nhcarrigan/nginx-configs
9
0
Fork 0
generated from nhcarrigan/template
Code Issues 1 Pull Requests Actions Releases Activity

Compare commits

base: nhcarrigan/nginx-configs:49fd7812dd7e70478b16892bb089ef3f8e0bce50
Branches Tags
nhcarrigan/nginx-configs:main
..
compare: nhcarrigan/nginx-configs:fb6080ae87da694a55cc031a6349cf8bf791f40b
Branches Tags
nhcarrigan/nginx-configs:main

2 Commits
49fd7812dd .. fb6080ae87

Author SHA1 Message Date
hikari fb6080ae87 fix: resolve CORS header suppression on cdn.nhcarrigan.com
Test nginx configuration / Static Analysis (push) Failing after 5s
Details
Test nginx configuration / nginx Syntax Check (push) Failing after 16s
Details
Security Scan and Upload / Security & DefectDojo Upload (push) Successful in 1m38s
Details 
Restructures the location block to avoid the nginx "if is evil" pattern
where add_header directives inside an if block suppress those in the
parent location context. Also adds Access-Control-Max-Age and removes
POST from allowed methods since the CDN serves static assets only.
 2026-04-20 18:32:45 -07:00
naomi f6c4e2dac7 feat: grimoire and memes 2026-04-20 10:07:57 -07:00
3 changed files with 42 additions and 14 deletions
Expand all files Collapse all files
nginx/nginx/cloudflare_ips.conf
+1 -1
View File
@@ -1,5 +1,5 @@
# Auto-generated Cloudflare IP ranges # Auto-generated Cloudflare IP ranges
# Updated: Thu Apr 16 10:50:50 PM PDT 2026 # Updated: Sun Apr 19 10:51:11 PM PDT 2026
real_ip_header CF-Connecting-IP; real_ip_header CF-Connecting-IP;
nginx/nginx/sites-available/cdn.conf
+13 -12
View File
@@ -18,7 +18,18 @@ server {
return 301 $scheme://$host/avatars/$1; return 301 $scheme://$host/avatars/$1;
} }
# Handle CORS preflight requests without the "if is evil" pattern.
location / { location / {
if ($request_method = OPTIONS) {
add_header Access-Control-Allow-Origin "*" always;
add_header Access-Control-Allow-Methods "GET, OPTIONS" always;
add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range" always;
add_header Access-Control-Max-Age 86400 always;
add_header Content-Type "text/plain; charset=utf-8";
add_header Content-Length 0;
return 204;
}
proxy_pass https://nhcarrigan.hel1.your-objectstorage.com; proxy_pass https://nhcarrigan.hel1.your-objectstorage.com;
proxy_set_header Host nhcarrigan.hel1.your-objectstorage.com; proxy_set_header Host nhcarrigan.hel1.your-objectstorage.com;
@@ -32,22 +43,12 @@ server {
proxy_set_header x-amz-date ""; proxy_set_header x-amz-date "";
proxy_set_header x-amz-security-token ""; proxy_set_header x-amz-security-token "";
add_header X-Debug-Cdn "Proxy-Active" always;
proxy_hide_header Access-Control-Allow-Origin; proxy_hide_header Access-Control-Allow-Origin;
add_header X-Debug-Cdn "Proxy-Active" always;
add_header Access-Control-Allow-Origin "*" always; add_header Access-Control-Allow-Origin "*" always;
add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always; add_header Access-Control-Allow-Methods "GET, OPTIONS" always;
add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range" always; add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range" always;
if ($request_method = 'OPTIONS') {
add_header Access-Control-Allow-Origin "*" always;
add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range" always;
add_header Content-Type "text/plain; charset=utf-8";
add_header Content-Length 0;
return 204;
}
} }
include /etc/nginx/snippets/deny-dotfiles.conf; include /etc/nginx/snippets/deny-dotfiles.conf;
} }
nginx/nginx/sites-available/content.conf
+28 -1
View File
@@ -1,5 +1,4 @@
# Static content and publishing sites: blog, books, donate, music, secrets, style, testimonials. # Static content and publishing sites: blog, books, donate, music, secrets, style, testimonials.
server { server {
listen 443 ssl; listen 443 ssl;
server_name blog.nhcarrigan.com; server_name blog.nhcarrigan.com;
@@ -46,6 +45,34 @@ server {
include /etc/nginx/snippets/deny-dotfiles.conf; include /etc/nginx/snippets/deny-dotfiles.conf;
} }
server {
listen 443 ssl;
server_name grimoire.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/grimoire.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/grimoire.nhcarrigan.com/privkey.pem;
root /home/naomi/grimoire;
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server {
listen 443 ssl;
server_name memes.nhcarrigan.com;
ssl_certificate /etc/letsencrypt/live/memes.nhcarrigan.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/memes.nhcarrigan.com/privkey.pem;
root /home/naomi/memes;
location / {
index index.html;
}
include /etc/nginx/snippets/deny-dotfiles.conf;
}
server { server {
listen 443 ssl; listen 443 ssl;
server_name music.nhcarrigan.com; server_name music.nhcarrigan.com;