From d29210aa754f149e56e8dd6656eb5ebb68ff4ff1 Mon Sep 17 00:00:00 2001
From: Tagadda <36127788+Tagadda@users.noreply.github.com>
Date: Fri, 7 Jul 2023 23:04:37 +0200
Subject: Update nginx.conf

---
 conf/nginx.conf | 99 +++++++++++++++++++++++++++++++++++++++++----------------
 1 file changed, 71 insertions(+), 28 deletions(-)

(limited to 'conf')

diff --git a/conf/nginx.conf b/conf/nginx.conf
index 19c2c01..6af1000 100644
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@@ -1,7 +1,5 @@
-# upload max size
-client_max_body_size 100M;
+client_max_body_size 99m;
 
-# add to v1.4 assets
 root __FINALPATH__/live/public;
 
 location / {
@@ -13,56 +11,101 @@ location / {
   include conf.d/yunohost_panel.conf.inc;
 }
 
-location ~ ^/(emoji|packs|system/accounts/avatars|system/media_attachments/files) {
-  more_set_headers "Cache-Control: public, max-age=31536000, immutable";
-  more_set_headers "Strict-Transport-Security: max-age=31536000";
-  try_files $uri @proxy;
+location ~ /sw.js {
+  more_set_headers "Cache-Control: public, max-age=604800, must-revalidate";
+  more_set_headers "Strict-Transport-Security: max-age=63072000; includeSubDomains";
+  try_files $uri =404;
 }
 
-location /sw.js {
-  more_set_headers "Cache-Control: public, max-age=0";
-  more_set_headers "Strict-Transport-Security: max-age=31536000";
-  try_files $uri @proxy;
+location ~ ^/assets/ {
+  more_set_headers "Cache-Control: public, max-age=2419200, must-revalidate";
+  more_set_headers "Strict-Transport-Security: max-age=63072000; includeSubDomains";
+  try_files $uri =404;
 }
 
-location @proxy {
+location ~ ^/avatars/ {
+  more_set_headers "Cache-Control: public, max-age=2419200, must-revalidate";
+  more_set_headers "Strict-Transport-Security: max-age=63072000; includeSubDomains";
+  try_files $uri =404;
+}
+
+location ~ ^/emoji/ {
+  more_set_headers "Cache-Control: public, max-age=2419200, must-revalidate";
+  more_set_headers "Strict-Transport-Security: max-age=63072000; includeSubDomains";
+  try_files $uri =404;
+}
+
+location ~ ^/headers/ {
+  more_set_headers "Cache-Control: public, max-age=2419200, must-revalidate";
+  more_set_headers "Strict-Transport-Security: max-age=63072000; includeSubDomains";
+  try_files $uri =404;
+}
+
+location ~ ^/packs/ {
+  more_set_headers "Cache-Control: public, max-age=2419200, must-revalidate";
+  more_set_headers "Strict-Transport-Security: max-age=63072000; includeSubDomains";
+  try_files $uri =404;
+}
+
+location ~ ^/shortcuts/ {
+  more_set_headers "Cache-Control: public, max-age=2419200, must-revalidate";
+  more_set_headers "Strict-Transport-Security: max-age=63072000; includeSubDomains";
+  try_files $uri =404;
+}
+
+location ~ ^/sounds/ {
+  more_set_headers "Cache-Control: public, max-age=2419200, must-revalidate";
+  more_set_headers "Strict-Transport-Security: max-age=63072000; includeSubDomains";
+  try_files $uri =404;
+}
+
+location ~ ^/system/ {
+  more_set_headers "Cache-Control: public, max-age=2419200, immutable";
+  more_set_headers "Strict-Transport-Security: max-age=63072000; includeSubDomains";
+  more_set_headers "X-Content-Type-Option: nosniff";
+  more_set_headers "Content-Security-Policy: default-src 'none'; form-action 'none'";
+  try_files $uri =404;
+}
+
+location ^~ /api/v1/streaming {
   proxy_set_header Host $host;
   proxy_set_header X-Real-IP $remote_addr;
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-  proxy_set_header X-Forwarded-Proto https;
+  proxy_set_header X-Forwarded-Proto $scheme;
   proxy_set_header Proxy "";
-  proxy_pass_header Server;
 
-  proxy_pass http://127.0.0.1:__PORT_WEB__;
-  proxy_buffering on;
+  proxy_pass http://127.0.0.1:__PORT_STREAM__;
+  proxy_buffering off;
   proxy_redirect off;
   proxy_http_version 1.1;
   proxy_set_header Upgrade $http_upgrade;
-  proxy_set_header Connection "upgrade";
+  proxy_set_header Connection $connection_upgrade;
 
-  #proxy_cache CACHE;
-  proxy_cache_valid 200 7d;
-  proxy_cache_valid 410 24h;
-  proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
-  more_set_headers "X-Cached: $upstream_cache_status";
-  more_set_headers "Strict-Transport-Security: max-age=31536000";
+  more_set_headers "Strict-Transport-Security: max-age=63072000; includeSubDomains";
 
   tcp_nodelay on;
 }
 
-location /api/v1/streaming {
+location @proxy {
   proxy_set_header Host $host;
   proxy_set_header X-Real-IP $remote_addr;
   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-  proxy_set_header X-Forwarded-Proto https;
+  proxy_set_header X-Forwarded-Proto $scheme;
   proxy_set_header Proxy "";
+  proxy_pass_header Server;
 
-  proxy_pass http://127.0.0.1:__PORT_STREAM__;
-  proxy_buffering off;
+  proxy_pass http://127.0.0.1:__PORT_WEB__;
+  proxy_buffering on;
   proxy_redirect off;
   proxy_http_version 1.1;
   proxy_set_header Upgrade $http_upgrade;
-  proxy_set_header Connection "upgrade";
+  proxy_set_header Connection $connection_upgrade;
+
+  proxy_cache CACHE;
+  proxy_cache_valid 200 7d;
+  proxy_cache_valid 410 24h;
+  proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
+  more_set_headers "X-Cached: $upstream_cache_status";
 
   tcp_nodelay on;
 }
-- 
cgit v1.2.3-70-g09d2