protection de l'application contre les attaques numériques

2026-01-16 20:10:17 +01:00
parent 520166a1e9
commit de157e9d0e
11 changed files with 1350 additions and 44 deletions
--- a/nginx-ssl.conf
+++ b/nginx-ssl.conf
@@ -0,0 +1,151 @@
+# Configuration Nginx avec SSL/TLS pour production
+# À utiliser avec Let's Encrypt ou certificats auto-signés
+
+# Redirection HTTP -> HTTPS
+server {
+    listen 80;
+    listen [::]:80;
+    server_name votre-domaine.com www.votre-domaine.com;
+    
+    # Redirection permanente vers HTTPS
+    return 301 https://$server_name$request_uri;
+}
+
+# Configuration HTTPS principale
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name votre-domaine.com www.votre-domaine.com;
+
+    # Certificats SSL - À remplacer par vos certificats Let's Encrypt
+    ssl_certificate /etc/letsencrypt/live/votre-domaine.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/votre-domaine.com/privkey.pem;
+    
+    # Configuration SSL/TLS moderne et sécurisée
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
+    ssl_prefer_server_ciphers off;
+    
+    # OCSP Stapling - Améliore la performance SSL
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    ssl_trusted_certificate /etc/letsencrypt/live/votre-domaine.com/chain.pem;
+    
+    # Session SSL
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:50m;
+    ssl_session_tickets off;
+    
+    # Paramètres Diffie-Hellman pour Perfect Forward Secrecy
+    ssl_dhparam /etc/nginx/dhparam.pem;  # Générer avec: openssl dhparam -out /etc/nginx/dhparam.pem 4096
+
+    # Headers de sécurité
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+    add_header X-Frame-Options "DENY" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self'; frame-ancestors 'none';" always;
+    add_header Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=()" always;
+
+    # Logs
+    access_log /var/log/nginx/innotexboard-access.log;
+    error_log /var/log/nginx/innotexboard-error.log;
+
+    # Limite de taille des uploads
+    client_max_body_size 100M;
+
+    # Protection contre les slow attacks
+    client_body_timeout 10s;
+    client_header_timeout 10s;
+    keepalive_timeout 65s;
+    send_timeout 10s;
+
+    # Frontend - Application Vue.js
+    location / {
+        proxy_pass http://frontend:3000;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $host;
+        proxy_cache_bypass $http_upgrade;
+        
+        # Headers de sécurité pour proxy
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host $host;
+        proxy_set_header X-Forwarded-Port $server_port;
+        
+        # Timeouts
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
+    }
+
+    # Backend API
+    location /api/ {
+        proxy_pass http://backend:8000/api/;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $host;
+        proxy_cache_bypass $http_upgrade;
+        
+        # Headers de sécurité
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        
+        # Timeouts plus longs pour API
+        proxy_connect_timeout 120s;
+        proxy_send_timeout 120s;
+        proxy_read_timeout 120s;
+        
+        # Buffering
+        proxy_buffering on;
+        proxy_buffer_size 4k;
+        proxy_buffers 8 4k;
+        
+        # Rate limiting - 100 requêtes/seconde par IP
+        limit_req zone=api_limit burst=20 nodelay;
+    }
+
+    # WebSocket pour temps réel
+    location /api/v1/ws {
+        proxy_pass http://backend:8000/api/v1/ws;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        
+        # Timeouts longs pour WebSocket
+        proxy_connect_timeout 7d;
+        proxy_send_timeout 7d;
+        proxy_read_timeout 7d;
+    }
+
+    # Bloquer l'accès aux fichiers sensibles
+    location ~ /\. {
+        deny all;
+        access_log off;
+        log_not_found off;
+    }
+
+    # Bloquer l'accès aux fichiers de sauvegarde
+    location ~ ~$ {
+        deny all;
+        access_log off;
+        log_not_found off;
+    }
+}
+
+# Zone de rate limiting globale
+limit_req_zone $binary_remote_addr zone=api_limit:10m rate=100r/s;
+
+# Configuration du resolver DNS
+resolver 8.8.8.8 8.8.4.4 valid=300s;
+resolver_timeout 5s;