-
Notifications
You must be signed in to change notification settings - Fork 121
Expand file tree
/
Copy pathnginx.conf
More file actions
181 lines (156 loc) · 13.7 KB
/
Copy pathnginx.conf
File metadata and controls
181 lines (156 loc) · 13.7 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
worker_processes 2;
events {
worker_connections 1024;
}
pid /tmp/nginx.pid;
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
# Allow request headers up to 32k (matches the Cloud Run/GFE ceiling).
# Marketing trackers set large cookies on .chainguard.dev that are sent to
# every subdomain; nginx's default 8k buffer rejects those requests with
# "400 Request Header Or Cookie Too Large".
large_client_header_buffers 4 32k;
gzip on;
gzip_disable "msie6"; # Disable comnpression on really old Internet Explorer
gzip_comp_level 6; # Moderate compression level
gzip_min_length 256; # Don't zip really small files
gzip_buffers 16 8k;
gzip_proxied any;
gzip_types
text/plain
text/css
text/js
text/xml
text/javascript
application/javascript
application/json
application/xml
application/rss+xml
image/svg+xml;
# add URLs after the `default` line that are moved and aren't redirecting via Hugo aliases
map $request_uri $redirect_url {
default "";
# Add Hugo aliases as 301 redirects
include aliases;
# individual URL redirects here
"~^/chainguard/chainguard-enforce/chainctl-docs/how-to-install-chainctl(.+)?$" /chainguard/chainguard-enforce/how-to-install-chainctl$1;
"~^/chainguard/chainguard-enforce/chainctl-docs(.+)?$" /chainguard/chainctl$1;
"~^/chainguard/chainguard-enforce/chainguard-enforce-kubernetes/chainguard-enforce-events(.+)?$" /chainguard/administration/cloudevents/events-reference$1;
"~^/chainguard/chainguard-enforce/chainguard-enforce-events(.+)?$" /chainguard/administration/cloudevents/events-reference$1;
"~^/open-source/apko/apk-package-manager(.+)?$" /open-source/wolfi/apk-package-manager$1;
# chainctl reference docs moved from /chainguard/chainctl/ to /platform/chainctl/.
# The "(/.*)?" bound matches the chainctl subtree only, so this does NOT also
# swallow /chainguard/chainctl-usage/... (which has its own aliases above).
"~^/chainguard/chainctl(/.*)?$" /platform/chainctl$1;
# The chainctl-docs/ subdir has no index page, so send its bare listing URL
# (at the new path) to the chainctl landing page.
"~^/platform/chainctl/chainctl-docs/?(index\.html|index\.xml)?$" /platform/chainctl/;
"~^/chainguard/chainguard-enforce/chainguard-enforce-kubernetes/chainguard-enforce-policy-examples(.+)?$" /open-source/sigstore/policy-controller/policies$1;
"~^/open-source/melange/getting-started-with-melange(.+)?$" /open-source/build-tools/melange/getting-started-with-melange/;
"~^/open-source/melange/tutorials/getting-started-with-melange/(.+)?$" /open-source/build-tools/melange/getting-started-with-melange/;
"~^/chainguard/chainguard-enforce/sboms/sboms-and-attestations/(.+)?$" /open-source/sbom/sboms-and-attestations/;
"~^/chainguard/chainguard-images/images-compared/(.+)?$" /chainguard/chainguard-images/vuln-comparison/;
"~^/software-security/secure-software-development/considerations-for-image-updates/(.+)?$" /chainguard/chainguard-images/recommended-practices/considerations-for-image-updates/;
"~^/chainguard/chainguard-images/considerations-for-image-updates/(.+)?$" /chainguard/chainguard-images/recommended-practices/considerations-for-image-updates/;
"~^/chainguard/chainguard-enforce/authentication/custom-idps/(.+)?$" /chainguard/administration/custom-idps/custom-idps/;
"~^/chainguard/chainguard-enforce/reference/events/(.+)?$" /chainguard/administration/cloudevents/events-reference/;
"~^/chainguard/administration/cloudevents/create-github-issues/(.+)?$" /chainguard/administration/cloudevents/;
"~^/chainguard/administration/cloudevents/create-jira-issues/(.+)?$" /chainguard/administration/cloudevents/;
"~^/chainguard/administration/cloudevents/create-slack-alerts/(.+)?$" /chainguard/administration/cloudevents/;
"~^/chainguard/chainguard-images/getting-started/istio(.+)?$" https://images.chainguard.dev/directory/image/istio-pilot/overview/;
"~^/chainguard/network-requirements/(.+)?$" /chainguard/administration/network-requirements/;
# complete content directory redirects here
"~^/chainguard/chainguard-enforce/events/(.+)$" /chainguard/administration/cloudevents/$1;
"~^/chainguard/chainguard-enforce/cloudevents/(.+)$" /chainguard/administration/cloudevents/$1;
"~^/chainguard/chainguard-images/registry/(.+)?$" /chainguard/chainguard-registry/;
"~^/chainguard/chainguard-enforce/iam-groups/(.+)?$" /chainguard/administration/iam-groups/$1;
"~^/chainguard/chainguard-enforce/cloudevents/(.+)?$" /chainguard/administration/cloudevents/$1;
"~^/chainguard/chainguard-enforce/iam-groups/identity-examples/(.+)?$" /chainguard/chainguard-enforce/authentication/$1;
"~^/chainguard/chainguard-enforce/authentication/identity-examples/(.+)?$" /chainguard/administration/iam-groups/identity-examples/;
"~^/chainguard/chainguard-images/vulnerability-comparisons/(.+)?$" /chainguard/chainguard-images/comparing-images/vulnerability-comparisons;
"~^/chainguard/administration/iam-groups/(.+)?$" /chainguard/administration/iam-organizations/$1;
# enforce docs turndown
"~^/chainguard/chainguard-enforce/(.+)?$" /;
# getting-started docs redirects
"~^/chainguard/chainguard-images/reference/go/getting-started-go/(.+)?$" /chainguard/chainguard-images/getting-started/getting-started-go/;
"~^/chainguard/chainguard-images/reference/mariadb/getting-started-mariadb/(.+)?$" /chainguard/chainguard-images/getting-started/getting-started-mariadb/;
"~^/chainguard/chainguard-images/reference/node/getting-started-node/(.+)?$" /chainguard/chainguard-images/getting-started/getting-started-node/;
"~^/chainguard/chainguard-images/reference/php/getting-started-php/(.+)?$" /chainguard/chainguard-images/getting-started/getting-started-php/;
"~^/chainguard/chainguard-images/reference/postgres/getting-started-postgres/(.+)?$" /chainguard/chainguard-images/getting-started/getting-started-postgres/;
"~^/chainguard/chainguard-images/reference/python/getting-started-python/(.+)?$" /chainguard/chainguard-images/getting-started/getting-started-python/;
"~^/chainguard/chainguard-images/reference/ruby/getting-started-ruby/(.+)?$" /chainguard/chainguard-images/getting-started/getting-started-ruby/;
# reference docs redirects - images
"~^/chainguard/chainguard-images/reference/(.+)/image_specs/?$" https://images.chainguard.dev/directory/image/$1/specifications;
"~^/chainguard/chainguard-images/reference/(.+)/tags_history/?$" https://images.chainguard.dev/directory/image/$1/versions;
"~^/chainguard/chainguard-images/reference/(.+)/provenance_info/?$" https://images.chainguard.dev/directory/image/$1/provenance;
"~^/chainguard/chainguard-images/reference/(.+)/overview/?$" https://images.chainguard.dev/directory/image/$1/overview;
"~^/chainguard/chainguard-images/reference/(.+)/$" https://images.chainguard.dev/directory/image/$1/overview;
"~^/chainguard/chainguard-images/reference/(.+)$" https://images.chainguard.dev/directory/image/$1/overview;
"~^/chainguard/chainguard-images/reference/?$" https://images.chainguard.dev/directory;
# OpenAPI spec redirect
"/chainguard/api/openapi.json" /api.json;
# apko reference redirect
"~^/open-source/build-tools/apko/reference/?$" https://github.com/chainguard-dev/apko/blob/main/docs/apko_file.md;
# melange reference redirect
"~^/open-source/build-tools/melange/reference/?$" https://github.com/chainguard-dev/melange/blob/main/docs/md/melange.md;
"~^/open-source/build-tools/melange/melange-pipelines/?$" https://github.com/chainguard-dev/melange/blob/main/docs/PIPELINES.md;
}
server {
listen 8080;
server_name localhost;
root /usr/share/nginx/html/;
# process $request_uri -> $redirect_url if url is absolute
if ($redirect_url ~ ^https://) {
rewrite ^(.*)$ $redirect_url permanent;
}
# process $request_uri -> $redirect_url, preserving https, and ensure URLs don't have any ports in them
if ($redirect_url != "") {
rewrite ^(.*)$ https://$http_host$redirect_url permanent;
}
# Redirect URLs without trailing slash to URLs with trailing slash
# This ensures images in Hugo content directories display correctly
location ~ ^([^.]*[^/])$ {
if (-d $request_filename) {
return 301 $scheme://$host$uri/;
}
}
# Serve .md versions of pages for LLM access
location ~ ^(.+)\.md$ {
default_type "text/markdown";
try_files $uri $1/index.md =404;
}
location / {
index index.html index.htm;
try_files $uri $uri/index.html =404;
}
# serve the vuln-comparison page for /vulnerabilities page without a vuln id
# captures /vulnerabilities /vulnerabilities/ and /vulnerabilities/index.html
location ~ ^/vulnerabilities(\/|\/index.html)?$ {
rewrite ^ /chainguard/chainguard-images/vuln-comparison/index.html;
}
# all vulnerabilities with an ID get rendered by this page using javascript
location ~ ^/vulnerabilities/ {
rewrite ^ /vulnerabilities/index.html break;
}
location ~* /(index.html)?$ {
add_header Cache-Control "public, max-age=300, stale-while-revalidate=300";
}
# Security headers including CSP for Google Tag Manager
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "0" always;
add_header Content-Security-Policy "default-src 'self'; frame-src 'self' edu.chainguard.dev https://www.googletagmanager.com https://player.vimeo.com https://www.youtube.com https://www.youtube-nocookie.com https://platform.twitter.com https://syndication.twitter.com https://visualization-ui.chainguard.app https://www.googletagmanager.com https://app.qualified.com www.google.com https://hcaptcha.com https://*.hcaptcha.com; style-src 'self' 'unsafe-inline' edu.chainguard.dev https://tagmanager.google.com https://www.googletagmanager.com https://googletagmanager.com cdn.jsdelivr.net https://fonts.googleapis.com https://unpkg.com https://use.fontawesome.com https://hcaptcha.com https://*.hcaptcha.com; form-action 'self'; font-src 'self' edu.chainguard.dev https://fonts.googleapis.com https://fonts.gstatic.com https://cdn.jsdelivr.net https://use.fontawesome.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' edu.chainguard.dev https://www.googletagmanager.com https://tagmanager.google.com https://googletagmanager.com *.googleapis.com cdn.jsdelivr.net *.googletagmanager.com https://www.google-analytics.com https://analytics.google.com https://snap.licdn.com https://unpkg.com https://csp.withgoogle.com https://play.google.com https://www.google.com https://www.redditstatic.com http://js.hs-scripts.com https://tag.clearbitscripts.com https://j.6sc.co https://tracking.g2crowd.com https://tag.unifyintent.com https://static.reo.dev https://googleads.g.doubleclick.net https://js.qualified.com https://js.hscollectedforms.net https://js.hubspot.com https://js.hsadspixel.net https://js.hs-banner.com https://js.hs-analytics.net https://x.clearbitjs.com https://js.zi-scripts.com https://cdn.amplitude.com widget.kapa.ai www.google.com https://hcaptcha.com https://*.hcaptcha.com https://*.algolia.net https://*.algolianet.com; connect-src 'self' https://www.googletagmanager.com https://tagmanager.google.com https://googletagmanager.com *.google-analytics.com *.googletagmanager.com https://analytics.google.com https://region1.google-analytics.com https://www.google-analytics.com https://px.ads.linkedin.com https://px4.ads.linkedin.com https://storage.googleapis.com https://packages.wolfi.dev https://script.google.com https://script.googleusercontent.com https://csp.withgoogle.com https://play.google.com *.googleapis.com https://www.google.com https://stats.g.doubleclick.net https://api.unifyintent.com https://api.reo.dev https://pixel-config.reddit.com https://www.redditstatic.com https://conversions-config.reddit.com https://ipv6.6sc.co https://static.hsappstatic.net https://app.qualified.com wss://ws6.qualified.com https://api.hubapi.com https://app.clearbit.com https://forms.hscollectedforms.net https://cta-service-cms2.hubspot.com https://js.zi-scripts.com https://ws.zoominfo.com https://x.clearbitjs.com https://js.hs-banner.com https://api2.amplitude.com https://api.amplitude.com proxy.kapa.ai kapa-widget-proxy-la7dkmplpq-uc.a.run.app metrics.kapa.ai https://hcaptcha.com https://*.hcaptcha.com https://*.algolia.net https://*.algolianet.com https://*.algolia.io; img-src 'self' 'unsafe-inline' https://ssl.gstatic.com edu.chainguard.dev https://storage.googleapis.com https://www.googletagmanager.com https://googletagmanager.com https://www.google-analytics.com https://analytics.google.com https://px.ads.linkedin.com https://px4.ads.linkedin.com https://www.google.com data: https://alb.reddit.com http://b.6sc.co https://forms.hsforms.com https://perf-na1.hsforms.com https://track.hubspot.com https://raw.githubusercontent.com; worker-src 'self' blob:; base-uri 'self';" always;
# use hugo's built in 404 page for now
error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
}
error_log stderr notice;