events { worker_connections 1024; } http { include /etc/nginx/mime.types; default_type application/octet-stream; sendfile on; server_tokens off; upstream backend_a { server backend-a:80; } upstream backend_b { server backend-b:80; } server { listen 80; server_name _; location = /healthz { default_type text/plain; return 200 "ok\n"; } location / { return 301 https://$host:8443$request_uri; } } server { listen 443 ssl; server_name localhost; ssl_certificate /etc/nginx/certs/localhost.crt; ssl_certificate_key /etc/nginx/certs/localhost.key; ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers on; # max-age im Lab bewusst kurz (1h). In Produktion eher 1 Jahr (31536000). # includeSubDomains weitet HSTS auf alle Subdomains aus (Produktions-Best-Practice). # Achtung: HSTS bleibt im Browser host-weit haengen -> siehe Warnhinweis in Challenge 12. add_header Strict-Transport-Security "max-age=3600; includeSubDomains" always; add_header X-Content-Type-Options "nosniff" always; add_header X-Frame-Options "DENY" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always; add_header Cross-Origin-Opener-Policy "same-origin" always; add_header Cross-Origin-Resource-Policy "same-origin" always; add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; base-uri 'none'; frame-ancestors 'none'" always; location / { root /usr/share/nginx/html; try_files $uri $uri/ /index.html; } location /service/a { proxy_pass http://backend_a/; proxy_set_header Host $host; proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } location /service/b { proxy_pass http://backend_b/; proxy_set_header Host $host; proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } } }