nginx site config updates

site-config.conf

@@ -32,8 +32,12 @@ server {
     # Apply general rate limit
     limit_req zone=general burst=100 nodelay;
 
-    # Content Security Policy (needs to be per-domain)
-    add_header Content-Security-Policy "default-src 'self' *.$DOMAIN; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.$DOMAIN; style-src 'self' 'unsafe-inline' *.$DOMAIN; img-src 'self' data: *.$DOMAIN; font-src 'self' data: *.$DOMAIN; connect-src 'self' *.$DOMAIN; frame-src 'self' *.$DOMAIN; media-src 'self' *.$DOMAIN; object-src 'none'; base-uri 'self'; form-action 'self' *.$DOMAIN" always;
+    # Content Security Policy and other security headers
+    set $content_security_policy "default-src 'self' *.$DOMAIN; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.$DOMAIN; style-src 'self' 'unsafe-inline' *.$DOMAIN; img-src 'self' data: *.$DOMAIN; font-src 'self' data: *.$DOMAIN; connect-src 'self' *.$DOMAIN; frame-src 'self' *.$DOMAIN; media-src 'self' *.$DOMAIN; object-src 'none'; base-uri 'self'; form-action 'self' *.$DOMAIN";
+    add_header Content-Security-Policy $content_security_policy always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
 
     # Subdomain handling
     set $subdomain '';
@@ -83,10 +87,16 @@ server {
         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
     }
 
-    # Static file handling
+    # Static file handling (matches any file extension except .php)
     location ~* ^.+\.((?!php).)*$ {
+        # Caching and security headers
         expires 30d;
         add_header Cache-Control "public, no-transform";
+        add_header Content-Security-Policy $content_security_policy always;
+        add_header X-Frame-Options "SAMEORIGIN" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+        # Try to serve the file directly
         try_files $uri $uri/ =404;
     }
 

update-site.sh

@@ -0,0 +1,59 @@
+#!/bin/bash
+
+# Script to update Nginx configuration for an existing site
+if [ "$EUID" -ne 0 ]; then 
+    echo "Please run as root or with sudo"
+    exit 1
+fi
+
+# Set up logging
+LOG_FILE="/var/log/site_setup.log"
+exec > >(tee -a "$LOG_FILE") 2>&1
+echo "Configuration update started at $(date)"
+echo "Logging to $LOG_FILE"
+
+# Prompt for domain input
+read -p "Enter the domain name (e.g., example.com): " domain
+if [[ ! "$domain" =~ ^[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$ ]]; then
+    echo "Invalid domain name format"
+    exit 1
+fi
+
+# Verify domain exists in Nginx config
+if [ ! -f "/etc/nginx/sites-available/$domain" ]; then
+    echo "Error: Domain configuration not found in /etc/nginx/sites-available/$domain"
+    exit 1
+fi
+
+# Verify SSL certificates exist
+if [ ! -d "/etc/letsencrypt/live/$domain" ]; then
+    echo "Error: SSL certificates not found for $domain"
+    exit 1
+fi
+
+# Backup existing configuration
+backup_file="/etc/nginx/sites-available/${domain}.backup-$(date +%Y%m%d-%H%M%S)"
+cp "/etc/nginx/sites-available/$domain" "$backup_file"
+echo "Backed up existing configuration to $backup_file"
+
+# Copy new Nginx configuration from adjacent file
+nginx_config="/etc/nginx/sites-available/$domain"
+cp "$(realpath "site-config.conf")" "$nginx_config"
+
+# Replace $DOMAIN placeholder in the nginx config file
+sed -i "s/\$DOMAIN/$domain/g" "$nginx_config"
+
+# Test Nginx configuration
+echo "Testing new configuration..."
+nginx -t
+if [ $? -ne 0 ]; then
+    echo "Error: Invalid Nginx configuration. Restoring backup..."
+    cp "$backup_file" "$nginx_config"
+    exit 1
+fi
+
+# Reload nginx
+systemctl reload nginx
+
+echo "Configuration update complete for $domain"
+echo "Previous configuration backed up to: $backup_file"