anadimisra/nginx.conf

## nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
	worker_connections 1024;
	multi_accept on;
}

http {

	##
	# Basic Settings
	##
	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 30;
	types_hash_max_size 2048;
	server_tokens off;
	more_set_headers 'Server: ExampleCom';
	client_max_body_size 5m;
	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# SSL Settings
	##
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
	ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
	ssl_prefer_server_ciphers on;
	ssl_dhparam /etc/nginx/ssl/dhparam.pem;
	add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 10m;

	##
	# Security Headers
	##
	# 1. Do not allow non listed inline components other than these sites
	add_header Content-Security-Policy "default-src 'self' https://www.google-analytics.com https://www.gstatic.com https://fonts.gstatic.com https://fonts.googleapis.com https://www.google.com https://www.googletagmanager.com https://*.addthis.com https://*.addthisedge.com https://*.moatads.com  https://mc.yandex.ru https://www.youtube.com https://*.linkedin.com data: 'unsafe-inline' 'unsafe-eval';" always;
	# 2. XSS Filter
	add_header X-Xss-Protection "1; mode=block" always;
	# 3. Clickjacking
	add_header X-Frame-Options "SAMEORIGIN" always;
	# 4. Mime Fishing
	add_header X-Content-Type-Options "nosniff" always;
    # 5. Referrer Policy
    add_header Referrer-Policy 'no-referrer-when-downgrade';

	##
	# Logging Settings
	##
	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	##
	# Gzip Settings
	##
	gzip on;
	gzip_disable "msie6";

	# gzip_vary on;
	gzip_proxied any;
	gzip_comp_level 6;
	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	gzip_types text/plain text/css text/javascript text/xml application/json application/javascript  application/xml application/xml+rss image/svg+xml image/x-icon;

	##
	# Virtual Host Configs
	##
	server {
           listen 80 default_server;
           server_name _;
           return 444;
    	}

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
}

## site.conf
upstream remark42 {
	server 127.0.0.1:8080 weight=100 max_fails=5 fail_timeout=5;
}

server {
    listen 80;
    server_name www.example.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;

    gzip_types text/css text/x-component text/javascript text/x-js text/richtext text/plain text/xsd text/xsl text/xml text/vcard text/vnd.rim.location.xloc text/vtt text/x-cross-domain-policy text/cache-manifest application/x-javascript application/javascript application/xml application/rdf+xml application/rss+xml application/xhtml+xml application/atom+xml  application/json application/ld+json application/manifest+json application/schema+json application/vnd.geo+json application/x-web-app-manifest+json application/java application/msword application/vnd.ms-fontobject application/x-msdownload application/vnd.ms-access application/vnd.ms-project application/x-font-otf application/vnd.ms-opentype application/vnd.oasis.opendocument.database application/vnd.oasis.opendocument.chart application/vnd.oasis.opendocument.formula application/vnd.oasis.opendocument.graphics application/vnd.oasis.opendocument.spreadsheet application/vnd.oasis.opendocument.text application/pdf application/vnd.ms-powerpoint application/x-shockwave-flash image/tiff application/x-font-ttf application/vnd.ms-write application/font-woff application/font-woff2 application/vnd.ms-excel image/svg+xml image/bmp image/x-icon image/webp image/vnd.microsoft.icon font/eot font/opentype font/woff2 audio/ogg audio/wav;

    access_log /var/www/example.com/storage/logs/access.log;
    error_log /var/www/example.com/storage/logs/error.log;

    ssl_certificate /etc/nginx/ssl/example_com_chain.crt;
    ssl_certificate_key /etc/nginx/ssl/example_com.key;

    root /var/www/example.com/public/;
    index index.php index.html index.htm;

    # Pass the PHP scripts to FastCGI server (locally with unix: param to avoid network overhead)
    location ~ \.php$ {
        # Prevent Zero-day exploit
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
        fastcgi_pass    unix:/run/php/php7.4-fpm.sock;
        fastcgi_index   index.php;
        fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param   APP_ENV  production;
        include         fastcgi_params;
    }

    location /comments/ {
        proxy_set_header X-Forwarded-Host $host;
 	proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
	proxy_pass http://remark42/;
    }

    ##
    # BEGIN: Caching for Non Minified Assets
    ##
    # this block will catch files that might need to change immediately (e. g. to deploy hotfixes), such as js or css
    # The ?: prefix is a 'non-capturing' mark, meaning we do not require
    # the pattern to be captured into $1 which should help improve performance
    location ~* \.(?:css|js)$ {
        access_log        on;
        etag              on;
        if_modified_since exact;
        add_header Pragma "public";
        add_header        Cache-Control "max-age=31557600, public, must-revalidate, proxy-revalidate";
    }

    # This block will catch static file requests, such as images
    # The ?: prefix is a 'non-capturing' mark, meaning we do not require
    # the pattern to be captured into $1 which should help improve performance
    location ~ \.(html|htm|rtf|rtx|txt|xsd|xsl|xml)$ {
        expires 3600s;
        etag on;
        if_modified_since exact;
        add_header Pragma "public";
        add_header Cache-Control "max-age=3600, public, must-revalidate, proxy-revalidate";
        try_files $uri $uri/ $uri.html /index.php?$args;
    }

    location ~ \.(asf|asx|wax|wmv|wmx|avi|bmp|class|divx|doc|docx|exe|gif|gz|gzip|ico|jpg|jpeg|jpe|webp|json|mdb|mid|midi|mov|qt|mp3|m4a|mp4|m4v|mpeg|mpg|mpe|mpp|_otf|odb|odc|odf|odg|odp|ods|odt|ogg|pdf|png|pot|pps|ppt|pptx|ra|ram|svgz|swf|tar|tif|tiff|ttc|_ttf|wav|wma|wri|xla|xls|xlsx|xlt|xlw|zip)$ {
        expires 31557600s;
        etag on;
        if_modified_since exact;
        add_header Pragma "public";
        add_header Cache-Control "max-age=31557600, public";
        try_files $uri $uri/ $uri.html /index.php?$args;
    }

    # This block will catch static file requests of fonts and allows fonts to be requested via CORS
    # The ?: prefix is a 'non-capturing' mark, meaning we do not require
    # the pattern to be captured into $1 which should help improve performance
    location ~* \.(?:eot|woff|woff2|ttf|svg|otf) {
        access_log        off;
        etag              on;
        expires           1y;
        if_modified_since exact;
        add_header        Cache-Control "max-age=31557600, public";
        add_header Vary "Accept-Encoding";
        add_header Content-Encoding gzip;
    }

    # Allow for larger uploads
    client_max_body_size 6M;
    large_client_header_buffers 4 32k;

    # BEGIN: Global restrictions configuration
    location = /favicon.ico {
      log_not_found off;
      access_log off;
    }

# BEGIN: Global restrictions configuration
    location = /favicon.png {
      log_not_found off;
      access_log off;
    }

    location = /robots.txt {
      allow all;
      log_not_found off;
      access_log off;
    }

    # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
    # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
    location ~ /\. {
      deny all;
    }

    # Block firewall specific PHP settings
    location ~ ^/\.user\.ini {
      deny all;
    }

    # this site runs only php under fastcgi
    location ~* .(pl|cgi|py|sh|lua)$ {
        return 444;
    }

    # our images cannot be cross linked to other sites
    location ~ .(gif|png|jpe?g)$ {
       valid_referers none blocked example.com *.example.com;
          if ($invalid_referer) {
             return   403;
       }
    }

    location / {
      try_files $uri $uri/ /index.php?$args;
    }
    # END: Global restrictions configuration

    # Permanent redirects to external blog sites
    rewrite ^/blog/medium$ https://medium.com/@example permanent;
    rewrite ^/blog/tumblr$ https://example.tumblr.com permanent;
    rewrite ^/blog/wordpress$ https://example.wordpress.com permanent;

    error_page 500 502 503 504 /500.html;
    keepalive_timeout 15;
}
	user www-data;
	worker_processes auto;
	pid /run/nginx.pid;
	include /etc/nginx/modules-enabled/*.conf;

	events {
	worker_connections 1024;
	multi_accept on;
	}

	http {

	##
	# Basic Settings
	##
	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 30;
	types_hash_max_size 2048;
	server_tokens off;
	more_set_headers 'Server: ExampleCom';
	client_max_body_size 5m;
	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# SSL Settings
	##
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
	ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
	ssl_prefer_server_ciphers on;
	ssl_dhparam /etc/nginx/ssl/dhparam.pem;
	add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 10m;

	##
	# Security Headers
	##
	# 1. Do not allow non listed inline components other than these sites
	add_header Content-Security-Policy "default-src 'self' https://www.google-analytics.com https://www.gstatic.com https://fonts.gstatic.com https://fonts.googleapis.com https://www.google.com https://www.googletagmanager.com https://.addthis.com https://.addthisedge.com https://.moatads.com https://mc.yandex.ru https://www.youtube.com https://.linkedin.com data: 'unsafe-inline' 'unsafe-eval';" always;
	# 2. XSS Filter
	add_header X-Xss-Protection "1; mode=block" always;
	# 3. Clickjacking
	add_header X-Frame-Options "SAMEORIGIN" always;
	# 4. Mime Fishing
	add_header X-Content-Type-Options "nosniff" always;
	# 5. Referrer Policy
	add_header Referrer-Policy 'no-referrer-when-downgrade';

	##
	# Logging Settings
	##
	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	##
	# Gzip Settings
	##
	gzip on;
	gzip_disable "msie6";

	# gzip_vary on;
	gzip_proxied any;
	gzip_comp_level 6;
	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	gzip_types text/plain text/css text/javascript text/xml application/json application/javascript application/xml application/xml+rss image/svg+xml image/x-icon;

	##
	# Virtual Host Configs
	##
	server {
	listen 80 default_server;
	server_name _;
	return 444;
	}

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
	}
	upstream remark42 {
	server 127.0.0.1:8080 weight=100 max_fails=5 fail_timeout=5;
	}

	server {
	listen 80;
	server_name www.example.com;
	return 301 https://$server_name$request_uri;
	}

	server {
	listen 443 ssl http2;

	gzip_types text/css text/x-component text/javascript text/x-js text/richtext text/plain text/xsd text/xsl text/xml text/vcard text/vnd.rim.location.xloc text/vtt text/x-cross-domain-policy text/cache-manifest application/x-javascript application/javascript application/xml application/rdf+xml application/rss+xml application/xhtml+xml application/atom+xml application/json application/ld+json application/manifest+json application/schema+json application/vnd.geo+json application/x-web-app-manifest+json application/java application/msword application/vnd.ms-fontobject application/x-msdownload application/vnd.ms-access application/vnd.ms-project application/x-font-otf application/vnd.ms-opentype application/vnd.oasis.opendocument.database application/vnd.oasis.opendocument.chart application/vnd.oasis.opendocument.formula application/vnd.oasis.opendocument.graphics application/vnd.oasis.opendocument.spreadsheet application/vnd.oasis.opendocument.text application/pdf application/vnd.ms-powerpoint application/x-shockwave-flash image/tiff application/x-font-ttf application/vnd.ms-write application/font-woff application/font-woff2 application/vnd.ms-excel image/svg+xml image/bmp image/x-icon image/webp image/vnd.microsoft.icon font/eot font/opentype font/woff2 audio/ogg audio/wav;

	access_log /var/www/example.com/storage/logs/access.log;
	error_log /var/www/example.com/storage/logs/error.log;

	ssl_certificate /etc/nginx/ssl/example_com_chain.crt;
	ssl_certificate_key /etc/nginx/ssl/example_com.key;

	root /var/www/example.com/public/;
	index index.php index.html index.htm;

	# Pass the PHP scripts to FastCGI server (locally with unix: param to avoid network overhead)
	location ~ \.php$ {
	# Prevent Zero-day exploit
	try_files $uri =404;
	fastcgi_split_path_info ^(.+\.php)(/.+)$;
	#NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
	fastcgi_pass unix:/run/php/php7.4-fpm.sock;
	fastcgi_index index.php;
	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	fastcgi_param APP_ENV production;
	include fastcgi_params;
	}

	location /comments/ {
	proxy_set_header X-Forwarded-Host $host;
	proxy_set_header X-Forwarded-Server $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto https;
	proxy_pass http://remark42/;
	}

	##
	# BEGIN: Caching for Non Minified Assets
	##
	# this block will catch files that might need to change immediately (e. g. to deploy hotfixes), such as js or css
	# The ?: prefix is a 'non-capturing' mark, meaning we do not require
	# the pattern to be captured into $1 which should help improve performance
	location ~* \.(?:css\|js)$ {
	access_log on;
	etag on;
	if_modified_since exact;
	add_header Pragma "public";
	add_header Cache-Control "max-age=31557600, public, must-revalidate, proxy-revalidate";
	}

	# This block will catch static file requests, such as images
	# The ?: prefix is a 'non-capturing' mark, meaning we do not require
	# the pattern to be captured into $1 which should help improve performance
	location ~ \.(html\|htm\|rtf\|rtx\|txt\|xsd\|xsl\|xml)$ {
	expires 3600s;
	etag on;
	if_modified_since exact;
	add_header Pragma "public";
	add_header Cache-Control "max-age=3600, public, must-revalidate, proxy-revalidate";
	try_files $uri $uri/ $uri.html /index.php?$args;
	}

	location ~ \.(asf\|asx\|wax\|wmv\|wmx\|avi\|bmp\|class\|divx\|doc\|docx\|exe\|gif\|gz\|gzip\|ico\|jpg\|jpeg\|jpe\|webp\|json\|mdb\|mid\|midi\|mov\|qt\|mp3\|m4a\|mp4\|m4v\|mpeg\|mpg\|mpe\|mpp\|_otf\|odb\|odc\|odf\|odg\|odp\|ods\|odt\|ogg\|pdf\|png\|pot\|pps\|ppt\|pptx\|ra\|ram\|svgz\|swf\|tar\|tif\|tiff\|ttc\|_ttf\|wav\|wma\|wri\|xla\|xls\|xlsx\|xlt\|xlw\|zip)$ {
	expires 31557600s;
	etag on;
	if_modified_since exact;
	add_header Pragma "public";
	add_header Cache-Control "max-age=31557600, public";
	try_files $uri $uri/ $uri.html /index.php?$args;
	}

	# This block will catch static file requests of fonts and allows fonts to be requested via CORS
	# The ?: prefix is a 'non-capturing' mark, meaning we do not require
	# the pattern to be captured into $1 which should help improve performance
	location ~* \.(?:eot\|woff\|woff2\|ttf\|svg\|otf) {
	access_log off;
	etag on;
	expires 1y;
	if_modified_since exact;
	add_header Cache-Control "max-age=31557600, public";
	add_header Vary "Accept-Encoding";
	add_header Content-Encoding gzip;
	}

	# Allow for larger uploads
	client_max_body_size 6M;
	large_client_header_buffers 4 32k;

	# BEGIN: Global restrictions configuration
	location = /favicon.ico {
	log_not_found off;
	access_log off;
	}

	# BEGIN: Global restrictions configuration
	location = /favicon.png {
	log_not_found off;
	access_log off;
	}

	location = /robots.txt {
	allow all;
	log_not_found off;
	access_log off;
	}

	# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
	# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
	location ~ /\. {
	deny all;
	}

	# Block firewall specific PHP settings
	location ~ ^/\.user\.ini {
	deny all;
	}

	# this site runs only php under fastcgi
	location ~* .(pl\|cgi\|py\|sh\|lua)$ {
	return 444;
	}

	# our images cannot be cross linked to other sites
	location ~ .(gif\|png\|jpe?g)$ {
	valid_referers none blocked example.com *.example.com;
	if ($invalid_referer) {
	return 403;
	}
	}

	location / {
	try_files $uri $uri/ /index.php?$args;
	}
	# END: Global restrictions configuration

	# Permanent redirects to external blog sites
	rewrite ^/blog/medium$ https://medium.com/@example permanent;
	rewrite ^/blog/tumblr$ https://example.tumblr.com permanent;
	rewrite ^/blog/wordpress$ https://example.wordpress.com permanent;

	error_page 500 502 503 504 /500.html;
	keepalive_timeout 15;
	}