archy/image-recipe/configs/external-app-proxies.conf
Dorian 12ae3af981 feat: Phase 6 — nginx security headers, CSP hardening, rate limiting
- CSP: removed unsafe-eval, tightened frame-src to self + host ports,
  added frame-ancestors, base-uri, form-action directives
- X-Frame-Options: SAMEORIGIN added after proxy_hide_header on all app proxies
- HSTS: max-age=31536000; includeSubDomains on all server blocks
- Rate limiting: 20r/s on /rpc/ with burst=40, 3r/s auth zone
- Added X-DNS-Prefetch-Control, Permissions-Policy payment=() header

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-18 00:57:16 +00:00


# External web-only apps — reverse proxy to strip X-Frame-Options for iframe embedding
# Used by appLauncher.ts EXTERNAL_PROXY_PORT mapping
# Deployed to /etc/nginx/conf.d/external-app-proxies.conf
# Runtime DNS for the proxy_pass targets below: each upstream is given through a
# variable, which is why a resolver is required here at all. This is plain UDP
# DNS to public resolvers, i.e. unauthenticated answers, so on the proxy->origin
# hop the certificate check in the server blocks is what actually pins the peer.
resolver_timeout 5s;
resolver 1.1.1.1 8.8.8.8 valid=300s;
# BotFights (botfights.net) → port 8901
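server {
    # NOTE(review): no address given, so this binds every interface. If only the
    # local launcher talks to it, `listen 127.0.0.1:8901;` keeps this open
    # forwarder to a third-party site off the LAN — confirm against appLauncher.ts.
    listen 8901;
    server_name _;

    location / {
        # Target held in a variable so it is resolved per request via the
        # resolver declared above, rather than once at startup.
        set $upstream_botfights https://botfights.net;
        proxy_pass $upstream_botfights;
        proxy_http_version 1.1;

        proxy_set_header Host botfights.net;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Presumably requests an uncompressed body for sub_filter rewriting;
        # no sub_filter directive exists in this file, so the sub_filter_*
        # lines at the end are no-ops unless one is inherited from nginx.conf.
        proxy_set_header Accept-Encoding "";

        # Upstream TLS: send SNI for the real host and refuse legacy protocol
        # versions on the proxy->origin leg (nginx's documented default for
        # proxy_ssl_protocols still includes TLSv1 and TLSv1.1).
        proxy_ssl_server_name on;
        proxy_ssl_name botfights.net;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        # proxy_ssl_verify defaults to off: the origin certificate is not checked,
        # so a browser trusting this proxy cannot tell an intercepted upstream
        # from the real one. Enable once the CA bundle shipped in the image is known:
        #   proxy_ssl_verify on;
        #   proxy_ssl_trusted_certificate <PATH_TO_CA_BUNDLE>;   # placeholder, set per image

        # Framing policy: the upstream X-Frame-Options is replaced by SAMEORIGIN.
        # Browsers compare the top-level document's origin (scheme+host+port) with
        # this listener's, so if the launcher is served from a different port the
        # embed this file exists for is still refused — confirm with the launcher origin.
        proxy_hide_header X-Frame-Options;
        add_header X-Frame-Options "SAMEORIGIN" always;
        # Dropping the upstream CSP removes its frame-ancestors (which would block
        # embedding) but also every other upstream restriction; nothing is added
        # in its place, so the proxied page runs with no CSP at all.
        proxy_hide_header Content-Security-Policy;

        proxy_connect_timeout 60s;
        proxy_read_timeout 60s;
        # Rewrite absolute Location headers from the origin back through this proxy.
        proxy_redirect https://botfights.net/ /;
        sub_filter_once off;
        sub_filter_types text/html text/css application/javascript;
    }
}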
# 484 Kitchen (484.kitchen) → port 8902
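server {
    # NOTE(review): no address given, so this binds every interface. If only the
    # local launcher talks to it, `listen 127.0.0.1:8902;` keeps this open
    # forwarder to a third-party site off the LAN — confirm against appLauncher.ts.
    listen 8902;
    server_name _;

    location / {
        # Target held in a variable so it is resolved per request via the
        # resolver declared above, rather than once at startup.
        set $upstream_484 https://484.kitchen;
        proxy_pass $upstream_484;
        proxy_http_version 1.1;

        proxy_set_header Host 484.kitchen;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Presumably requests an uncompressed body for sub_filter rewriting;
        # no sub_filter directive exists in this file, so the sub_filter_*
        # lines at the end are no-ops unless one is inherited from nginx.conf.
        proxy_set_header Accept-Encoding "";

        # Upstream TLS: send SNI for the real host and refuse legacy protocol
        # versions on the proxy->origin leg (nginx's documented default for
        # proxy_ssl_protocols still includes TLSv1 and TLSv1.1).
        proxy_ssl_server_name on;
        proxy_ssl_name 484.kitchen;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        # proxy_ssl_verify defaults to off: the origin certificate is not checked,
        # so a browser trusting this proxy cannot tell an intercepted upstream
        # from the real one. Enable once the CA bundle shipped in the image is known:
        #   proxy_ssl_verify on;
        #   proxy_ssl_trusted_certificate <PATH_TO_CA_BUNDLE>;   # placeholder, set per image

        # Framing policy: the upstream X-Frame-Options is replaced by SAMEORIGIN.
        # Browsers compare the top-level document's origin (scheme+host+port) with
        # this listener's, so if the launcher is served from a different port the
        # embed this file exists for is still refused — confirm with the launcher origin.
        proxy_hide_header X-Frame-Options;
        add_header X-Frame-Options "SAMEORIGIN" always;
        # Dropping the upstream CSP removes its frame-ancestors (which would block
        # embedding) but also every other upstream restriction; nothing is added
        # in its place, so the proxied page runs with no CSP at all.
        proxy_hide_header Content-Security-Policy;

        proxy_connect_timeout 60s;
        proxy_read_timeout 60s;
        # Rewrite absolute Location headers from the origin back through this proxy.
        proxy_redirect https://484.kitchen/ /;
        sub_filter_once off;
        sub_filter_types text/html text/css application/javascript;
    }
}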
# Arch Presentation (present.l484.com) → port 8903
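server {
    # NOTE(review): no address given, so this binds every interface. If only the
    # local launcher talks to it, `listen 127.0.0.1:8903;` keeps this open
    # forwarder to a third-party site off the LAN — confirm against appLauncher.ts.
    listen 8903;
    server_name _;

    location / {
        # Target held in a variable so it is resolved per request via the
        # resolver declared above, rather than once at startup.
        set $upstream_present https://present.l484.com;
        proxy_pass $upstream_present;
        proxy_http_version 1.1;

        proxy_set_header Host present.l484.com;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Presumably requests an uncompressed body for sub_filter rewriting;
        # no sub_filter directive exists in this file, so the sub_filter_*
        # lines at the end are no-ops unless one is inherited from nginx.conf.
        proxy_set_header Accept-Encoding "";

        # Upstream TLS: send SNI for the real host and refuse legacy protocol
        # versions on the proxy->origin leg (nginx's documented default for
        # proxy_ssl_protocols still includes TLSv1 and TLSv1.1).
        proxy_ssl_server_name on;
        proxy_ssl_name present.l484.com;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        # proxy_ssl_verify defaults to off: the origin certificate is not checked,
        # so a browser trusting this proxy cannot tell an intercepted upstream
        # from the real one. Enable once the CA bundle shipped in the image is known:
        #   proxy_ssl_verify on;
        #   proxy_ssl_trusted_certificate <PATH_TO_CA_BUNDLE>;   # placeholder, set per image

        # Framing policy: the upstream X-Frame-Options is replaced by SAMEORIGIN.
        # Browsers compare the top-level document's origin (scheme+host+port) with
        # this listener's, so if the launcher is served from a different port the
        # embed this file exists for is still refused — confirm with the launcher origin.
        proxy_hide_header X-Frame-Options;
        add_header X-Frame-Options "SAMEORIGIN" always;
        # Dropping the upstream CSP removes its frame-ancestors (which would block
        # embedding) but also every other upstream restriction; nothing is added
        # in its place, so the proxied page runs with no CSP at all.
        proxy_hide_header Content-Security-Policy;

        proxy_connect_timeout 60s;
        proxy_read_timeout 60s;
        # Rewrite absolute Location headers from the origin back through this proxy.
        proxy_redirect https://present.l484.com/ /;
        sub_filter_once off;
        sub_filter_types text/html text/css application/javascript;
    }
}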