Differences

This shows you the differences between two versions of the page.

--- nginx [2019/06/04 09:02] – Add misaka00251
+++ nginx [2020/01/18 11:47] (current) – external edit 127.0.0.1
@@ Line 54: / Line 54: @@
 Here is an example secure conf.
+<code - nginx.conf>
+# This file default locate at /etc/nginx/nginx.conf in Linux.
+user www-data;
+pid /run/nginx.pid;
+worker_processes auto;
+worker_rlimit_nofile 65535;
+events {
+    multi_accept on;
+    worker_connections 65535;
+}
+http {
+    charset utf-8;
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+    server_tokens off;
+    log_not_found off;
+    types_hash_max_size 2048;
+    client_max_body_size 16M;
+    # MIME
+    include mime.types;
+    default_type application/octet-stream;
+    # logging
+    access_log /var/log/nginx/access.log;
+    error_log /var/log/nginx/error.log warn;
+    # SSL
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_tickets off;
+    # Mozilla Modern configuration
+    ssl_protocols TLSv1.3;
+    # OCSP Stapling
+    ssl_stapling on;
+    ssl_stapling_verify on;
+    resolver 1.1.1.1 1.0.0.1 valid=60s;
+    resolver_timeout 2s;
+    # load configs
+    include /etc/nginx/conf.d/*.conf;
+    include /etc/nginx/sites-enabled/*;
+}
+</code>
 <code - example.com>
@@ Line 75: / Line 125: @@
     server_name example.com;
-    add_header X-Frame-Options DENY;
+    add_header X-Frame-Options "SAMEORIGIN" always;
-    add_header X-Content-Type-Options nosniff;
+    add_header X-Content-Type-Options "nosniff" always;
-    add_header X-XSS-Protection "1; mode=block";
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "no-referrer-when-downgrade" always;
     add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";
+    # Or
+    add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
     ssl_session_cache shared:SSL:10m;
@@ Line 103: / Line 157: @@
     # enable ocsp stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner)
     # http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
-    resolver 1.1.1.1 1.0.0.1 valid=300s;
+    resolver 1.1.1.1 1.0.0.1 valid=60s;
     resolver_timeout 5s;
     ssl_stapling on;
@@ Line 109: / Line 163: @@
     ssl_trusted_certificate /etc/nginx/ssl/example.com.crt;
-    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+    set $base /home/wwwroot/example.com;
+    root $base;
-    root /home/wwwroot/example.com;
     index index.php index.html;
@@ Line 123: / Line 176: @@
         include snippets/fastcgi-php.conf;
         fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
+        fastcgi_buffers 8 16k;
+        fastcgi_buffer_size 32k;
+        # fastcgi params
+        fastcgi_param DOCUMENT_ROOT $realpath_root;
+        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
+        fastcgi_param PHP_ADMIN_VALUE "open_basedir=$base/:/usr/lib/php/:/tmp/";
     }
@@ Line 128: / Line 187: @@
        deny all;
     }
+    location = /favicon.ico {
+        log_not_found off;
+        access_log off;
+    }
+    location = /robots.txt {
+        log_not_found off;
+        access_log off;
+    }
+    # assets, media
+    location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
+        expires 7d;
+        access_log off;
+    }
+    # svg, fonts
+    location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
+        add_header Access-Control-Allow-Origin "*";
+        expires 7d;
+        access_log off;
+    }
+    # gzip
+    gzip on;
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_comp_level 6;
+    gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
     ssl_certificate /etc/nginx/ssl/example.com.crt;
@@ Line 156: / Line 245: @@
 <code>
+    # You need to install nginx-extras on Debian / Ubuntu.
     location / {
+        autoindex on;
         fancyindex on;
         fancyindex_exact_size off;