nginx.conf

worker_processes auto;

events { worker_connections 1024; }

http {

    ## Hide Nginx version ##
    server_tokens   off;
    ## Security headers for Nginx ## 
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Xss-Protection "1; mode=block" always;

    sendfile on;

    upstream cervantes {
        server cervantes-app:80;
    }
    
    client_max_body_size 100M;

    server {
        listen 80;
        listen [::]:80;


        location / {

            ## Only allow these request methods ##
            if ($request_method !~ ^(GET|HEAD|POST)$ ) {
                return 444;
            }

            if ($http_user_agent ~* LWP::Simple|BBBike|wget|curl) {
                    return 403;
            }

            if ($http_user_agent ~* msnbot|scrapbot) {
                    return 403;
            }

            if ( $http_referer ~* (babes|forsale|girl|jewelry|love|nudit|organic|poker|porn|sex|teen) )
            {
                return 403;
            }

            if ($request_uri ~* "%5c") {
                    return 403;
            }


            proxy_pass         http://cervantes;
            proxy_redirect     off;
            proxy_http_version 1.1;
            proxy_cache_bypass $http_upgrade;
            proxy_set_header   Upgrade $http_upgrade;
            proxy_set_header   Connection keep-alive;
            proxy_set_header   Host $host;
            proxy_set_header   X-Real-IP $remote_addr;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header   X-Forwarded-Proto $scheme;
            proxy_set_header   X-Forwarded-Host $server_name;  
            # mitigate HTTPoxy Vulnerability
            # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
            proxy_set_header    Proxy  "";


        }


    }
}