path: root/static/files/articles/site-backend/pablotron.onion.conf.txt
blob: 9c80ede27b07dde7b1b4bae227883518676a8c41 (plain)
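# nginx virtual host for the .onion mirror of the site.
# Requests arrive on a unix socket rather than a TCP port (presumably
# the socket the tor onion service forwards to; confirm against torrc).
server {
  listen unix:/var/run/tor/pablotron.sock;
  server_name pablotronfils76sk6pwvyoosvfjbhxe3sn4c654e4na4szidbnbqdyd.onion;
  root /store/www/pablotronfils76sk6pwvyoosvfjbhxe3sn4c654e4na4szidbnbqdyd.onion/htdocs;
  index index.html;
  access_log /var/log/nginx/pablotron-access.log;

  # enable compression, compress common types
  gzip on;
  gzip_types text/html text/plain text/xml text/css text/javascript application/x-javascript text/csv application/json text/json image/svg+xml;

  # Content-Security-Policy is selected per request into $csp and sent
  # from the server level alongside the other headers below, instead
  # of from per-location add_header directives.  Reasons:
  #
  # - nginx inherits add_header from the enclosing level only when the
  #   location defines no add_header of its own, so a location that
  #   adds just the CSP drops every other header set in this block.
  # - "^~" is a prefix-match modifier, not a negated regex, so
  #   `location ^~ \.svg$` only matches URIs that begin with the
  #   literal text and the default policy was never sent.
  # - regex locations are tried in file order; ".svg" is already
  #   matched by the asset location below, so a later `~ \.svg$`
  #   location is never selected.

  # default Content-Security-Policy
  set $csp "default-src 'self'; img-src 'self' https://pmdn.org";

  # relax Content-Security-Policy for SVGs to allow
  # `style-src-attr 'unsafe-inline'`
  if ($uri ~ "\.svg$") {
    set $csp "default-src 'self'; img-src 'self'; style-src-attr 'self' 'unsafe-inline'";
  }

  # security headers (see comments in apache config)
  # note: without the `always` parameter nginx attaches these only to
  # a fixed set of success and redirect statuses, so error responses
  # (e.g. 404) are served without them.
  add_header "X-Frame-Options" "SAMEORIGIN";
  add_header "X-Content-Type-Options" "nosniff";
  add_header "Cross-Origin-Opener-Policy" "same-origin";
  add_header "Cross-Origin-Resource-Policy" "same-origin";
  add_header "Access-Control-Allow-Origin" "http://pablotronfils76sk6pwvyoosvfjbhxe3sn4c654e4na4szidbnbqdyd.onion";
  add_header "Referrer-Policy" "strict-origin-when-cross-origin";
  add_header "Permissions-Policy" "camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), usb=()";
  add_header "Content-Security-Policy" $csp;

  # different from apache; POST method not needed
  add_header "Access-Control-Allow-Methods" "GET, HEAD, OPTIONS";

  location ~ \.(ico|jpg|jpeg|png|gif|webp|svg|js|json|css)$ {
    # cache images, stylesheets, and javascript for 1 year
    # note: caching makes a BIG difference when browsing via tor
    #
    # keep this location free of add_header so that the server-level
    # headers above (including the CSP) are inherited unchanged
    expires 1y;
  }
}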