 1.1;
|
|
proxy_cache_bypass $http_upgrade;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection $connection_upgrade;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header Forwarded $proxy_add_forwarded;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header X-Forwarded-Host $host;
|
|
proxy_set_header X-Forwarded-Port $server_port;
|
|
proxy_max_temp_file_size 0;
|
|
|
|
client_max_body_size 10m;
|
|
client_body_buffer_size 128k;
|
|
|
|
proxy_connect_timeout 90;
|
|
proxy_send_timeout 90;
|
|
proxy_read_timeout 90;
|
|
proxy_buffering off;
|
|
proxy_request_buffering off;
|
|
proxy_set_header Connection "";
|
|
}
|
|
} |