vantzs/corrosion-admin-panel
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 18 Wiki Activity

chore: Harden Docker and Nginx configuration
All checks were successful
Test Asgard Runner / test (push) Successful in 4s
Details

Browse Source 
- Pin NATS image to nats:2.10-alpine for reproducible builds
- Add nginx healthcheck using wget (curl not present in alpine)
- Upgrade nginx depends_on to use condition: service_started
- Add proxy buffer directives to http block (prevents JWT/large-header truncation)
- Add X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, and
  Referrer-Policy security headers to all SPA location blocks across
  all five server blocks

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Vantz Stockwell
2026-02-21 13:35:25 -05:00
parent 8bb6cc0890
commit 1579a47cad
2 changed files with 34 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
docker/docker-compose.yml
View File

@@ -17,7 +17,7 @@ services:
retries: 5 retries: 5
nats: nats:
image: nats:latest image: nats:2.10-alpine
container_name: corrosion-nats container_name: corrosion-nats
command: command:
- "--config=/etc/nats/nats.conf" - "--config=/etc/nats/nats.conf"
@@ -77,7 +77,14 @@ services:
- ./nginx.conf:/etc/nginx/nginx.conf:ro - ./nginx.conf:/etc/nginx/nginx.conf:ro
- map_data:/data/maps:ro - map_data:/data/maps:ro
depends_on: depends_on:
- api api:
condition: service_started
healthcheck:
test: ["CMD-SHELL", "wget -q --spider http://localhost:80/ || exit 1"]
interval: 10s
timeout: 5s
retries: 3
start_period: 10s
volumes: volumes:
pg_data: pg_data:

25
docker/nginx.conf
View File

@@ -13,6 +13,11 @@ http {
types_hash_max_size 2048; types_hash_max_size 2048;
client_max_body_size 250M; # Map uploads up to 200MB + overhead client_max_body_size 250M; # Map uploads up to 200MB + overhead
# Proxy buffer sizing — prevents JWT/large-header truncation on redirect
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
# Gzip # Gzip
gzip on; gzip on;
gzip_types text/plain text/css application/json application/javascript text/xml; gzip_types text/plain text/css application/json application/javascript text/xml;
@@ -64,6 +69,11 @@ http {
location / { location / {
root /usr/share/nginx/html; root /usr/share/nginx/html;
try_files $uri $uri/ /index.html; try_files $uri $uri/ /index.html;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
} }
} }
@@ -86,6 +96,11 @@ http {
location / { location / {
root /usr/share/nginx/html; root /usr/share/nginx/html;
try_files $uri $uri/ /index.html; try_files $uri $uri/ /index.html;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
} }
} }
@@ -127,6 +142,11 @@ http {
location / { location / {
root /usr/share/nginx/html; root /usr/share/nginx/html;
try_files $uri $uri/ /index.html; try_files $uri $uri/ /index.html;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
} }
} }
@@ -146,6 +166,11 @@ http {
location / { location / {
root /usr/share/nginx/html; root /usr/share/nginx/html;
try_files $uri $uri/ /index.html; try_files $uri $uri/ /index.html;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
} }
} }