Skip to content

Instantly share code, notes, and snippets.

@anadimisra
Created May 19, 2020 03:28
Show Gist options
  • Save anadimisra/4c286977ebe97a1c4c53be0a3f91b928 to your computer and use it in GitHub Desktop.
Save anadimisra/4c286977ebe97a1c4c53be0a3f91b928 to your computer and use it in GitHub Desktop.
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
worker_connections 1024;
multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 30;
types_hash_max_size 2048;
server_tokens off;
more_set_headers 'Server: ExampleCom';
client_max_body_size 5m;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
##
# Security Headers
##
# 1. Do not allow non listed inline components other than these sites
add_header Content-Security-Policy "default-src 'self' https://www.google-analytics.com https://www.gstatic.com https://fonts.gstatic.com https://fonts.googleapis.com https://www.google.com https://www.googletagmanager.com https://*.addthis.com https://*.addthisedge.com https://*.moatads.com https://mc.yandex.ru https://www.youtube.com https://*.linkedin.com data: 'unsafe-inline' 'unsafe-eval';" always;
# 2. XSS Filter
add_header X-Xss-Protection "1; mode=block" always;
# 3. Clickjacking
add_header X-Frame-Options "SAMEORIGIN" always;
# 4. Mime Fishing
add_header X-Content-Type-Options "nosniff" always;
# 5. Referrer Policy
add_header Referrer-Policy 'no-referrer-when-downgrade';
##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
# gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
gzip_types text/plain text/css text/javascript text/xml application/json application/javascript application/xml application/xml+rss image/svg+xml image/x-icon;
##
# Virtual Host Configs
##
server {
listen 80 default_server;
server_name _;
return 444;
}
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
upstream remark42 {
server 127.0.0.1:8080 weight=100 max_fails=5 fail_timeout=5;
}
server {
listen 80;
server_name www.example.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
gzip_types text/css text/x-component text/javascript text/x-js text/richtext text/plain text/xsd text/xsl text/xml text/vcard text/vnd.rim.location.xloc text/vtt text/x-cross-domain-policy text/cache-manifest application/x-javascript application/javascript application/xml application/rdf+xml application/rss+xml application/xhtml+xml application/atom+xml application/json application/ld+json application/manifest+json application/schema+json application/vnd.geo+json application/x-web-app-manifest+json application/java application/msword application/vnd.ms-fontobject application/x-msdownload application/vnd.ms-access application/vnd.ms-project application/x-font-otf application/vnd.ms-opentype application/vnd.oasis.opendocument.database application/vnd.oasis.opendocument.chart application/vnd.oasis.opendocument.formula application/vnd.oasis.opendocument.graphics application/vnd.oasis.opendocument.spreadsheet application/vnd.oasis.opendocument.text application/pdf application/vnd.ms-powerpoint application/x-shockwave-flash image/tiff application/x-font-ttf application/vnd.ms-write application/font-woff application/font-woff2 application/vnd.ms-excel image/svg+xml image/bmp image/x-icon image/webp image/vnd.microsoft.icon font/eot font/opentype font/woff2 audio/ogg audio/wav;
access_log /var/www/example.com/storage/logs/access.log;
error_log /var/www/example.com/storage/logs/error.log;
ssl_certificate /etc/nginx/ssl/example_com_chain.crt;
ssl_certificate_key /etc/nginx/ssl/example_com.key;
root /var/www/example.com/public/;
index index.php index.html index.htm;
# Pass the PHP scripts to FastCGI server (locally with unix: param to avoid network overhead)
location ~ \.php$ {
# Prevent Zero-day exploit
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
#NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
fastcgi_pass unix:/run/php/php7.4-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param APP_ENV production;
include fastcgi_params;
}
location /comments/ {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_pass http://remark42/;
}
##
# BEGIN: Caching for Non Minified Assets
##
# this block will catch files that might need to change immediately (e. g. to deploy hotfixes), such as js or css
# The ?: prefix is a 'non-capturing' mark, meaning we do not require
# the pattern to be captured into $1 which should help improve performance
location ~* \.(?:css|js)$ {
access_log on;
etag on;
if_modified_since exact;
add_header Pragma "public";
add_header Cache-Control "max-age=31557600, public, must-revalidate, proxy-revalidate";
}
# This block will catch static file requests, such as images
# The ?: prefix is a 'non-capturing' mark, meaning we do not require
# the pattern to be captured into $1 which should help improve performance
location ~ \.(html|htm|rtf|rtx|txt|xsd|xsl|xml)$ {
expires 3600s;
etag on;
if_modified_since exact;
add_header Pragma "public";
add_header Cache-Control "max-age=3600, public, must-revalidate, proxy-revalidate";
try_files $uri $uri/ $uri.html /index.php?$args;
}
location ~ \.(asf|asx|wax|wmv|wmx|avi|bmp|class|divx|doc|docx|exe|gif|gz|gzip|ico|jpg|jpeg|jpe|webp|json|mdb|mid|midi|mov|qt|mp3|m4a|mp4|m4v|mpeg|mpg|mpe|mpp|_otf|odb|odc|odf|odg|odp|ods|odt|ogg|pdf|png|pot|pps|ppt|pptx|ra|ram|svgz|swf|tar|tif|tiff|ttc|_ttf|wav|wma|wri|xla|xls|xlsx|xlt|xlw|zip)$ {
expires 31557600s;
etag on;
if_modified_since exact;
add_header Pragma "public";
add_header Cache-Control "max-age=31557600, public";
try_files $uri $uri/ $uri.html /index.php?$args;
}
# This block will catch static file requests of fonts and allows fonts to be requested via CORS
# The ?: prefix is a 'non-capturing' mark, meaning we do not require
# the pattern to be captured into $1 which should help improve performance
location ~* \.(?:eot|woff|woff2|ttf|svg|otf) {
access_log off;
etag on;
expires 1y;
if_modified_since exact;
add_header Cache-Control "max-age=31557600, public";
add_header Vary "Accept-Encoding";
add_header Content-Encoding gzip;
}
# Allow for larger uploads
client_max_body_size 6M;
large_client_header_buffers 4 32k;
# BEGIN: Global restrictions configuration
location = /favicon.ico {
log_not_found off;
access_log off;
}
# BEGIN: Global restrictions configuration
location = /favicon.png {
log_not_found off;
access_log off;
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~ /\. {
deny all;
}
# Block firewall specific PHP settings
location ~ ^/\.user\.ini {
deny all;
}
# this site runs only php under fastcgi
location ~* .(pl|cgi|py|sh|lua)$ {
return 444;
}
# our images cannot be cross linked to other sites
location ~ .(gif|png|jpe?g)$ {
valid_referers none blocked example.com *.example.com;
if ($invalid_referer) {
return 403;
}
}
location / {
try_files $uri $uri/ /index.php?$args;
}
# END: Global restrictions configuration
# Permanent redirects to external blog sites
rewrite ^/blog/medium$ https://medium.com/@example permanent;
rewrite ^/blog/tumblr$ https://example.tumblr.com permanent;
rewrite ^/blog/wordpress$ https://example.wordpress.com permanent;
error_page 500 502 503 504 /500.html;
keepalive_timeout 15;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment