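# =============================================================================
# vHost – HTTP only. Security headers and TLS are the outer proxy's job.
# =============================================================================

# Trust the client address forwarded by the outer proxy – but ONLY when the
# connection really comes from that proxy.  set_real_ip_from decides which
# TCP peers may rewrite $remote_addr via X-Forwarded-For; anything wider than
# the proxy itself lets every direct client choose its own source address,
# which defeats limit_conn/limit_req keyed on the client IP and poisons the
# access log and whatever Django derives from REMOTE_ADDR.
#
# 172.16.0.0/12 is a constructed placeholder covering Docker's default private
# ranges – replace it with the outer proxy's real address or network CIDR.
# If the proxy is NOT inside this range, nginx keeps the TCP peer address
# (the proxy itself) as $remote_addr, so all users would share a single
# limit_conn/limit_req bucket – check this after deployment.
set_real_ip_from 172.16.0.0/12;
real_ip_header   X-Forwarded-For;
# Walk X-Forwarded-For from the right and take the first address that is not
# a trusted proxy – needed when more than one trusted hop sits in front.
real_ip_recursive on;

server {
    listen      80 default_server;
    listen      [::]:80 default_server;
    server_name _;

    # Health check (for the outer proxy & the Compose healthcheck).
    # default_type instead of add_header: a `return` response already carries
    # a Content-Type, so add_header would emit a second Content-Type header.
    location = /healthz {
        access_log   off;
        default_type text/plain;
        return 200 "ok\n";
    }

    # Per-client connection cap.  The zone is declared outside this file
    # (presumably keyed on $binary_remote_addr – verify in nginx.conf).
    limit_conn conn_per_ip 20;

    # Login endpoints: tighter request rate than the rest of the app.
    # Regex locations win over prefix locations, so this is matched first.
    location ~ ^/(accounts/login|admin/login) {
        limit_req zone=login burst=3 nodelay;
        proxy_pass http://django_app;
        include /etc/nginx/conf.d/proxy_params.inc;
    }

    # Static files.  Location and alias both end in "/" – keep it that way;
    # a location without the trailing slash combined with an alias that has
    # one lets requests map to paths outside the alias directory.
    location /static/ {
        alias      /var/www/static/;
        access_log off;
        expires    7d;
        add_header Cache-Control "public, immutable";
    }

    # Protected media (PDFs) – served only via X-Accel-Redirect from Django.
    # `internal` makes nginx answer direct client requests with 404.
    location /protected-media/ {
        internal;
        alias /var/www/media/;
    }

    # Application.  The `app` limit_req zone is declared outside this file.
    location / {
        limit_req zone=app burst=50 nodelay;
        proxy_pass http://django_app;
        include /etc/nginx/conf.d/proxy_params.inc;
        proxy_read_timeout 120s;
        proxy_send_timeout 120s;
    }
}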