# Configuration Nginx pour Secure Proxy OIDC upstream secure_proxy { server localhost:3000; } server { listen 80; server_name secure.k2r.ovh; # Redirection HTTPS return 301 https://$server_name$request_uri; } server { listen 443 ssl http2; server_name secure.k2r.ovh; # Certificats SSL (Let's Encrypt) ssl_certificate /etc/letsencrypt/live/secure.k2r.ovh/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/secure.k2r.ovh/privkey.pem; # Configuration SSL recommandée ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; # Headers de sécurité add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Content-Type-Options "nosniff" always; add_header X-Frame-Options "DENY" always; add_header X-XSS-Protection "1; mode=block" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; # Proxy settings location / { proxy_pass http://secure_proxy; proxy_http_version 1.1; # Headers proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Connection "upgrade"; proxy_set_header Upgrade $http_upgrade; # Timeouts proxy_connect_timeout 60s; proxy_send_timeout 60s; proxy_read_timeout 60s; # Buffering proxy_buffering on; proxy_buffer_size 4k; proxy_buffers 8 4k; proxy_busy_buffers_size 8k; } # Désactiver le caching des fichiers sensibles location ~ \.(js|css|html)$ { proxy_pass http://secure_proxy; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_cache_bypass $http_pragma $http_authorization; expires 1h; } }