nginx [2019/06/04 09:02] misaka00251nginx [2020/01/18 11:47] (current) – external edit 127.0.0.1
Line 54: Line 54:
  
 Here is an example secure conf. Here is an example secure conf.
 +
 +<code - nginx.conf>
 +# This file default locate at /etc/nginx/nginx.conf in Linux.
 +user www-data;
 +pid /run/nginx.pid;
 +worker_processes auto;
 +worker_rlimit_nofile 65535;
 +
 +events {
 +    multi_accept on;
 +    worker_connections 65535;
 +}
 +
 +http {
 +    charset utf-8;
 +    sendfile on;
 +    tcp_nopush on;
 +    tcp_nodelay on;
 +    server_tokens off;
 +    log_not_found off;
 +    types_hash_max_size 2048;
 +    client_max_body_size 16M;
 +
 +    # MIME
 +    include mime.types;
 +    default_type application/octet-stream;
 +
 +    # logging
 +    access_log /var/log/nginx/access.log;
 +    error_log /var/log/nginx/error.log warn;
 +
 +    # SSL
 +    ssl_session_timeout 1d;
 +    ssl_session_cache shared:SSL:10m;
 +    ssl_session_tickets off;
 +
 +    # Mozilla Modern configuration
 +    ssl_protocols TLSv1.3;
 +
 +    # OCSP Stapling
 +    ssl_stapling on;
 +    ssl_stapling_verify on;
 +    resolver 1.1.1.1 1.0.0.1 valid=60s;
 +    resolver_timeout 2s;
 +
 +    # load configs
 +    include /etc/nginx/conf.d/*.conf;
 +    include /etc/nginx/sites-enabled/*;
 +}
 +</code>
  
 <code - example.com> <code - example.com>
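Review bot: The http-level `resolver 1.1.1.1 1.0.0.1 valid=60s;` and `resolver_timeout 2s;` added here are repeated in the example.com server block further down this page with `resolver_timeout 5s;`, and the server-level values win, so the two copies disagree about how long a stapling lookup may block; keep one copy or make the timeouts equal. `ssl_protocols TLSv1.3;` is what the "Mozilla Modern" comment promises, but a comment such as `# TLS 1.3 only: clients without TLS 1.3 are refused; use the Intermediate profile (TLSv1.2 TLSv1.3) if they must be served` would spare the next maintainer a surprise. `ssl_stapling_verify on;` at this level needs `ssl_trusted_certificate` in every TLS server block that inherits it; the example.com block sets one, and any new vhost dropped into sites-enabled must too.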
Line 75: Line 125:
     server_name example.com;     server_name example.com;
          
-    add_header X-Frame-Options DENY+    add_header X-Frame-Options "SAMEORIGIN" always
-    add_header X-Content-Type-Options nosniff; +    add_header X-Content-Type-Options "nosniff" always
-    add_header X-XSS-Protection "1; mode=block";+    add_header X-XSS-Protection "1; mode=block" always; 
 +    add_header Referrer-Policy "no-referrer-when-downgrade" always;
     add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";     add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";
 +    # Or
 +    add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
 +    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
  
     ssl_session_cache shared:SSL:10m;     ssl_session_cache shared:SSL:10m;
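Review bot: The new `add_header X-Frame-Options "SAMEORIGIN" always` and `add_header X-Content-Type-Options "nosniff" always` lines lack the terminating `;`, so nginx reads the following directive as further arguments and rejects the configuration at startup with an invalid-number-of-arguments error; both should end `... always;`. Two `Content-Security-Policy` headers are now emitted from the same block — the strict one kept from the old revision and the new `default-src 'self' http: https: data: blob: 'unsafe-inline'` one under `# Or` — and browsers enforce every policy received, so the permissive one adds nothing while the comment suggests it was meant as a replacement; comment one of them out. The strict CSP and the moved `Strict-Transport-Security` line carry no `always`, so unlike their neighbours they are omitted on 4xx/5xx responses. The enclosing server block continues outside the hunk.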
Line 103: Line 157:
     # enable ocsp stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner)     # enable ocsp stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner)
     # http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/     # http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
-    resolver 1.1.1.1 1.0.0.1 valid=300s;+    resolver 1.1.1.1 1.0.0.1 valid=60s;
     resolver_timeout 5s;     resolver_timeout 5s;
     ssl_stapling on;     ssl_stapling on;
Line 109: Line 163:
     ssl_trusted_certificate /etc/nginx/ssl/example.com.crt;     ssl_trusted_certificate /etc/nginx/ssl/example.com.crt;
  
-    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; +    set $base /home/wwwroot/example.com
- +    root $base;
-    root /home/wwwroot/example.com;+
     index index.php index.html;     index index.php index.html;
  
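Review bot: `set $base /home/wwwroot/example.com` has no terminating `;`, so nginx parses the next line `root $base;` as extra arguments of `set` and refuses to start; it should read `set $base /home/wwwroot/example.com;`. The `Strict-Transport-Security` header removed here reappears earlier in the same server block, so that move itself is fine. The enclosing server block starts and ends outside the hunk.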
Line 123: Line 176:
         include snippets/fastcgi-php.conf;         include snippets/fastcgi-php.conf;
         fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;         fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
 +        fastcgi_buffers 8 16k;
 +        fastcgi_buffer_size 32k;
 +        # fastcgi params
 +        fastcgi_param DOCUMENT_ROOT $realpath_root;
 +        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
 +        fastcgi_param PHP_ADMIN_VALUE "open_basedir=$base/:/usr/lib/php/:/tmp/";
     }     }
  
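Review bot: `fastcgi_param PHP_ADMIN_VALUE "open_basedir=$base/:/usr/lib/php/:/tmp/";` is a useful containment, but the list does not cover PHP's session save path, so if sessions are file-based and stored outside these directories `session_start()` will fail — confirm `session.save_path` in the PHP-FPM pool and add it if needed. `SCRIPT_FILENAME` and `DOCUMENT_ROOT` are presumably already set from `$document_root` by the included `snippets/fastcgi-php.conf`; if so the pair is now sent twice, and a comment such as `# override snippet values with the resolved path so symlinked roots are what open_basedir sees` would record why `$realpath_root` is used here. The location block starts outside the hunk.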
Line 128: Line 187:
        deny all;        deny all;
     }     }
 +    
 +    location = /favicon.ico {
 +        log_not_found off;
 +        access_log off;
 +    }
 +    
 +    location = /robots.txt {
 +        log_not_found off;
 +        access_log off;
 +    }
 +    
 +    # assets, media
 +    location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
 +        expires 7d;
 +        access_log off;
 +    }
 +
 +    # svg, fonts
 +    location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
 +        add_header Access-Control-Allow-Origin "*";
 +        expires 7d;
 +        access_log off;
 +    }
 +    
 +    # gzip
 +    gzip on;
 +    gzip_vary on;
 +    gzip_proxied any;
 +    gzip_comp_level 6;
 +    gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
  
     ssl_certificate /etc/nginx/ssl/example.com.crt;     ssl_certificate /etc/nginx/ssl/example.com.crt;
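Review bot: `add_header Access-Control-Allow-Origin "*";` inside the svg/fonts location stops that location inheriting the server-level `add_header` directives — nginx inherits them only when the current level defines none — so responses matched by this location go out without `Strict-Transport-Security`, `Content-Security-Policy` and the other headers added in this revision. Either move the common headers into a snippet and `include` it in this location as well, or accept the gap with a comment such as `# NOTE: this add_header replaces the inherited server-level security headers for these responses`. The same rule will bite any other location that later gains an `add_header`.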
Line 158: Line 247:
     # You need to install nginx-extras on Debian / Ubuntu.     # You need to install nginx-extras on Debian / Ubuntu.
     location / {     location / {
 +        autoindex on;
         fancyindex on;         fancyindex on;
         fancyindex_exact_size off;         fancyindex_exact_size off;