pdf-quiz-generator/frontend/nginx.conf
Daniel 2db5cb74d7 Fix SCORM content blocked by CSP and X-Frame-Options
- Add 'self' to frame-src in CSP to allow same-origin iframes
- Add 'unsafe-eval' to script-src (SCORM packages often use eval)
- Add /uploads/scorm/ location that strips frame-blocking headers
- SCORM content served without X-Frame-Options or CSP restrictions

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-11 02:08:51 +02:00

63 lines
2.3 KiB
Nginx Configuration File

server {
listen 80;
server_name _;
root /usr/share/nginx/html;
index index.html;
# Gzip compression
gzip on;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml text/javascript;
gzip_min_length 1024;
gzip_proxied any;
gzip_comp_level 6;
# Security headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://challenges.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: blob: https://challenges.cloudflare.com; media-src 'self' blob:; connect-src 'self' https://challenges.cloudflare.com; font-src 'self' https://fonts.gstatic.com; frame-src 'self' https://challenges.cloudflare.com;" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
# API proxy to backend
location /api/ {
resolver 127.0.0.11 valid=10s;
set $backend http://backend:8000;
proxy_pass $backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Large file uploads
client_max_body_size 500M;
proxy_request_buffering off;
proxy_read_timeout 600s;
}
# SCORM content — no frame-blocking headers, allow scripts
location /uploads/scorm/ {
resolver 127.0.0.11 valid=10s;
set $backend http://backend:8000;
proxy_pass $backend;
proxy_set_header Host $host;
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
add_header Cache-Control "public, max-age=86400";
}
# Uploaded images proxy to backend
location /uploads/ {
resolver 127.0.0.11 valid=10s;
set $backend http://backend:8000;
proxy_pass $backend;
proxy_set_header Host $host;
expires 7d;
add_header Cache-Control "public, immutable";
}
# SPA fallback
location / {
try_files $uri $uri/ /index.html;
}
}