# Main (core) context: run workers as www-data, size the worker pool from
# the CPU count, record the master pid, and pull in the dynamic-module
# load_module stubs before anything in http{} can reference them.
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
    # Upper bound on simultaneous connections per worker.
    worker_connections 1024;
    # Accept every pending connection on a wake-up instead of one at a time.
    multi_accept on;
}
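http {
    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 30;
    types_hash_max_size 2048;
    # Hide the version and replace the Server header outright. more_set_headers
    # comes from the headers-more module, which must be loaded via the
    # modules-enabled include in the main context.
    server_tokens off;
    more_set_headers 'Server: ExampleCom';
    client_max_body_size 5m;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##
    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and rejected by current
    # browser and PCI policy, so only 1.2 and 1.3 are offered. TLS 1.3 takes
    # effect only when nginx is linked against a library that supports it
    # (OpenSSL 1.1.1 or later); older builds simply ignore the token.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Same suite list as before with the four 3DES (DES-CBC3) entries removed:
    # 64-bit block ciphers are subject to SWEET32 and no supported client
    # still needs them. The remaining CBC/SHA1 suites are kept for
    # compatibility; prefer trimming to the GCM/CHACHA20 set when possible.
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    # NOTE(review): ssl_session_tickets and ssl_stapling are left at their
    # defaults here. Session tickets are on by default and the ticket key
    # lives for the lifetime of the process, which weakens forward secrecy
    # unless ssl_session_ticket_key is rotated or tickets are disabled.

    # HSTS for one year including subdomains. `always` so it is also sent on
    # error responses, consistent with the security headers below. Being in
    # the http context it is sent on plain-HTTP responses too, where
    # browsers ignore it — harmless.
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains" always;

    ##
    # Security Headers
    ##
    # IMPORTANT: nginx inherits add_header into a server/location only when
    # that level sets NO add_header of its own. Any location that adds, e.g.,
    # Cache-Control must repeat (or include a snippet with) every header
    # below, or it silently loses them.
    #
    # NOTE(review): with 'unsafe-inline', 'unsafe-eval' and data: in
    # default-src this policy mostly limits external hosts and gives little
    # protection against injected inline script; tighten once inline code is
    # removed or nonced.
    # 1. Do not allow non listed inline components other than these sites
    add_header Content-Security-Policy "default-src 'self' https://www.google-analytics.com https://www.gstatic.com https://fonts.gstatic.com https://fonts.googleapis.com https://www.google.com https://www.googletagmanager.com https://*.addthis.com https://*.addthisedge.com https://*.moatads.com https://mc.yandex.ru https://www.youtube.com https://*.linkedin.com data: 'unsafe-inline' 'unsafe-eval';" always;
    # 2. Legacy browser XSS filter (current guidance is to rely on CSP and set
    #    this to "0"; value left unchanged here)
    add_header X-Xss-Protection "1; mode=block" always;
    # 3. Clickjacking
    add_header X-Frame-Options "SAMEORIGIN" always;
    # 4. MIME sniffing
    add_header X-Content-Type-Options "nosniff" always;
    # 5. Referrer Policy (now `always`, consistent with the others)
    add_header Referrer-Policy 'no-referrer-when-downgrade' always;

    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##
    # NOTE(review): compressing dynamic responses over TLS exposes
    # reflected secrets to BREACH-style attacks; the gzip_types list below
    # includes application/json, so keep CSRF tokens out of compressed
    # responses or exclude those content types.
    gzip on;
    gzip_disable "msie6";
    # gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    gzip_types text/plain text/css text/javascript text/xml application/json application/javascript application/xml application/xml+rss image/svg+xml image/x-icon;

    ##
    # Virtual Host Configs
    ##
    # Catch-all for plain HTTP: requests for unknown hosts are dropped
    # without a response. NOTE(review): there is no matching default_server
    # for 443, so the first TLS server loaded from the includes below answers
    # for unknown SNI names and bare-IP requests.
    server {
        listen 80 default_server;
        server_name _;
        return 444;
    }
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}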
# remark42 comment backend on the loopback interface. After max_fails failed
# attempts within fail_timeout seconds the server is considered down for the
# same fail_timeout window.
upstream remark42 {
    server 127.0.0.1:8080 weight=100 max_fails=5 fail_timeout=5;
}
# Plain-HTTP front door: every request is bounced to HTTPS with a permanent
# redirect. Using $server_name (the configured name) rather than $host keeps
# the redirect target independent of the request's Host header.
server {
    listen 80;
    server_name www.example.com;
    return 301 https://$server_name$request_uri;
}
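server {
    listen 443 ssl http2;
    # NOTE(review): no server_name is set, so this is the default (and only)
    # TLS server for any SNI name or bare IP reaching port 443; add
    # `server_name www.example.com;` if only that host should be served.
    #
    # NOTE(review): nginx inherits add_header from the http/server level into
    # a location only when that location sets NO add_header of its own. Every
    # caching location below that sets Pragma/Cache-Control/Vary therefore
    # drops the security headers (CSP, X-Frame-Options, HSTS, ...) defined in
    # the main http block. Keep those headers in a shared snippet and include
    # it in each of those locations.
    gzip_types text/css text/x-component text/javascript text/x-js text/richtext text/plain text/xsd text/xsl text/xml text/vcard text/vnd.rim.location.xloc text/vtt text/x-cross-domain-policy text/cache-manifest application/x-javascript application/javascript application/xml application/rdf+xml application/rss+xml application/xhtml+xml application/atom+xml application/json application/ld+json application/manifest+json application/schema+json application/vnd.geo+json application/x-web-app-manifest+json application/java application/msword application/vnd.ms-fontobject application/x-msdownload application/vnd.ms-access application/vnd.ms-project application/x-font-otf application/vnd.ms-opentype application/vnd.oasis.opendocument.database application/vnd.oasis.opendocument.chart application/vnd.oasis.opendocument.formula application/vnd.oasis.opendocument.graphics application/vnd.oasis.opendocument.spreadsheet application/vnd.oasis.opendocument.text application/pdf application/vnd.ms-powerpoint application/x-shockwave-flash image/tiff application/x-font-ttf application/vnd.ms-write application/font-woff application/font-woff2 application/vnd.ms-excel image/svg+xml image/bmp image/x-icon image/webp image/vnd.microsoft.icon font/eot font/opentype font/woff2 audio/ogg audio/wav;
    access_log /var/www/example.com/storage/logs/access.log;
    error_log /var/www/example.com/storage/logs/error.log;
    ssl_certificate /etc/nginx/ssl/example_com_chain.crt;
    ssl_certificate_key /etc/nginx/ssl/example_com.key;
    root /var/www/example.com/public/;
    index index.php index.html index.htm;

    # Allow for larger uploads (overrides the http-level limit)
    client_max_body_size 6M;
    large_client_header_buffers 4 32k;

    ##
    # BEGIN: Global restrictions configuration
    ##
    # Regex locations are matched in order of appearance and the first match
    # wins, so the deny rules must come BEFORE the caching/static blocks. In
    # the original order a request such as /.hidden.json or /.htaccess.txt
    # matched a static-file location first and was served instead of denied.

    # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
    # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
    # This also blocks /.well-known/; add a `location ^~ /.well-known/`
    # ahead of it if ACME HTTP-01 validation is ever needed.
    location ~ /\. {
        deny all;
    }
    # Block firewall specific PHP settings (already covered by the rule above;
    # kept for explicitness)
    location ~ ^/\.user\.ini {
        deny all;
    }
    # this site runs only php under fastcgi
    # The dot is now escaped: the unescaped `.` matched any character, so
    # ordinary URLs ending in "sh" or "py" (e.g. /trash, /happy) were dropped.
    location ~* \.(pl|cgi|py|sh|lua)$ {
        return 444;
    }

    # Pass the PHP scripts to FastCGI server (locally with unix: param to avoid network overhead)
    location ~ \.php$ {
        # Prevent Zero-day exploit: only scripts that exist on disk are
        # handed to PHP-FPM
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
        fastcgi_pass unix:/run/php/php7.4-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param APP_ENV production;
        include fastcgi_params;
    }

    # Comment widget: /comments/ is proxied to the remark42 upstream with the
    # prefix stripped (trailing slash on proxy_pass).
    location /comments/ {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_pass http://remark42/;
    }

    ##
    # BEGIN: Caching for Non Minified Assets
    ##
    # our images cannot be cross linked to other sites
    # Moved ahead of the generic static-file block: that block already lists
    # gif/png/jpg, so in the original order this hotlink check was never
    # reached. The dot is escaped (was `.` = any character) and the caching
    # directives are duplicated so images keep the same cache policy.
    location ~ \.(gif|png|jpe?g)$ {
        valid_referers none blocked example.com *.example.com;
        if ($invalid_referer) {
            return 403;
        }
        expires 31557600s;
        etag on;
        if_modified_since exact;
        add_header Pragma "public";
        add_header Cache-Control "max-age=31557600, public";
        try_files $uri $uri/ $uri.html /index.php?$args;
    }
    # this block will catch files that might need to change immediately (e. g. to deploy hotfixes), such as js or css
    # The ?: prefix is a 'non-capturing' mark, meaning we do not require
    # the pattern to be captured into $1 which should help improve performance
    location ~* \.(?:css|js)$ {
        access_log on;
        etag on;
        if_modified_since exact;
        add_header Pragma "public";
        add_header Cache-Control "max-age=31557600, public, must-revalidate, proxy-revalidate";
    }
    # This block will catch static text/markup requests
    location ~ \.(html|htm|rtf|rtx|txt|xsd|xsl|xml)$ {
        expires 3600s;
        etag on;
        if_modified_since exact;
        add_header Pragma "public";
        add_header Cache-Control "max-age=3600, public, must-revalidate, proxy-revalidate";
        try_files $uri $uri/ $uri.html /index.php?$args;
    }
    # This block will catch other static file requests, such as documents and media
    location ~ \.(asf|asx|wax|wmv|wmx|avi|bmp|class|divx|doc|docx|exe|gif|gz|gzip|ico|jpg|jpeg|jpe|webp|json|mdb|mid|midi|mov|qt|mp3|m4a|mp4|m4v|mpeg|mpg|mpe|mpp|_otf|odb|odc|odf|odg|odp|ods|odt|ogg|pdf|png|pot|pps|ppt|pptx|ra|ram|svgz|swf|tar|tif|tiff|ttc|_ttf|wav|wma|wri|xla|xls|xlsx|xlt|xlw|zip)$ {
        expires 31557600s;
        etag on;
        if_modified_since exact;
        add_header Pragma "public";
        add_header Cache-Control "max-age=31557600, public";
        try_files $uri $uri/ $uri.html /index.php?$args;
    }
    # This block will catch static file requests of fonts and allows fonts to be requested via CORS
    # The ?: prefix is a 'non-capturing' mark, meaning we do not require
    # the pattern to be captured into $1 which should help improve performance
    # A `$` anchor is added: without it the pattern matched the extension
    # anywhere in the URI rather than only at its end.
    location ~* \.(?:eot|woff|woff2|ttf|svg|otf)$ {
        access_log off;
        etag on;
        expires 1y;
        if_modified_since exact;
        add_header Cache-Control "max-age=31557600, public";
        add_header Vary "Accept-Encoding";
        # NOTE(review): this labels every font response as gzip-compressed
        # regardless of the bytes on disk, and the gzip filter does not
        # recompress a response that already carries Content-Encoding. Unless
        # the font files are stored pre-compressed this yields undecodable
        # responses; in that case remove this line and rely on gzip_types.
        add_header Content-Encoding gzip;
    }

    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
    location = /favicon.png {
        log_not_found off;
        access_log off;
    }
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    # Front controller: anything not matched above falls through to PHP.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
    # END: Global restrictions configuration

    # Permanent redirects to external blog sites
    rewrite ^/blog/medium$ https://medium.com/@example permanent;
    rewrite ^/blog/tumblr$ https://example.tumblr.com permanent;
    rewrite ^/blog/wordpress$ https://example.wordpress.com permanent;
    error_page 500 502 503 504 /500.html;
    keepalive_timeout 15;
}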