
Commit 619f4f7

Harden Nginx configuration for production VPS deployment
1 parent 2aabab1 commit 619f4f7

1 file changed

Lines changed: 27 additions & 2 deletions


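--- a/pythoncms/cli.py
+++ b/pythoncms/cli.py
@@ -161,16 +161,41 @@ def deploy():
 CMD ["gunicorn", "--bind", "0.0.0.0:8000", "--workers", "4", "pythoncms.app:create_app('production')"]
 """
 
-nginx_content = """server {
+nginx_content = """# Hardened Nginx Config for PythonCMS
+server {
 listen 80;
-server_name localhost;
+server_name localhost; # Replace with your domain
+
+# Security Headers
+add_header X-Frame-Options "SAMEORIGIN";
+add_header X-XSS-Protection "1; mode=block";
+add_header X-Content-Type-Options "nosniff";
+add_header Referrer-Policy "no-referrer-when-downgrade";
+add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline';";
+
+# Gzip Compression
+gzip on;
+gzip_vary on;
+gzip_min_length 10240;
+gzip_proxied expired no-cache no-store private auth;
+gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml;
+gzip_disable "MSIE [1-6]\\.";
+
+# Max upload size
+client_max_body_size 20M;
 
 location / {
 proxy_pass http://web:8000;
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
+
+# Proxy timeouts
+proxy_connect_timeout 600;
+proxy_send_timeout 600;
+proxy_read_timeout 600;
+send_timeout 600;
 }
 
 location /static/ {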
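Review bot: The Content-Security-Policy added at new line 174 restricts almost nothing: `default-src 'self' http: https: data: blob: 'unsafe-inline'` still permits scripts from any http(s) origin as well as inline scripts, so it gives little protection against injected script despite the "Hardened" label. A policy that actually constrains content would start from something like `add_header Content-Security-Policy "default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'" always;` and be widened only for the origins the CMS templates really load, which are not visible here. All five `add_header` lines also lack `always`, so nginx omits them on 4xx/5xx responses, and they are not inherited by any location that declares its own `add_header`; the `location /static/` block continues past the end of this hunk, so it should be checked. The four 600-second timeouts (new lines 195-198) are ten times the nginx default of 60s and let slow or stalled connections stay open far longer, which loosens rather than hardens the config; I would keep the defaults unless a specific endpoint needs more. `deploy()` itself begins before the hunk, so the rest of the generated files is not reviewed here.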
