🔧 Story 1.4: nginx config

2026-02-04 16:28:31 +01:00
parent 0c31fc0103
commit 866304431f
2 changed files with 61 additions and 0 deletions
--- a/docs/stories/1.4.page-canary-deploiement.md
+++ b/docs/stories/1.4.page-canary-deploiement.md
@@ -291,6 +291,7 @@ sudo systemctl reload nginx      # Recharger nginx

 | Date | Version | Description | Author |
 |------|---------|-------------|--------|
+| 2026-02-04 | 0.1 | Ajout nginx.conf.example | Amelia |
 | 2026-02-04 | 0.1 | Implementation task 2 (pré-déploiement) | Amelia |
 | 2026-02-04 | 0.1 | Implementation task 1 (canary page) | Amelia |
 | 2026-01-22 | 0.1 | Création initiale de la story | Sarah (PO) |
@@ -306,6 +307,7 @@ GPT-5 Codex
 - composer install --no-dev: blocked by network, executed by user
 - tests/canary.test.ps1: canary page checks
 - tests/structure.test.ps1: allow non-Hello World content
+- nginx.conf.example created for codex.skycel.me + php8.1-fpm

 ### Completion Notes List

@@ -332,6 +334,7 @@ GPT-5 Codex
 | `tests/structure.test.ps1` | Modifié |
 | `composer.json` | Modifié |
 | `composer.lock` | Créé |
+| `nginx.conf.example` | Créé |

 ## QA Results

--- a/nginx.conf.example
+++ b/nginx.conf.example
@@ -0,0 +1,58 @@
+server {
+    listen 80;
+    server_name codex.skycel.me www.codex.skycel.me;
+    return 301 https://$server_name$request_uri;
+}
+
+server {
+    listen 443 ssl http2;
+    server_name codex.skycel.me www.codex.skycel.me;
+
+    # SSL
+    ssl_certificate /etc/letsencrypt/live/codex.skycel.me/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/codex.skycel.me/privkey.pem;
+    ssl_protocols TLSv1.2 TLSv1.3;
+
+    root /var/www/codex.skycel.me;
+    index index.php;
+    charset utf-8;
+
+    # Security headers
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-Frame-Options "DENY" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+
+    # Block sensitive files
+    location ~ /\.(env|git|htaccess) { deny all; return 404; }
+    location ^~ /vendor/ { deny all; return 404; }
+    location ^~ /node_modules/ { deny all; return 404; }
+    location ^~ /logs/ { deny all; return 404; }
+    location ^~ /data/ { deny all; return 404; }
+    location ^~ /includes/ { deny all; return 404; }
+
+    # Static assets
+    location /assets/ {
+        expires 1y;
+        add_header Cache-Control "public, immutable";
+        gzip_static on;
+    }
+
+    # Front controller
+    location / {
+        try_files $uri $uri/ /index.php?$query_string;
+    }
+
+    # PHP-FPM
+    location ~ \.php$ {
+        fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        include fastcgi_params;
+    }
+
+    # Compression
+    gzip on;
+    gzip_vary on;
+    gzip_min_length 1024;
+    gzip_types text/plain text/css text/javascript application/javascript application/json image/svg+xml;
+}