Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
nginx [2019/05/08 02:57] – [5. Rewrite the site's config file.] Update from https://cipherli.st/ misaka00251nginx [2020/01/18 11:47] (current) – external edit 127.0.0.1
Line 55: Line 55:
 Here is an example secure conf. Here is an example secure conf.
  
-<code - example.com+<code - nginx.conf
-add_header X-Frame-Options SAMEORIGIN; +# This file default locate at /etc/nginx/nginx.conf in Linux. 
-add_header X-Content-Type-Options nosniff; +user www-data; 
-add_header X-XSS-Protection "1; mode=block"; +pid /run/nginx.pid; 
-add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.comstyle-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.comfont-src 'self' https://themes.googleusercontent.comframe-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";+worker_processes auto; 
 +worker_rlimit_nofile 65535;
  
 +events {
 +    multi_accept on;
 +    worker_connections 65535;
 +}
 +
 +http {
 +    charset utf-8;
 +    sendfile on;
 +    tcp_nopush on;
 +    tcp_nodelay on;
 +    server_tokens off;
 +    log_not_found off;
 +    types_hash_max_size 2048;
 +    client_max_body_size 16M;
 +
 +    # MIME
 +    include mime.types;
 +    default_type application/octet-stream;
 +
 +    # logging
 +    access_log /var/log/nginx/access.log;
 +    error_log /var/log/nginx/error.log warn;
 +
 +    # SSL
 +    ssl_session_timeout 1d;
 +    ssl_session_cache shared:SSL:10m;
 +    ssl_session_tickets off;
 +
 +    # Mozilla Modern configuration
 +    ssl_protocols TLSv1.3;
 +
 +    # OCSP Stapling
 +    ssl_stapling on;
 +    ssl_stapling_verify on;
 +    resolver 1.1.1.1 1.0.0.1 valid=60s;
 +    resolver_timeout 2s;
 +
 +    # load configs
 +    include /etc/nginx/conf.d/*.conf;
 +    include /etc/nginx/sites-enabled/*;
 +}
 +</code>
 +
 +<code - example.com>
 server { server {
     server_tokens off;     server_tokens off;
Line 79: Line 124:
     listen [::]:443 ssl http2;     listen [::]:443 ssl http2;
     server_name example.com;     server_name example.com;
 +    
 +    add_header X-Frame-Options "SAMEORIGIN" always;
 +    add_header X-Content-Type-Options "nosniff" always;
 +    add_header X-XSS-Protection "1; mode=block" always;
 +    add_header Referrer-Policy "no-referrer-when-downgrade" always;
 +    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";
 +    # Or
 +    add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
 +    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
  
     ssl_session_cache shared:SSL:10m;     ssl_session_cache shared:SSL:10m;
Line 96: Line 150:
     # ciphers chosen for forward secrecy and compatibility     # ciphers chosen for forward secrecy and compatibility
     # http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html     # http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
-    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';+    ssl_ciphers EECDH+AESGCM:EDH+AESGCM; 
 +    # Or this: 
 +    # ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
     ssl_ecdh_curve secp384r1;     ssl_ecdh_curve secp384r1;
  
     # enable ocsp stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner)     # enable ocsp stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner)
     # http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/     # http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
-    resolver 1.1.1.1 1.0.0.1 valid=300s;+    resolver 1.1.1.1 1.0.0.1 valid=60s;
     resolver_timeout 5s;     resolver_timeout 5s;
     ssl_stapling on;     ssl_stapling on;
Line 107: Line 163:
     ssl_trusted_certificate /etc/nginx/ssl/example.com.crt;     ssl_trusted_certificate /etc/nginx/ssl/example.com.crt;
  
-    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; +    set $base /home/wwwroot/example.com
- +    root $base;
-    root /home/wwwroot/example.com;+
     index index.php index.html;     index index.php index.html;
  
Line 121: Line 176:
         include snippets/fastcgi-php.conf;         include snippets/fastcgi-php.conf;
         fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;         fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
 +        fastcgi_buffers 8 16k;
 +        fastcgi_buffer_size 32k;
 +        # fastcgi params
 +        fastcgi_param DOCUMENT_ROOT $realpath_root;
 +        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
 +        fastcgi_param PHP_ADMIN_VALUE "open_basedir=$base/:/usr/lib/php/:/tmp/";
     }     }
  
Line 126: Line 187:
        deny all;        deny all;
     }     }
 +    
 +    location = /favicon.ico {
 +        log_not_found off;
 +        access_log off;
 +    }
 +    
 +    location = /robots.txt {
 +        log_not_found off;
 +        access_log off;
 +    }
 +    
 +    # assets, media
 +    location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
 +        expires 7d;
 +        access_log off;
 +    }
 +
 +    # svg, fonts
 +    location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
 +        add_header Access-Control-Allow-Origin "*";
 +        expires 7d;
 +        access_log off;
 +    }
 +    
 +    # gzip
 +    gzip on;
 +    gzip_vary on;
 +    gzip_proxied any;
 +    gzip_comp_level 6;
 +    gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
  
     ssl_certificate /etc/nginx/ssl/example.com.crt;     ssl_certificate /etc/nginx/ssl/example.com.crt;
Line 146: Line 237:
 openssl dhparam -dsaparam -out dhparam.pem 4096 openssl dhparam -dsaparam -out dhparam.pem 4096
 </code> </code>
 +
 +Things that might help you out: [[https://cipherli.st|Cipherli.st]] & [[https://mozilla.github.io/server-side-tls/ssl-config-generator/|Mozilla SSL Configuration Generator]]
 +
 ===== Cool stuff ===== ===== Cool stuff =====
 +
 +==== Colorful OpenDirectory ===
 +
 +<code>
 +    # You need to install nginx-extras on Debian / Ubuntu.
 +    location / {
 +        autoindex on;
 +        fancyindex on;
 +        fancyindex_exact_size off;
 +    }
 +</code>
 +
 +==== Connectivity Detection ====
  
 <code> <code>
Line 170: Line 277:
         return 200 'Microsoft NCSI';         return 200 'Microsoft NCSI';
     }     }
 +</code>
 +
 +==== Reverse Proxy ====
 +
 +<code>
 +    location / {
 +        proxy_pass http://127.0.0.1:8080/;
 +        proxy_set_header Host $http_host;
 +        proxy_set_header X-Real-IP $remote_addr;
 +        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 +        proxy_set_header X-Forwarded-Proto $scheme;
 +        client_max_body_size 0;
 +    }
 +</code>
 +
 +==== log ====
 +
 +<code>
 +    log_format main '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
 +    access_log /var/log/nginx/example_com_access.log;
 +    error_log /var/log/nginx/example_com_error.log warn;
 </code> </code>