Differences

This shows you the differences between two versions of the page.

--- nginx [2019/05/08 02:54] – [5. Rewrite the site's config file.] Update for safety misaka00251
+++ nginx [2019/10/01 14:49] – misaka00251
@@ Line 55: / Line 55: @@
 Here is an example secure conf.
-<code - example.com>
+<code - nginx.conf>
-add_header X-Frame-Options SAMEORIGIN;
+# This file default locate at /etc/nginx/nginx.conf in Linux.
-add_header X-Content-Type-Options nosniff;
+user www-data;
-add_header X-XSS-Protection "1; mode=block";
+pid /run/nginx.pid;
-add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";
+worker_processes auto;
+worker_rlimit_nofile 65535;
+events {
+    multi_accept on;
+    worker_connections 65535;
+}
+http {
+    charset utf-8;
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+    server_tokens off;
+    log_not_found off;
+    types_hash_max_size 2048;
+    client_max_body_size 16M;
+    # MIME
+    include mime.types;
+    default_type application/octet-stream;
+    # logging
+    access_log /var/log/nginx/access.log;
+    error_log /var/log/nginx/error.log warn;
+    # SSL
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_tickets off;
+    # Mozilla Modern configuration
+    ssl_protocols TLSv1.3;
+    # OCSP Stapling
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    resolver 1.1.1.1 1.0.0.1 valid=60s;
+    resolver_timeout 2s;
+    # load configs
+    include /etc/nginx/conf.d/*.conf;
+    include /etc/nginx/sites-enabled/*;
+}
+</code>
+<code - example.com>
 server {
     server_tokens off;
@@ Line 79: / Line 124: @@
     listen [::]:443 ssl http2;
     server_name example.com;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "no-referrer-when-downgrade" always;
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";
+    # Or
+    add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
-    ssl_session_cache shared:SSL:50m;
+    ssl_session_cache shared:SSL:10m;
-    ssl_session_timeout 1d;
+    ssl_session_timeout 10m;
     ssl_session_tickets off;
@@ Line 96: / Line 150: @@
     # ciphers chosen for forward secrecy and compatibility
     # http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
-    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
+    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
+    # Or this:
+    # ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
+    ssl_ecdh_curve secp384r1;
     # enable ocsp stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner)
     # http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
-    resolver 1.1.1.1 1.0.0.1;
+    resolver 1.1.1.1 1.0.0.1 valid=60s;
+    resolver_timeout 5s;
     ssl_stapling on;
     ssl_stapling_verify on;
     ssl_trusted_certificate /etc/nginx/ssl/example.com.crt;
-    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+    set $base /home/wwwroot/example.com;
+    root $base;
-    root /home/wwwroot/example.com;
     index index.php index.html;
@@ Line 119: / Line 176: @@
         include snippets/fastcgi-php.conf;
         fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
+        fastcgi_buffers 8 16k;
+        fastcgi_buffer_size 32k;
+        # fastcgi params
+        fastcgi_param DOCUMENT_ROOT $realpath_root;
+        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+        fastcgi_param PHP_ADMIN_VALUE "open_basedir=$base/:/usr/lib/php/:/tmp/";
     }
@@ Line 124: / Line 187: @@
        deny all;
     }
+    location = /favicon.ico {
+        log_not_found off;
+        access_log off;
+    }
+    location = /robots.txt {
+        log_not_found off;
+        access_log off;
+    }
+    # assets, media
+    location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
+        expires 7d;
+        access_log off;
+    }
+    # svg, fonts
+    location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
+        add_header Access-Control-Allow-Origin "*";
+        expires 7d;
+        access_log off;
+    }
+    # gzip
+    gzip on;
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_comp_level 6;
+    gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
     ssl_certificate /etc/nginx/ssl/example.com.crt;
@@ Line 144: / Line 237: @@
 openssl dhparam -dsaparam -out dhparam.pem 4096
 </code>
+Things that might help you out: [[https://cipherli.st|Cipherli.st]] & [[https://mozilla.github.io/server-side-tls/ssl-config-generator/|Mozilla SSL Configuration Generator]]
 ===== Cool stuff =====
+==== Colorful OpenDirectory ===
+<code>
+    # You need to install nginx-extras on Debian / Ubuntu.
+    location / {
+        autoindex on;
+        fancyindex on;
+        fancyindex_exact_size off;
+    }
+</code>
+==== Connectivity Detection ====
 <code>
@@ Line 168: / Line 277: @@
         return 200 'Microsoft NCSI';
     }
+</code>
+==== Reverse Proxy ====
+<code>
+    location / {
+        proxy_pass http://127.0.0.1:8080/;
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        client_max_body_size 0;
+    }
+</code>
+==== log ====
+<code>
+    log_format main '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
+    access_log /var/log/nginx/example_com_access.log;
+    error_log /var/log/nginx/example_com_error.log warn;
 </code>