ssl nginx config
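#######################################################
### copy from Calomel.org /etc/nginx.conf BEGIN
#######################################################
#
# Reviewed copy. Every directive value is as in the original except where a
# comment starts with "CHANGED:", which marks a correction (RC4 removed from
# the cipher list, TLS restricted to 1.2, no public caching of the
# password-protected directory, leading slash on the maintenance page).
#
worker_processes 4;   # one(1) worker or equal to the number of _real_ cpu cores. 4=4 core cpu
worker_priority 15;   # renice workers below system processes for machine health.
                      # worst case nginx gets ~25% of system resources at nice=15
#worker_rlimit_nofile 1024; # maximum number of open files

events {
    #worker_connections 512;   # number of parallel or concurrent connections per worker_processes
    #accept_mutex on;          # serially accept() connections and pass to workers, efficient if workers gt 1
    #accept_mutex_delay 500ms; # worker process will accept mutex after this delay if not assigned. (default 500ms)
}

http {
    ## Size Limits (all left at the nginx defaults; uncomment to tighten)
    #client_body_buffer_size 8k;
    #client_header_buffer_size 1k;
    #client_max_body_size 1m;
    #large_client_header_buffers 4 4k/8k;

    ## Timeouts: do not keep connections open longer than necessary, to reduce
    ## resource usage and blunt Slowloris-style attacks.
    client_body_timeout 4s;       # maximum time between packets the client can pause when sending nginx any data
    client_header_timeout 4s;     # maximum time the client has to send the entire header to nginx
    keepalive_timeout 75s;        # timeout which a single keep-alive client connection will stay open
    send_timeout 24s;             # maximum time between packets nginx is allowed to pause when sending the client data
    spdy_keepalive_timeout 123s;  # inactivity timeout after which the SPDY connection is closed
    spdy_recv_timeout 4s;         # timeout if nginx is currently expecting data from the client but nothing arrives

    ## General Options
    #aio on;                      # asynchronous file I/O, fast with ZFS, make sure sendfile=off
    charset utf-8;                # adds the charset to the "Content-Type" response header, same value as "source_charset"
    default_type application/octet-stream;
    gzip off;                     # disable on-the-fly gzip compression due to higher latency, only use gzip_static
    #gzip_http_version 1.0;       # serve gzipped content to all clients including HTTP/1.0
    gzip_static on;               # serve content precompressed (gzip -9) by an external script
    #gzip_vary on;                # send response header "Vary: Accept-Encoding"
    gzip_proxied any;             # allows compressed responses for any request even from proxies
    ignore_invalid_headers on;
    include /etc/mime.types;
    keepalive_requests 50;        # number of requests per connection, does not affect SPDY
    keepalive_disable none;       # allow all browsers to use keepalive connections
    max_ranges 1;                 # allow a single range header for resumed downloads and to stop large range header DoS attacks
    msie_padding off;
    open_file_cache max=1000 inactive=2h;
    open_file_cache_errors on;
    open_file_cache_min_uses 1;
    open_file_cache_valid 1h;
    output_buffers 1 512;
    #postpone_output 1460;        # postpone sends to match our machine's MSS
    read_ahead 512K;              # kernel read-ahead set to match output_buffers
    recursive_error_pages on;
    reset_timedout_connection on; # reset timed out connections, freeing ram
    sendfile on;                  # on for decent direct disk I/O
    server_tokens off;            # no version number in error pages or the Server header
    server_name_in_redirect off;  # if off, nginx will use the requested Host header
    source_charset utf-8;         # same value as "charset"
    tcp_nodelay on;               # Nagle buffering algorithm, used for keepalive only
    tcp_nopush off;

    ## Request limits: one shared zone keyed by client address, applied per server below.
    limit_req_zone $binary_remote_addr zone=gulag:1m rate=60r/m;

    ## Log Format
    log_format main '$remote_addr $host $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $ssl_cipher $request_time';

    # global SSL options with Perfect Forward Secrecy (PFS) high strength ciphers
    # first. PFS ciphers are those which start with ECDHE which means (EC)DHE
    # which stands for (Elliptic Curve) Diffie-Hellman Ephemeral.
    # RSA ciphers
    # CHANGED: ECDHE-RSA-RC4-SHA dropped from the end of the list. RC4 is
    # prohibited in TLS (RFC 7465) and the remaining ECDHE suites already give
    # every client a forward-secret option, so nothing is lost by removing it.
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA;
    # ECDSA ssl ciphers; google chrome preferred order, 128bit most preferred
    #ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA;
    ssl_ecdh_curve secp384r1;     # 384 bit prime modulus curve efficiently supports ECDHE ssl_ciphers up to a SHA384 hash
    ssl_prefer_server_ciphers on;
    # CHANGED: TLSv1 and TLSv1.1 removed; both are deprecated (RFC 8996) and
    # only offer CBC suites with SHA-1 MACs. TLSv1.3 is deliberately not listed:
    # nginx builds that still accept "spdy" on listen predate TLSv1.3 support,
    # so add it together with http2 when the server is upgraded.
    ssl_protocols TLSv1.2;
    #ssl_session_timeout 5m;      # SPDY timeout=180sec, keepalive=20sec; connection close=session expires

    ## http .:. redirect to https
    server {
        #add_header Alternate-Protocol "443:npn-spdy/3.1";
        add_header Cache-Control "public";  # a permanent redirect is safe to cache
        access_log /var/log/nginx/access.log main buffer=32k;
        error_log /var/log/nginx/error.log error;
        expires max;
        limit_req zone=gulag burst=200 nodelay;
        listen 127.0.0.1:80;
        root /var/empty;
        # $uri carries no query string, so arguments are intentionally dropped
        # on redirect ($request_uri would preserve them).
        return 301 https://example.com$uri;
    }

    ## https .:. (www.)example.com
    server {
        # These add_header lines are inherited by every location below that
        # does not declare an add_header of its own; a location that does
        # declare one inherits NONE of them and must repeat the full set.
        add_header Cache-Control "public";
        #add_header Content-Security-Policy "default-src 'none';style-src 'self';img-src 'self' data: ;";
        add_header X-Content-Type-Options "nosniff";
        add_header X-Frame-Options "DENY";
        # HSTS is only meaningful on the TLS server; ten years, subdomains included.
        add_header Strict-Transport-Security "max-age=315360000; includeSubdomains";
        access_log /var/log/nginx/access.log main;
        error_log /var/log/nginx/error.log info;
        expires max;
        index index.html;
        limit_req zone=gulag burst=200 nodelay;
        listen 127.0.0.1:443 ssl spdy;
        root /var/www/htdocs;
        #server_name example.com www.example.com;
        server_name "";

        # SSL certs
        ssl on;   # redundant with "ssl" on the listen line above, kept for older builds
        ssl_session_cache shared:SSL:1m;
        ssl_certificate /ssl_keys/example.com_ssl.crt;
        ssl_certificate_key /ssl_keys/example.com_ssl.key;
        ssl_stapling on;
        ssl_stapling_verify on;
        # Stapling needs a resolver to reach the OCSP responder, and
        # ssl_stapling_verify needs the issuer chain; neither is configured in
        # this file, so check error_log for OCSP fetch failures until they are
        # added, e.g.:
        #resolver <DNS_RESOLVER_IP_PLACEHOLDER> valid=300s;
        #ssl_trusted_certificate <PATH_TO_ISSUER_CHAIN_PLACEHOLDER>;

        # Note: if{} sections are very expensive to process. Only use an if{}
        # block if you really need it. Please take a look lower down on the
        # page for our discussion of if{} statements.

        ## Only allow GET and HEAD request methods. By default Nginx blocks
        ## all request types other than GET and HEAD for static content.
        # if ($request_method !~ ^(GET|HEAD)$ ) {
        #     return 405;
        # }

        ## Deny illegal Host headers.
        # if ($host !~* ^(mydomain.com|www.mydomain.com)$ ) {
        #     return 405;
        # }

        ## Deny certain User-Agents (case insensitive)
        ## The ~* makes it case insensitive as opposed to just a ~
        # if ($http_user_agent ~* (Baiduspider|Jullo) ) {
        #     return 405;
        # }

        ## Deny certain Referers (case insensitive)
        ## The ~* makes it case insensitive as opposed to just a ~
        # if ($http_referer ~* (girl|jewelry|love|nudit|organic|poker|porn|teen|video|webcam|zippo) ) {
        #     return 405;
        # }

        ## Redirect from www to non-www. Notice we are stripping out arguments with "?"
        # if ($host != 'mydomain.com') { return 301 https://mydomain.com$uri; }

        ## Stop Image and Document Hijacking
        #location ~* (\.jpg|\.png|\.css)$ {
        #    if ($http_referer !~ ^(http://mydomain.com) ) {
        #        return 405;
        #    }
        #}

        ## Restricted Access directory by password in the access_list file.
        ## Both the address allow-list AND basic auth must pass (nginx's
        ## default is "satisfy all").
        location ^~ /secure/ {
            allow 127.0.0.1/32;
            allow 10.10.10.0/24;
            deny all;
            auth_basic "RESTRICTED ACCESS";
            # The password file sits inside the document root, under the very
            # prefix this location serves, so anyone who passes the checks
            # above could download the hashes. Prefer a path outside the web
            # root; the nested location below refuses the file either way.
            auth_basic_user_file /var/www/htdocs/secure/access_list;
            location = /secure/access_list { return 404; }
            # CHANGED: the server-level "expires max" plus "Cache-Control:
            # public" would let shared caches store responses to authenticated
            # requests. Declaring add_header here discards every inherited
            # add_header, so the security headers are repeated.
            expires off;
            add_header Cache-Control "no-store";
            add_header X-Content-Type-Options "nosniff";
            add_header X-Frame-Options "DENY";
            add_header Strict-Transport-Security "max-age=315360000; includeSubdomains";
        }

        ## Serve an empty 1x1 gif _OR_ an error 204 (No Content) for favicon.ico
        location = /favicon.ico {
            #empty_gif;
            return 204;
        }

        # apple icons, all apple icon requests are served the same local file
        # location ~* /apple-touch-icon(.*)\.png$ { rewrite ^ /apple-touch-icon.png break; }

        ## default location with System Maintenance (Service Unavailable) check
        ## CHANGED: leading slash added so the maintenance page resolves under
        ## "root" like the $uri entries do; the original bare name did not
        ## match a file under the document root (confirm on the target build).
        location / { try_files /system_maintenance.html $uri $uri/ =404; }

        ## All other errors get the generic error page
        error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 495 496 497
                   500 501 502 503 504 505 506 507 /error_page.html;
        location /error_page.html { internal; }
    }
}
#######################################################
### copy from Calomel.org /etc/nginx.conf END
#######################################################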