NGINX SSL Docker + static website + performance + security
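user nginx;

# PERFORMANCE
# https://gist.github.com/denji/8359866

# One worker per CPU core; nginx gains nothing from more than that, and
# "auto" lets recent releases work the count out themselves.
worker_processes auto;

# Per-worker open-file limit. The hard ceiling is set by the OS; when this
# directive is absent the OS default applies (commonly a low value such as
# 2000 on older systems).
worker_rlimit_nofile 100000;

# Main-context log level. The http{} block below narrows it to "crit" for
# everything under http.
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;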
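# Context for the directives that affect connection processing.
events {
    # Clients served per worker.
    # max clients ~= worker_connections * worker_processes, further bounded by
    # the number of socket connections the system can hand out (~64k).
    worker_connections 4000;

    # epoll is the efficient event method for many clients on Linux
    # (tuned for a testing environment).
    use epoll;

    # Accept every pending connection at once; this can exhaust
    # worker_connections if that value is set too low (testing environment).
    multi_accept on;
}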
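http {
    # Caching of FD/file metadata can boost performance, but the values must
    # be measured against the real workload before enabling them.
    # open_file_cache max=200000 inactive=20s;
    # open_file_cache_valid 30s;
    # open_file_cache_min_uses 2;
    # open_file_cache_errors on;

    # Inline MIME table (the image's mime.types file is not included here).
    # Keep it in step with the static-content location below: an extension
    # missing from this table is served as default_type, and with
    # X-Content-Type-Options: nosniff the browser will not guess a type for it.
    types {
        text/html                             html htm shtml;
        text/css                              css;
        text/xml                              xml;
        image/gif                             gif;
        image/jpeg                            jpeg jpg;
        application/javascript                js;
        application/atom+xml                  atom;
        application/rss+xml                   rss;

        text/mathml                           mml;
        text/plain                            txt;
        text/vnd.sun.j2me.app-descriptor      jad;
        text/vnd.wap.wml                      wml;
        text/x-component                      htc;

        image/png                             png;
        image/tiff                            tif tiff;
        image/vnd.wap.wbmp                    wbmp;
        image/x-icon                          ico;
        image/x-jng                           jng;
        image/x-ms-bmp                        bmp;
        image/svg+xml                         svg svgz;
        image/webp                            webp;

        application/font-woff                 woff;
        # woff2 is matched by the static-content location below but had no
        # type here, so it fell through to application/octet-stream.
        font/woff2                            woff2;
        application/java-archive              jar war ear;
        application/json                      json;
        application/mac-binhex40              hqx;
        application/msword                    doc;
        application/pdf                       pdf;
        application/postscript                ps eps ai;
        application/rtf                       rtf;
        application/vnd.apple.mpegurl         m3u8;
        application/vnd.ms-excel              xls;
        application/vnd.ms-fontobject         eot;
        application/vnd.ms-powerpoint         ppt;
        application/vnd.wap.wmlc              wmlc;
        application/vnd.google-earth.kml+xml  kml;
        application/vnd.google-earth.kmz      kmz;
        application/x-7z-compressed           7z;
        application/x-cocoa                   cco;
        application/x-java-archive-diff       jardiff;
        application/x-java-jnlp-file          jnlp;
        application/x-makeself                run;
        application/x-perl                    pl pm;
        application/x-pilot                   prc pdb;
        application/x-rar-compressed          rar;
        application/x-redhat-package-manager  rpm;
        application/x-sea                     sea;
        application/x-shockwave-flash         swf;
        application/x-stuffit                 sit;
        application/x-tcl                     tcl tk;
        application/x-x509-ca-cert            der pem crt;
        application/x-xpinstall               xpi;
        application/xhtml+xml                 xhtml;
        application/xspf+xml                  xspf;
        application/zip                       zip;

        application/octet-stream              bin exe dll;
        application/octet-stream              deb;
        application/octet-stream              dmg;
        application/octet-stream              iso img;
        application/octet-stream              msi msp msm;

        application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
        application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
        application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

        audio/midi                            mid midi kar;
        audio/mpeg                            mp3;
        audio/ogg                             ogg;
        audio/x-m4a                           m4a;
        audio/x-realaudio                     ra;

        video/3gpp                            3gpp 3gp;
        video/mp2t                            ts;
        video/mp4                             mp4;
        video/mpeg                            mpeg mpg;
        video/quicktime                       mov;
        video/webm                            webm;
        video/x-flv                           flv;
        video/x-m4v                           m4v;
        video/x-mng                           mng;
        video/x-ms-asf                        asx asf;
        video/x-ms-wmv                        wmv;
        video/x-msvideo                       avi;
    }
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    # Disabled to spare disk I/O on HDD. Be aware this also removes the only
    # per-request audit trail nginx produces; if requests ever need to be
    # investigated, re-enable it with a buffer to keep the write cost low, e.g.
    # access_log /var/log/nginx/access.log main buffer=32k;
    access_log off;

    # Only log critical errors (overrides the main-context "warn" level for
    # everything under http).
    error_log /var/log/nginx/error.log crit;

    # Copies data between FDs inside the kernel; faster than read() + write().
    sendfile on;
    # Send headers in one piece instead of one by one.
    tcp_nopush on;
    # Don't buffer data sent; good for small data bursts in real time.
    tcp_nodelay on;

    # Reduce the data that needs to be sent over the network.
    # Compression over TLS is only acceptable here because the site is static:
    # no per-user secrets are reflected into responses, so BREACH-style
    # compression side channels have nothing to recover.
    gzip on;
    gzip_min_length 10240;
    gzip_proxied expired no-cache no-store private auth;
    # application/javascript is the type the table above assigns to .js, so it
    # has to be listed here or JavaScript is never compressed; svg likewise.
    gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/javascript application/json application/xml image/svg+xml;
    gzip_disable msie6;
    gzip_static on;

    # Let the server close the connection on a non-responding client; frees memory.
    reset_timedout_connection on;
    # Request body timeout -- default 60.
    client_body_timeout 10;
    # If the client stops responding, free the memory -- default 60.
    send_timeout 2;
    # Server closes idle keep-alive connections after this time -- default 75.
    keepalive_timeout 30;
    # Requests a client may make over one keep-alive connection -- testing environment.
    keepalive_requests 100000;

    # SECURITY
    # https://gist.github.com/plentz/6737338
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/
    # read more here http://tautt.com/best-nginx-configuration-for-security/

    # Don't send the nginx version number in error pages and the Server header.
    server_tokens off;

    # NOTE: the response security headers (X-Frame-Options, nosniff, CSP, ...)
    # are declared inside the TLS server block below, together with HSTS.
    # nginx does not inherit add_header from http{} into a block that defines
    # its own add_header, so declaring them here while HSTS lives in the server
    # block silently drops all of them from the served pages.

    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
        # $host echoes the client-supplied Host header; as this is the
        # default_server with no server_name, any Host value is redirected
        # to itself. Set server_name and redirect to it once the site's name
        # is fixed.
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        root /usr/share/nginx/html;
        index index.html index.htm;
        # server_name ssltunnel.net;
        # rewrite ^ https://www.ssltunnel.net$request_uri? permanent;

        # `ssl on;` removed: `listen ... ssl` above already enables TLS and the
        # directive is deprecated (newer nginx releases reject it).
        ssl_certificate /etc/nginx/ssl/nginx-selfsigned.crt;
        ssl_certificate_key /etc/nginx/ssl/nginx-selfsigned.key;

        # Enable session resumption to improve HTTPS performance.
        # http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
        ssl_session_cache shared:SSL:50m;
        ssl_session_timeout 5m;

        # Diffie-Hellman parameters for DHE ciphersuites; 2048 bits recommended.
        ssl_dhparam /etc/nginx/ssl/dhparam.pem;

        # Server picks the suite from the ordered list below.
        # http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
        ssl_prefer_server_ciphers on;

        # TLS 1.0 and 1.1 are deprecated (RFC 8996) and only needed by legacy
        # clients. The TLSv1.3 value is accepted by nginx >= 1.13.0 and is
        # used when the linked OpenSSL supports it.
        ssl_protocols TLSv1.2 TLSv1.3;

        # Forward-secret AEAD suites only. The previous list also offered 3DES
        # (a 64-bit block cipher -- note `!DES` does not exclude `DES-CBC3`)
        # and static-RSA key-exchange suites with no forward secrecy.
        # Names unknown to the linked OpenSSL (e.g. CHACHA20 on old builds)
        # are ignored rather than rejected.
        # http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
        ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

        # OCSP stapling (conveys revocation information to visitors in a
        # privacy-preserving, scalable manner). Left disabled: the certificate
        # above is self-signed, so there is no CA responder to staple from.
        # Enable once a CA-issued certificate is installed.
        # http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
        # resolver 8.8.8.8;
        # ssl_stapling on;
        # ssl_trusted_certificate /etc/nginx/ssl/nginx-selfsigned.crt;

        # All response security headers are declared together in this block
        # (see the note in http{}); `always` also emits them on 4xx/5xx
        # responses, which otherwise go out without them.

        # HSTS (HTTP Strict Transport Security) to avoid SSL stripping.
        # https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
        # https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
        # The directive is spelled includeSubDomains and takes no trailing ';'.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

        # Don't let the browser render the page inside a frame or iframe
        # (clickjacking, http://en.wikipedia.org/wiki/Clickjacking). SAMEORIGIN
        # allows framing from this origin only; an equivalent CSP
        # frame-ancestors directive is the modern replacement.
        # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
        add_header X-Frame-Options SAMEORIGIN always;

        # Disable content-type sniffing, so a file is only ever interpreted as
        # the Content-Type the table above assigns to it.
        # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
        add_header X-Content-Type-Options nosniff always;

        # Legacy browser XSS filter. Current browsers have removed the filter,
        # so this header only matters for old clients; the CSP below is the
        # effective control.
        # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
        add_header X-XSS-Protection "1; mode=block" always;

        # Content Security Policy: the browser may only load content from the
        # origins listed (http://caniuse.com/#feat=contentsecuritypolicy).
        # http://www.html5rocks.com/en/tutorials/security/content-security-policy/
        # https://www.owasp.org/index.php/Content_Security_Policy
        # TODO: the application code still needs 'unsafe-inline' 'unsafe-eval'
        # for css and js; drop them once inline code is moved into files.
        # http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
        # The http://*.vcmais.com connect-src entry is dead on an HTTPS-only
        # site: browsers block active mixed content regardless of CSP.
        add_header Content-Security-Policy "default-src 'self'; connect-src 'self' https://*.vcmais.com http://*.vcmais.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com https://vcmais-dev.s3.amazonaws.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'" always;

        # ... the rest of your configuration

        location / {
            # $uri only: the previous `$uri$args` glued the query string onto
            # the path, so /page.html?ref=1 looked up "page.htmlref=1", missed,
            # and the SPA fallback served index.html instead of the page.
            try_files $uri $uri/ /index.html;
        }

        location = /50x.html {
            root /usr/share/nginx/html;
        }

        # Never serve dotfiles/directories that may be deployed alongside the
        # site (.git, .env, editor backups); /.well-known/ stays reachable.
        location ~ /\.(?!well-known/) {
            deny all;
            access_log off;
            log_not_found off;
        }

        # Static content:
        # - images
        # - flash
        # - fonts
        # - css/js
        location ~* \.(?:jpe?g|gif|png|ico|swf|svg|eot|ttf|otf|woff2?|htc|css|js)$ {
            expires max;
        }

        location = /favicon.ico {
            log_not_found off;
        }

        location = /robots.txt {
            allow all;
            log_not_found off;
        }
    }
}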