forked from chainguard-dev/edu
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathnginx.conf
More file actions
160 lines (138 loc) · 12.7 KB
/
nginx.conf
File metadata and controls
160 lines (138 loc) · 12.7 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
worker_processes 2;
events {
worker_connections 1024;
}
pid /tmp/nginx.pid;
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
gzip on;
gzip_disable "msie6"; # Disable comnpression on really old Internet Explorer
gzip_comp_level 6; # Moderate compression level
gzip_min_length 256; # Don't zip really small files
gzip_buffers 16 8k;
gzip_proxied any;
gzip_types
text/plain
text/css
text/js
text/xml
text/javascript
application/javascript
application/json
application/xml
application/rss+xml
image/svg+xml;
# add URLs after the `default` line that are moved and aren't redirecting via Hugo aliases
map $request_uri $redirect_url {
default "";
# Add Hugo aliases as 301 redirects
include aliases;
# individual URL redirects here
"~^/chainguard/chainguard-enforce/chainctl-docs/how-to-install-chainctl(.+)?$" /chainguard/chainguard-enforce/how-to-install-chainctl$1;
"~^/chainguard/chainguard-enforce/chainctl-docs(.+)?$" /chainguard/chainctl$1;
"~^/chainguard/chainguard-enforce/chainguard-enforce-kubernetes/chainguard-enforce-events(.+)?$" /chainguard/administration/cloudevents/events-reference$1;
"~^/chainguard/chainguard-enforce/chainguard-enforce-events(.+)?$" /chainguard/administration/cloudevents/events-reference$1;
"~^/open-source/apko/apk-package-manager(.+)?$" /open-source/wolfi/apk-package-manager$1;
"~^/chainguard/chainctl/chainctl-docs/(index.html|index.xml)?$" /chainguard/chainctl/;
"~^/chainguard/chainguard-enforce/chainguard-enforce-kubernetes/chainguard-enforce-policy-examples(.+)?$" /open-source/sigstore/policy-controller/policies$1;
"~^/open-source/melange/getting-started-with-melange(.+)?$" /open-source/build-tools/melange/getting-started-with-melange/;
"~^/open-source/melange/tutorials/getting-started-with-melange/(.+)?$" /open-source/build-tools/melange/getting-started-with-melange/;
"~^/chainguard/chainguard-enforce/sboms/sboms-and-attestations/(.+)?$" /open-source/sbom/sboms-and-attestations/;
"~^/chainguard/chainguard-images/images-compared/(.+)?$" /chainguard/chainguard-images/vuln-comparison/;
"~^/software-security/secure-software-development/considerations-for-image-updates/(.+)?$" /chainguard/chainguard-images/recommended-practices/considerations-for-image-updates/;
"~^/chainguard/chainguard-images/considerations-for-image-updates/(.+)?$" /chainguard/chainguard-images/recommended-practices/considerations-for-image-updates/;
"~^/chainguard/chainguard-enforce/authentication/custom-idps/(.+)?$" /chainguard/administration/custom-idps/custom-idps/;
"~^/chainguard/chainguard-enforce/reference/events/(.+)?$" /chainguard/administration/cloudevents/events-reference/;
"~^/chainguard/administration/cloudevents/create-github-issues/(.+)?$" /chainguard/administration/cloudevents/;
"~^/chainguard/administration/cloudevents/create-jira-issues/(.+)?$" /chainguard/administration/cloudevents/;
"~^/chainguard/administration/cloudevents/create-slack-alerts/(.+)?$" /chainguard/administration/cloudevents/;
"~^/chainguard/chainguard-images/getting-started/istio(.+)?$" https://images.chainguard.dev/directory/image/istio-pilot/overview/;
"~^/chainguard/network-requirements/(.+)?$" /chainguard/administration/network-requirements/;
# complete content directory redirects here
"~^/chainguard/chainguard-enforce/events/(.+)$" /chainguard/administration/cloudevents/$1;
"~^/chainguard/chainguard-enforce/cloudevents/(.+)$" /chainguard/administration/cloudevents/$1;
"~^/chainguard/chainguard-images/registry/(.+)?$" /chainguard/chainguard-registry/;
"~^/chainguard/chainguard-enforce/iam-groups/(.+)?$" /chainguard/administration/iam-groups/$1;
"~^/chainguard/chainguard-enforce/cloudevents/(.+)?$" /chainguard/administration/cloudevents/$1;
"~^/chainguard/chainguard-enforce/iam-groups/identity-examples/(.+)?$" /chainguard/chainguard-enforce/authentication/$1;
"~^/chainguard/chainguard-enforce/authentication/identity-examples/(.+)?$" /chainguard/administration/iam-groups/identity-examples/;
"~^/chainguard/chainguard-images/vulnerability-comparisons/(.+)?$" /chainguard/chainguard-images/comparing-images/vulnerability-comparisons;
"~^/chainguard/administration/iam-groups/(.+)?$" /chainguard/administration/iam-organizations/$1;
# enforce docs turndown
"~^/chainguard/chainguard-enforce/(.+)?$" /;
# getting-started docs redirects
"~^/chainguard/chainguard-images/reference/go/getting-started-go/(.+)?$" /chainguard/chainguard-images/getting-started/getting-started-go/;
"~^/chainguard/chainguard-images/reference/mariadb/getting-started-mariadb/(.+)?$" /chainguard/chainguard-images/getting-started/getting-started-mariadb/;
"~^/chainguard/chainguard-images/reference/node/getting-started-node/(.+)?$" /chainguard/chainguard-images/getting-started/getting-started-node/;
"~^/chainguard/chainguard-images/reference/php/getting-started-php/(.+)?$" /chainguard/chainguard-images/getting-started/getting-started-php/;
"~^/chainguard/chainguard-images/reference/postgres/getting-started-postgres/(.+)?$" /chainguard/chainguard-images/getting-started/getting-started-postgres/;
"~^/chainguard/chainguard-images/reference/python/getting-started-python/(.+)?$" /chainguard/chainguard-images/getting-started/getting-started-python/;
"~^/chainguard/chainguard-images/reference/ruby/getting-started-ruby/(.+)?$" /chainguard/chainguard-images/getting-started/getting-started-ruby/;
# reference docs redirects - images
"~^/chainguard/chainguard-images/reference/(.+)/image_specs/?$" https://images.chainguard.dev/directory/image/$1/specifications;
"~^/chainguard/chainguard-images/reference/(.+)/tags_history/?$" https://images.chainguard.dev/directory/image/$1/versions;
"~^/chainguard/chainguard-images/reference/(.+)/provenance_info/?$" https://images.chainguard.dev/directory/image/$1/provenance;
"~^/chainguard/chainguard-images/reference/(.+)/overview/?$" https://images.chainguard.dev/directory/image/$1/overview;
"~^/chainguard/chainguard-images/reference/(.+)/$" https://images.chainguard.dev/directory/image/$1/overview;
"~^/chainguard/chainguard-images/reference/(.+)$" https://images.chainguard.dev/directory/image/$1/overview;
"~^/chainguard/chainguard-images/reference/?$" https://images.chainguard.dev/directory;
# apko reference redirect
"~^/open-source/build-tools/apko/reference/?$" https://github.com/chainguard-dev/apko/blob/main/docs/apko_file.md;
# melange reference redirect
"~^/open-source/build-tools/melange/reference/?$" https://github.com/chainguard-dev/melange/blob/main/docs/md/melange.md;
"~^/open-source/build-tools/melange/melange-pipelines/?$" https://github.com/chainguard-dev/melange/blob/main/docs/PIPELINES.md;
}
server {
listen 8080;
server_name localhost;
root /usr/share/nginx/html/;
# process $request_uri -> $redirect_url if url is absolute
if ($redirect_url ~ ^https://) {
rewrite ^(.*)$ $redirect_url permanent;
}
# process $request_uri -> $redirect_url, preserving https, and ensure URLs don't have any ports in them
if ($redirect_url != "") {
rewrite ^(.*)$ https://$http_host$redirect_url permanent;
}
# Redirect URLs without trailing slash to URLs with trailing slash
# This ensures images in Hugo content directories display correctly
location ~ ^([^.]*[^/])$ {
if (-d $request_filename) {
return 301 $scheme://$host$uri/;
}
}
location / {
index index.html index.htm;
try_files $uri $uri/index.html =404;
}
# serve the vuln-comparison page for /vulnerabilities page without a vuln id
# captures /vulnerabilities /vulnerabilities/ and /vulnerabilities/index.html
location ~ ^/vulnerabilities(\/|\/index.html)?$ {
rewrite ^ /chainguard/chainguard-images/vuln-comparison/index.html;
}
# all vulnerabilities with an ID get rendered by this page using javascript
location ~ ^/vulnerabilities/ {
rewrite ^ /vulnerabilities/index.html break;
}
location ~* /(index.html)?$ {
add_header Cache-Control "public, max-age=300, stale-while-revalidate=300";
}
# Security headers including CSP for Google Tag Manager
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "0" always;
add_header Content-Security-Policy "default-src 'self'; frame-src 'self' edu.chainguard.dev https://www.googletagmanager.com https://player.vimeo.com https://www.youtube.com https://www.youtube-nocookie.com https://platform.twitter.com https://syndication.twitter.com https://visualization-ui.chainguard.app https://terminal.inky.wtf https://www.googletagmanager.com https://app.qualified.com www.google.com https://hcaptcha.com https://*.hcaptcha.com; style-src 'self' 'unsafe-inline' edu.chainguard.dev https://tagmanager.google.com https://www.googletagmanager.com https://googletagmanager.com cdn.jsdelivr.net https://fonts.googleapis.com https://unpkg.com https://use.fontawesome.com https://hcaptcha.com https://*.hcaptcha.com; form-action 'self'; font-src 'self' edu.chainguard.dev https://fonts.googleapis.com https://fonts.gstatic.com https://cdn.jsdelivr.net https://use.fontawesome.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' edu.chainguard.dev https://www.googletagmanager.com https://tagmanager.google.com https://googletagmanager.com *.googleapis.com cdn.jsdelivr.net *.googletagmanager.com https://www.google-analytics.com https://analytics.google.com https://snap.licdn.com https://unpkg.com https://csp.withgoogle.com https://play.google.com https://www.google.com https://www.redditstatic.com http://js.hs-scripts.com https://tag.clearbitscripts.com https://j.6sc.co https://tracking.g2crowd.com https://tag.unifyintent.com https://static.reo.dev https://googleads.g.doubleclick.net https://js.qualified.com https://js.hscollectedforms.net https://js.hubspot.com https://js.hsadspixel.net https://js.hs-banner.com https://js.hs-analytics.net https://x.clearbitjs.com https://js.zi-scripts.com https://cdn.amplitude.com widget.kapa.ai www.google.com https://hcaptcha.com https://*.hcaptcha.com https://*.algolia.net https://*.algolianet.com; connect-src 'self' https://www.googletagmanager.com https://tagmanager.google.com https://googletagmanager.com *.google-analytics.com *.googletagmanager.com https://analytics.google.com https://region1.google-analytics.com https://www.google-analytics.com https://px.ads.linkedin.com https://px4.ads.linkedin.com https://storage.googleapis.com https://packages.wolfi.dev https://script.google.com https://script.googleusercontent.com https://csp.withgoogle.com https://play.google.com *.googleapis.com https://www.google.com https://stats.g.doubleclick.net https://api.unifyintent.com https://api.reo.dev https://pixel-config.reddit.com https://www.redditstatic.com https://conversions-config.reddit.com https://ipv6.6sc.co https://static.hsappstatic.net https://app.qualified.com wss://ws6.qualified.com https://api.hubapi.com https://app.clearbit.com https://forms.hscollectedforms.net https://cta-service-cms2.hubspot.com https://js.zi-scripts.com https://ws.zoominfo.com https://x.clearbitjs.com https://js.hs-banner.com https://api2.amplitude.com https://api.amplitude.com proxy.kapa.ai kapa-widget-proxy-la7dkmplpq-uc.a.run.app metrics.kapa.ai https://hcaptcha.com https://*.hcaptcha.com https://*.algolia.net https://*.algolianet.com https://*.algolia.io; img-src 'self' 'unsafe-inline' https://ssl.gstatic.com edu.chainguard.dev https://storage.googleapis.com https://www.googletagmanager.com https://googletagmanager.com https://www.google-analytics.com https://analytics.google.com https://px.ads.linkedin.com https://px4.ads.linkedin.com https://www.google.com data: https://alb.reddit.com http://b.6sc.co https://forms.hsforms.com https://perf-na1.hsforms.com https://track.hubspot.com https://raw.githubusercontent.com; worker-src 'self' blob:; base-uri 'self';" always;
# use hugo's built in 404 page for now
error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
}
error_log stderr notice;