Securing Nginx in Docker

Hello,
The default.conf file is as follows:

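server {
    listen 80;
    listen [::]:80;
    server_name Lottery;

    # Static files under root are served directly; anything else goes to the app.
    location / {
        try_files $uri @User;
    }

    location @User {
        proxy_pass http://User:3000;

        # add_header is NOT inherited across levels: as soon as a location has
        # its own add_header lines, any add_header set at server level no longer
        # applies to it, so every response header has to be listed here.
        add_header X-Frame-Options "SAMEORIGIN" always;
        # Current browsers have removed the XSS auditor and the recommended value
        # is "0" (this also matches the "X-XSS-Protection : 0" the author wants
        # to set elsewhere; "1; mode=block" and "0" must not both be sent).
        add_header X-XSS-Protection "0" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Referrer-Policy "no-referrer-when-downgrade" always;
        # This policy allows any source, inline script and eval, so it gives no
        # protection against injected script; it only avoids breaking the app.
        # Tighten it (e.g. 'self' plus the hosts the app really loads from)
        # once the app's script/style/connect sources are known.
        add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
        # Browsers ignore Strict-Transport-Security received over plain HTTP, and
        # this server only listens on port 80. Enable it on the TLS listener, and
        # only once the includeSubDomains/preload consequences are understood.
        #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    }

    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;
}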

In which part of the configuration file should I add the following settings?

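        # ---- http {} context only ---------------------------------------------
        # limit_conn_zone and limit_req_zone are only valid in the http context.
        # In the official nginx image default.conf is included from inside the
        # http {} block of /etc/nginx/nginx.conf, so these two lines belong in
        # nginx.conf (or in a separate conf.d file placed at http level), never
        # inside server {}. Note that $binary_remote_addr is the address of the
        # peer nginx sees: behind a load balancer or CDN every client would share
        # one bucket unless the real client address is restored first.
        limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
        limit_req_zone  $binary_remote_addr zone=allips:10m rate=500r/s;

        # ---- server {} context: everything below goes inside server { } -------

        # Hide the nginx version from the Server header and error pages.
        # Stock nginx can only shorten the header to "nginx"; removing it
        # entirely needs the headers-more module (see more_set_headers below).
        server_tokens off;

        # Strip backend framework fingerprints from proxied responses.
        proxy_hide_header X-Powered-By;
        proxy_hide_header X-AspNet-Version;
        proxy_hide_header X-AspNetMvc-Version;
        proxy_hide_header X-Runtime;
        proxy_hide_header X-Redirect-By;

        # more_set_headers is provided by the third-party headers-more module
        # (ngx_http_headers_more_filter_module), which is not part of the
        # official nginx image. nginx refuses to start on an unknown directive,
        # so either use an image that ships the module or express these with
        # add_header / proxy_hide_header instead. These values also override
        # headers of the same name set by add_header in location @User, so keep
        # only one definition per header. The two lines that were missing their
        # trailing ';' are fixed (a missing ';' is a fatal config error).
        more_set_headers "Server : ";
        more_set_headers "X-XSS-Protection : 0";
        more_set_headers "X-Content-Type-Options : nosniff";
        more_set_headers "X-Download-Options : noopen";
        more_set_headers "X-Permitted-Cross-Domain-Policies : none";

        # Compression. Safe on a plain-HTTP listener; if this server later
        # terminates TLS, remember that compressing responses that echo user
        # input alongside secrets (tokens, CSRF values) exposes them to
        # compression side channels, so keep gzip_types to static assets there.
        gzip              on;
        gzip_min_length   1499;
        gzip_disable      "msie6";
        gzip_vary         on;
        gzip_static       on;
        gzip_proxied      any;
        gzip_comp_level   4;
        gzip_buffers      16 8k;
        gzip_http_version 1.1;
        gzip_types
           application/atom+xml
           application/javascript
           application/json
           application/ld+json
           application/manifest+json
           application/rss+xml
           application/vnd.geo+json
           application/vnd.ms-fontobject
           application/wasm application/x-font-ttf
           application/x-web-app-manifest+json
           application/xhtml+xml application/xml
           image/bmp
           image/svg+xml
           image/x-icon
           font/opentype
           text/cache-manifest
           text/css
           text/javascript
           text/plain
           text/vcard
           text/vnd.rim.location.xloc
           text/vtt
           text/x-component
           text/x-cross-domain-policy
           text/xml
           application/xml+rss;

        # Per-client limits that use the zones declared at http level.
        # 500 r/s with a burst of 400 only stops outright flooding from a single
        # address; lower the rate on login or other expensive locations if needed.
        limit_conn        limit_per_ip 130;
        limit_req         zone=allips burst=400 nodelay;
        limit_req_status  429;
        limit_conn_status 429;

        # Cache open file descriptors for static files under root.
        open_file_cache          max=5000 inactive=240s;
        open_file_cache_valid    60s;
        open_file_cache_min_uses 5;
        open_file_cache_errors   off;

        # Request size limits. 2 x 2k header buffers is tight: a browser with a
        # few cookies can exceed it and receive "400 Request Header Or Cookie
        # Too Large"; raise large_client_header_buffers if that shows up in logs.
        client_max_body_size        20M;
        client_header_buffer_size   5k;
        large_client_header_buffers 2 2k;
        client_body_buffer_size     32k;

        # Short timeouts limit how long a slow or idle client can hold a worker
        # connection (mitigates slow-request style resource exhaustion).
        client_body_timeout   10;
        client_header_timeout 10;
        keepalive_timeout     10;
        send_timeout          10;

        sendfile    on;
        tcp_nopush  on;
        tcp_nodelay on;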

Thank you.
