Differences
This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
nginx [2019/05/08 02:54] – [5. Rewrite the site's config file.] Update for safety misaka00251 | nginx [2020/01/18 11:47] (current) – external edit 127.0.0.1 | ||
---|---|---|---|
Line 55: | Line 55: | ||
Here is an example secure conf. | Here is an example secure conf. | ||
- | <code - example.com> | + | <code - nginx.conf> |
- | add_header X-Frame-Options SAMEORIGIN; | + | # This file default |
- | add_header X-Content-Type-Options nosniff; | + | user www-data; |
- | add_header X-XSS-Protection "1; mode=block"; | + | pid /run/nginx.pid; |
- | add_header Content-Security-Policy "default-src ' | + | worker_processes auto; |
+ | worker_rlimit_nofile 65535; | ||
+ | events { | ||
+ | multi_accept on; | ||
+ | worker_connections 65535; | ||
+ | } | ||
+ | |||
+ | http { | ||
+ | charset utf-8; | ||
+ | sendfile on; | ||
+ | tcp_nopush on; | ||
+ | tcp_nodelay on; | ||
+ | server_tokens off; | ||
+ | log_not_found off; | ||
+ | types_hash_max_size 2048; | ||
+ | client_max_body_size 16M; | ||
+ | |||
+ | # MIME | ||
+ | include mime.types; | ||
+ | default_type application/ | ||
+ | |||
+ | # logging | ||
+ | access_log / | ||
+ | error_log / | ||
+ | |||
+ | # SSL | ||
+ | ssl_session_timeout 1d; | ||
+ | ssl_session_cache shared: | ||
+ | ssl_session_tickets off; | ||
+ | |||
+ | # Mozilla Modern configuration | ||
+ | ssl_protocols TLSv1.3; | ||
+ | |||
+ | # OCSP Stapling | ||
+ | ssl_stapling on; | ||
+ | ssl_stapling_verify on; | ||
+ | resolver 1.1.1.1 1.0.0.1 valid=60s; | ||
+ | resolver_timeout 2s; | ||
+ | |||
+ | # load configs | ||
+ | include / | ||
+ | include / | ||
+ | } | ||
+ | </ | ||
+ | |||
+ | <code - example.com> | ||
server { | server { | ||
server_tokens off; | server_tokens off; | ||
Line 79: | Line 124: | ||
listen [::]:443 ssl http2; | listen [::]:443 ssl http2; | ||
server_name example.com; | server_name example.com; | ||
+ | | ||
+ | add_header X-Frame-Options " | ||
+ | add_header X-Content-Type-Options " | ||
+ | add_header X-XSS-Protection "1; mode=block" | ||
+ | add_header Referrer-Policy " | ||
+ | add_header Content-Security-Policy " | ||
+ | # Or | ||
+ | add_header Content-Security-Policy " | ||
+ | add_header Strict-Transport-Security " | ||
- | ssl_session_cache shared:SSL:50m; | + | ssl_session_cache shared:SSL:10m; |
- | ssl_session_timeout | + | ssl_session_timeout |
ssl_session_tickets off; | ssl_session_tickets off; | ||
Line 96: | Line 150: | ||
# ciphers chosen for forward secrecy and compatibility | # ciphers chosen for forward secrecy and compatibility | ||
# http:// | # http:// | ||
- | ssl_ciphers | + | ssl_ciphers |
+ | # Or this: | ||
+ | # ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA; | ||
+ | ssl_ecdh_curve secp384r1; | ||
# enable ocsp stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, | # enable ocsp stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, | ||
# http:// | # http:// | ||
- | resolver 1.1.1.1 1.0.0.1; | + | resolver 1.1.1.1 1.0.0.1 |
+ | resolver_timeout 5s; | ||
ssl_stapling on; | ssl_stapling on; | ||
ssl_stapling_verify on; | ssl_stapling_verify on; | ||
ssl_trusted_certificate / | ssl_trusted_certificate / | ||
- | | + | |
- | + | root $base; | |
- | root / | + | |
index index.php index.html; | index index.php index.html; | ||
Line 119: | Line 176: | ||
include snippets/ | include snippets/ | ||
fastcgi_pass unix:/ | fastcgi_pass unix:/ | ||
+ | fastcgi_buffers 8 16k; | ||
+ | fastcgi_buffer_size 32k; | ||
+ | # fastcgi params | ||
+ | fastcgi_param DOCUMENT_ROOT $realpath_root; | ||
+ | fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name; | ||
+ | fastcgi_param PHP_ADMIN_VALUE " | ||
} | } | ||
Line 124: | Line 187: | ||
deny all; | deny all; | ||
} | } | ||
+ | | ||
+ | location = / | ||
+ | log_not_found off; | ||
+ | access_log off; | ||
+ | } | ||
+ | | ||
+ | location = /robots.txt { | ||
+ | log_not_found off; | ||
+ | access_log off; | ||
+ | } | ||
+ | | ||
+ | # assets, media | ||
+ | location ~* \.(?: | ||
+ | expires 7d; | ||
+ | access_log off; | ||
+ | } | ||
+ | |||
+ | # svg, fonts | ||
+ | location ~* \.(?: | ||
+ | add_header Access-Control-Allow-Origin " | ||
+ | expires 7d; | ||
+ | access_log off; | ||
+ | } | ||
+ | | ||
+ | # gzip | ||
+ | gzip on; | ||
+ | gzip_vary on; | ||
+ | gzip_proxied any; | ||
+ | gzip_comp_level 6; | ||
+ | gzip_types text/plain text/css text/xml application/ | ||
ssl_certificate / | ssl_certificate / | ||
Line 144: | Line 237: | ||
openssl dhparam -dsaparam -out dhparam.pem 4096 | openssl dhparam -dsaparam -out dhparam.pem 4096 | ||
</ | </ | ||
+ | |||
+ | Things that might help you out: [[https:// | ||
+ | |||
===== Cool stuff ===== | ===== Cool stuff ===== | ||
+ | |||
+ | ==== Colorful OpenDirectory === | ||
+ | |||
+ | < | ||
+ | # You need to install nginx-extras on Debian / Ubuntu. | ||
+ | location / { | ||
+ | autoindex on; | ||
+ | fancyindex on; | ||
+ | fancyindex_exact_size off; | ||
+ | } | ||
+ | </ | ||
+ | |||
+ | ==== Connectivity Detection ==== | ||
< | < | ||
Line 168: | Line 277: | ||
return 200 ' | return 200 ' | ||
} | } | ||
+ | </ | ||
+ | |||
+ | ==== Reverse Proxy ==== | ||
+ | |||
+ | < | ||
+ | location / { | ||
+ | proxy_pass http:// | ||
+ | proxy_set_header Host $http_host; | ||
+ | proxy_set_header X-Real-IP $remote_addr; | ||
+ | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
+ | proxy_set_header X-Forwarded-Proto $scheme; | ||
+ | client_max_body_size 0; | ||
+ | } | ||
+ | </ | ||
+ | |||
+ | ==== log ==== | ||
+ | |||
+ | < | ||
+ | log_format main ' | ||
+ | access_log / | ||
+ | error_log / | ||
</ | </ | ||