vvpolyakova/web-crm.mcmed.ru
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d9d90c91d6cc737aca2fd1faf70af4d8dafcdfb4
web-crm.mcmed.ru/crm.mcmed.ru
Viktoria Polyakova d9d90c91d6 Remove Google Analytics and Google Tag Manager from Content Security Policy 
Removed Google Analytics and Google Tag Manager domains from the Content Security Policy headers to disable tracking and analytics functionality on the CRM application. This change affects both the main CSP header and the legacy X-Content-Security-Policy header for backward compatibility.
2026-01-27 23:35:32 +03:00

151 lines
7.7 KiB
Ruby
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
upstream crm {
server 127.0.0.1:8000;
}
# Основной HTTPS сервер с улучшенной безопасностью
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name crm.mcmed.ru;
root /opt/crm/frontend/build;
# SSL конфигурация
ssl_certificate /etc/letsencrypt/live/crm.mcmed.ru/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/crm.mcmed.ru/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/crm.mcmed.ru/chain.pem;
# Современные SSL настройки
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_stapling on;
ssl_stapling_verify on;
# Security headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://fonts.googleapis.com https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://fonts.gstatic.com; img-src 'self' data: blob: http://crm.mcmed.ru https://crm.mcmed.ru https://*; font-src 'self' https://fonts.gstatic.com data:; connect-src 'self' http://crm.mcmed.ru https://crm.mcmed.ru http://crm.mcmed.ru https://crm.mcmed.ru https://cdn.jsdelivr.net ws: wss:; frame-src 'self'; object-src 'none'; base-uri 'self'; form-action 'self'; worker-src 'self' blob: https://cdnjs.cloudflare.com;" always;
add_header X-Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://fonts.googleapis.com https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://fonts.gstatic.com; img-src 'self' data: blob: http://crm.mcmed.ru https://crm.mcmed.ru https://*; font-src 'self' https://fonts.gstatic.com data:; connect-src 'self' http://crm.mcmed.ru https://crm.mcmed.ru http://crm.mcmed.ru https://crm.mcmed.ru https://cdn.jsdelivr.net ws: wss:; frame-src 'self'; object-src 'none'; base-uri 'self'; form-action 'self'; worker-src 'self' blob: https://cdnjs.cloudflare.com;" always;
# add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://fonts.googleapis.com https://www.googletagmanager.com https://www.google-analytics.com https://analytics.google.com https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://fonts.gstatic.com; img-src 'self' data: blob: http://crm.mcmed.ru https://crm.mcmed.ru https://www.google-analytics.com https://analytics.google.com https://*; font-src 'self' https://fonts.gstatic.com data:; connect-src 'self' http://crm.mcmed.ru https://crm.mcmed.ru http://crm.mcmed.ru https://crm.mcmed.ru https://www.google-analytics.com https://analytics.google.com https://cdn.jsdelivr.net ws: wss:; frame-src 'self' https://www.googletagmanager.com; object-src 'none'; base-uri 'self'; form-action 'self'; worker-src 'self' blob: https://cdnjs.cloudflare.com;" always;
# add_header X-Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://fonts.googleapis.com https://www.googletagmanager.com https://www.google-analytics.com https://analytics.google.com https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://fonts.gstatic.com; img-src 'self' data: blob: http://crm.mcmed.ru https://crm.mcmed.ru https://www.google-analytics.com https://analytics.google.com https://*; font-src 'self' https://fonts.gstatic.com data:; connect-src 'self' http://crm.mcmed.ru https://crm.mcmed.ru http://crm.mcmed.ru https://crm.mcmed.ru https://www.google-analytics.com https://analytics.google.com https://cdn.jsdelivr.net ws: wss:; frame-src 'self' https://www.googletagmanager.com; object-src 'none'; base-uri 'self'; form-action 'self'; worker-src 'self' blob: https://cdnjs.cloudflare.com;" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=()" always;
# Блокировка доступа к служебным файлам
location ~ /(\.env|\.git|\.svn|\.htaccess|\.htpasswd|config|backup|dump|phpinfo|wp-config) {
deny all;
access_log off;
log_not_found off;
}
# Блокировка доступа к robots.txt
location = /robots.txt {
deny all;
access_log off;
log_not_found off;
}
# Блокировка доступа к sitemap.xml
location = /sitemap.xml {
deny all;
access_log off;
log_not_found off;
}
# Защита от атак на API
location /api/ {
# Ограничение методов
limit_except GET POST PUT PATCH DELETE OPTIONS {
deny all;
}
# Rate limiting completely disabled - no limits on requests
# limit_req zone=api_limit burst=100 nodelay;
# Connection limiting completely disabled - no limits on connections
# limit_conn conn_limit 50;
# Large request body size allowed
#client_max_body_size 50M;
# Generous timeout for slow clients
#client_body_timeout 30s;
# Проксирование на бэкенд
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_buffering off;
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
proxy_pass http://crm;
}
# Основная конфигурация фронтенда
location / {
try_files $uri $uri/ /index.html;
# Кэширование статических файлов
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
expires 1y;
add_header Cache-Control "public, immutable";
access_log off;
}
}
# Блокировка доступа к favicon.ico
location = /favicon.ico {
return 404;
}
# Защита от атак на сервер
server_tokens off;
add_header X-Powered-By "CRM Security Server" always;
# Защита от client-side desync атак
proxy_request_buffering off;
proxy_http_version 1.1;
proxy_set_header Connection "";
# Логирование
access_log /var/log/nginx/crm.access.log;
error_log /var/log/nginx/crm.error.log;
# Ограничение размера тела запроса
client_max_body_size 2000M;
# Connection limiting completely disabled - no limits on connections
# limit_conn conn_limit 50;
}
# Сервер для Let's Encrypt ACME challenges
server {
listen 80;
listen [::]:80;
server_name crm.mcmed.ru;
root /var/www/certbot;
location ^~ /.well-known/acme-challenge/ {
# Используем root без изменений
try_files $uri =404;
# Отключаем логи для этих запросов
access_log off;
log_not_found off;
}
location / {
return 301 https://$host$request_uri;
}
}
Reference in New Issue View Git Blame Copy Permalink