# Sanitized copy of the nginx configuration for claude-class.eclair.site,
# published so that visitors can check the site's privacy claims themselves.
# Files pulled in with `include` are not part of this copy, so anything they
# set has to be verified separately.

# HTTPS virtual host: serves the static build.
server {
    listen 443 ssl;
    server_name claude-class.eclair.site;

    # ---- TLS (managed by certbot) ----
    ssl_certificate /etc/letsencrypt/live/claude-class.eclair.site/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/claude-class.eclair.site/privkey.pem;
    # Protocol and cipher settings live in this included file, not here.
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    # Session tickets off: resumption does not rely on a server-side ticket key.
    # NOTE(review): if the included options file already sets this directive,
    # nginx rejects the second one as a duplicate -- confirm with `nginx -t`.
    ssl_session_tickets off;

    # ---- Content ----
    root /var/www/html/builds/claude-class;
    index index.html;

    # ---- Privacy: no request logging ----
    access_log off;
    # The error log stays enabled at `crit`, so "no logging" covers the access
    # log only. nginx error-log entries for a request normally carry the client
    # address -- NOTE(review): confirm retention of this file matches the claim.
    error_log /var/log/nginx/error.log crit;

    # ---- Hide server identity ----
    # Removes the version from the Server header and error pages; the header
    # itself is still sent.
    server_tokens off;

    # ---- Security & privacy headers ----
    # `always` attaches each header to error responses as well as successes.
    # A nested block that declares its own add_header stops inheriting this
    # set; the location blocks below declare none, so they inherit all of it.
    #
    # CSP: everything is limited to same-origin, but 'unsafe-inline' in
    # script-src and style-src still lets inline script and style run, which
    # weakens the policy against injected markup. Nonces or hashes are the
    # tighter option if the pages can drop inline code.
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests;" always;
    add_header Referrer-Policy "no-referrer" always;
    add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()" always;
    add_header X-Content-Type-Options "nosniff" always;
    # Overlaps with frame-ancestors 'none' in the CSP above.
    add_header X-Frame-Options "DENY" always;
    # Two-year HSTS. includeSubDomains applies to names below this host.
    # NOTE(review): preload-list submission is normally made for the
    # registrable domain, so `preload` on this subdomain may have no effect
    # on its own -- confirm against the parent domain's policy.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    # ---- Routing ----
    # Static files only: serve the file or directory index, otherwise 404.
    location / {
        try_files $uri $uri/ =404;
    }

    # default_type is the fallback used when the types map has no entry for
    # the file extension; the types map itself is not shown in this copy.
    location = /bitcoin.pdf {
        default_type application/pdf;
    }

    # The published copy of this configuration, served as plain text.
    location = /nginx.conf.txt {
        default_type text/plain;
    }
}

# Plain-HTTP virtual host: redirect to HTTPS, serve nothing itself.
server {
    listen 80;
    server_name claude-class.eclair.site;

    # $host comes from the request, but it is only used in the redirect after
    # matching the literal site name, so the Location target is fixed.
    if ($host = claude-class.eclair.site) {
        return 301 https://$host$request_uri;
    }

    # Any other Host value that reaches this block gets a 404.
    return 404;
}