From 8884598a56d0e2550776ef4cee5e53558c20e009 Mon Sep 17 00:00:00 2001
From: Benjamin Bellamy <ben@podlibre.org>
Date: Mon, 16 Jan 2023 16:26:56 +0000
Subject: [PATCH] fix(docker): update nginx configuration

---
 docker/production/app/uploads.ini       |  1 +
 docker/production/web-server/nginx.conf | 48 ++++++++++++-------------
 2 files changed, 24 insertions(+), 25 deletions(-)

diff --git a/docker/production/app/uploads.ini b/docker/production/app/uploads.ini
index 23b3c1cdf8..0262ec7c05 100644
--- a/docker/production/app/uploads.ini
+++ b/docker/production/app/uploads.ini
@@ -3,3 +3,4 @@ memory_limit = 512M
 upload_max_filesize = 500M
 post_max_size = 512M
 max_execution_time = 300
+max_input_time = 300
diff --git a/docker/production/web-server/nginx.conf b/docker/production/web-server/nginx.conf
index fc2e47a854..669c4f9b2c 100644
--- a/docker/production/web-server/nginx.conf
+++ b/docker/production/web-server/nginx.conf
@@ -35,44 +35,42 @@ http {
 
         root /var/www/html;
 
-        index index.php index.html index.htm;
+        server_tokens off;
+        add_header X-Frame-Options sameorigin always;
+        add_header Permissions-Policy interest-cohort=();
+        add_header X-Content-Type-Options nosniff;
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;";
+        client_max_body_size 512M;
+        client_body_timeout 300s;
 
-        client_max_body_size 1G;
         fastcgi_buffers 64 4K;
 
         gzip on;
         gzip_vary on;
         gzip_comp_level 4;
         gzip_min_length 256;
-        gzip_types application/atom+xml application/javascript audio/mpeg application/rss+xml image/bmp image/png image/jpeg image/webp image/svg+xml image/x-icon video/mp4 text/css text/plain text/html;
+        gzip_types application/atom+xml application/javascript application/rss+xml image/bmp image/svg+xml image/x-icon text/css text/plain text/html;
 
-	location ~ /.*\.(png|ico|txt|js|js\.map)$ {
-            try_files $uri =404;
-        }
-
-        location ~ /(assets|media)/.*$ {
-            try_files $uri =404;
-        }
+        try_files $uri $uri/ /index.php?$args;
+        index index.php index.html;
 
-        location /.well-known/GDPR.yml {
-            try_files $uri =404;
-        }
-
-        location / {
-            fastcgi_param SCRIPT_FILENAME /opt/castopod/public/index.php;
+        location ~ \.php$ {
             include fastcgi_params;
-	    fastcgi_param SERVER_NAME $host;
+            fastcgi_intercept_errors on;
             fastcgi_index index.php;
-            fastcgi_pass php-handler;
+            fastcgi_param SERVER_NAME $host;
+            fastcgi_pass php-handler;            
+            fastcgi_param SCRIPT_FILENAME /opt/castopod/public/$fastcgi_script_name;
+            try_files $uri =404;
+            fastcgi_read_timeout 3600;
+            fastcgi_send_timeout 3600;            
         }
 
-        location ~ \.php$ {
-            try_files $uri =404;
-            fastcgi_param SCRIPT_FILENAME /opt/castopod/public/$fastcgi_script_name;
-            include fastcgi_params;
-	    fastcgi_param SERVER_NAME $host;
-            fastcgi_index index.php;
-            fastcgi_pass php-handler;
+        location ~* ^.+\.(css|js|jpg|jpeg|gif|png|ico|gz|svg|svgz|ttf|otf|woff|woff2|eot|mp4|ogg|ogv|webm|webp|zip|swf|map)$ {
+            add_header Access-Control-Allow-Origin "*";
+            expires max;
+            access_log off;
         }
+
     }
 }
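Review bot: The new static-asset location (`location ~* ^.+\.(css|js|...)$`) declares its own `add_header Access-Control-Allow-Origin "*"`, and nginx only inherits `add_header` from the enclosing level when the current level has none, so every file matched there is served without the X-Frame-Options, Permissions-Policy, X-Content-Type-Options and Strict-Transport-Security headers added at server level. Restate those headers inside that location (or put them in a snippet that both the server block and the location `include`). Only the X-Frame-Options line carries `always`; without it `add_header` is skipped on non-2xx/3xx responses, including the 404s produced by `try_files $uri =404` and the application's own error pages, so the other three should get `always` too. The trailing `;` inside `"max-age=31536000; includeSubDomains; preload;"` sends an empty directive that browsers tolerate but preload-list validation may reject; `"max-age=31536000; includeSubDomains; preload"` is the canonical form. The enclosing server block starts before this hunk.
```nginx
        add_header X-Frame-Options sameorigin always;
        add_header Permissions-Policy interest-cohort=() always;
        add_header X-Content-Type-Options nosniff always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
        # … unchanged: client_*, fastcgi_buffers, gzip, try_files, index, php location …

        location ~* ^.+\.(css|js|jpg|jpeg|gif|png|ico|gz|svg|svgz|ttf|otf|woff|woff2|eot|mp4|ogg|ogv|webm|webp|zip|swf|map)$ {
            add_header Access-Control-Allow-Origin "*";
            # add_header is not inherited once this level sets one; restate the security headers
            add_header X-Frame-Options sameorigin always;
            add_header Permissions-Policy interest-cohort=() always;
            add_header X-Content-Type-Options nosniff always;
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
            expires max;
            access_log off;
        }
```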
-- 
GitLab