Nginx Config
# Hardening as-per https://gist.github.com/plentz/6737338
# Strip the nginx version from the Server header and from generated error pages.
server_tokens off;
# Expires map
# Derives $expires from the response Content-Type; consumed by `expires $expires;`
# in the header include, so the per-type cache policy lives in one place.
map $sent_http_content_type $expires {
# off: no Expires / Cache-Control is added for content types not listed below
default off;
# epoch: an Expires date in the past, i.e. HTML is never cached by the client
text/html epoch;
# max: nginx's far-future value for long-lived static assets
text/css max;
application/javascript max;
# leading "~" makes this a regex match, so every image/* type is covered
~image/ max;
}
# Catch-all for :80 requests whose Host matches no other server_name (default_server).
# Only IPv4 is covered: there is no `listen [::]:80 default_server`, and no
# `listen 443 ... default_server` appears on this page, so TLS requests for an unknown
# name would be answered by whichever 443 server block nginx picks first — confirm that is intended.
server {
listen 80 default_server;
# "_" never matches a real Host header; the routing is done by default_server above
server_name _;
# deny all
# ...except ACME challenge files, so certificates can still be issued for names not yet configured
location /.well-known/ {
root /var/www/;
}
# longest-prefix match: everything other than /.well-known/ gets a 403
location / {
return 403;
}
}
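# Security response headers; included per server (see the `listen 443` server block).
# nginx does not merge add_header across levels: a location that declares its own
# add_header drops every header set here, so keep add_header out of the proxied
# locations or repeat the full set there.
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
# "0" disables the legacy browser XSS auditor. The former "1; mode=block" value is
# deprecated and the auditor itself was abused as a side channel in older browsers;
# XSS mitigation belongs in a Content-Security-Policy, which this include does not set.
add_header X-XSS-Protection "0";
add_header X-Robots-Tag all;
# `always` (nginx >= 1.7.5) also emits HSTS on 4xx/5xx responses, which nginx otherwise omits.
# preload: only keep this if the domain is (or will be) submitted to the HSTS preload list.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
# no-referrer-when-downgrade still sends the full URL to third-party HTTPS origins;
# strict-origin-when-cross-origin is the tighter modern default — switch once the app is checked.
add_header 'Referrer-Policy' 'no-referrer-when-downgrade';
# per-content-type caching policy from the $expires map
expires $expires;
# logs rewrite-module decisions to error_log at notice level
rewrite_log on;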
# ACME HTTP-01 challenge files. `^~` makes this prefix location win over the regex
# locations in restrictions.conf, and the challenge tokens are served as text/plain.
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
# challenge files are expected under /var/www/.well-known/acme-challenge/ — confirm the ACME client's webroot matches
root /var/www;
}
# HTTP listener for the MQ host name: everything not an ACME challenge is redirected to the web host.
server {
listen 80;
server_name <mq-dns-name>;
# provides the /.well-known/acme-challenge/ location so certificates can be issued for this name
include /etc/nginx/includes/letsencrypt.conf;
include /etc/nginx/includes/restrictions.conf;
location / {
# NOTE(review): unlike the www redirect below, this drops $request_uri and lands on the
# web host's root — presumably intended since it is a different host; confirm.
return 301 https://<web-dns-name>;
}
}
# Redirect http traffic for www to https
# $server_name is the configured name, not the client-supplied Host, so the redirect
# host cannot be steered by the request; only the path/query ($request_uri) is carried over.
server {
listen 80;
server_name <web-dns-name>;
# ACME challenge location stays reachable over plain HTTP
include /etc/nginx/includes/letsencrypt.conf;
location / {
return 301 https://$server_name$request_uri;
}
}
# Express App
# TLS front end for the Node/Express backend; the only 443 listener visible on this page.
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name <web-dns-name>;
# 127.0.0.11 is typically Docker's embedded DNS. A resolver is required because proxy_pass
# below uses a variable, which makes nginx resolve the upstream name per request rather than at startup.
resolver 127.0.0.11 ipv6=off;
# header.conf: security headers + expires; ssl-params.conf: protocol/cipher/stapling settings
include /etc/nginx/includes/header.conf;
include /etc/nginx/includes/ssl-params.conf;
include /etc/nginx/includes/letsencrypt.conf;
# relative path (resolved against the nginx prefix) while the other includes are absolute — confirm both resolve to the same file
include includes/restrictions.conf;
ssl_certificate /etc/nginx/ssl/live/<web-dns-name>/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/live/<web-dns-name>/privkey.pem;
# used by `ssl_stapling_verify on` (ssl-params.conf) to validate the stapled OCSP response
ssl_trusted_certificate /etc/nginx/ssl/live/<web-dns-name>/fullchain.pem;
location / {
# upstream container name; the variable form keeps nginx starting even if "red" is not resolvable yet
set $backend_express "red";
# plain HTTP to the container: TLS terminates here — assumes the network between nginx and the app is trusted
proxy_pass http://$backend_express:3000;
proxy_connect_timeout 1;
proxy_set_header X-NginX-Proxy true;
# X-Real-IP is the peer address nginx itself saw; this is the value the app should trust for the client IP
proxy_set_header X-Real-IP $remote_addr;
# $proxy_add_x_forwarded_for APPENDS to any X-Forwarded-For the client sent, so only the
# right-most entry is attributable to nginx; the app must not take the first entry as the client IP
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect off;
# NOTE(review): with the Host line below commented out, nginx sends its default Host ($proxy_host,
# i.e. red:3000), so the backend never sees the public host name — confirm the app does not build absolute URLs from it
#proxy_ssl_session_reuse off;
#proxy_set_header Host $http_host;
#proxy_cache_bypass $http_upgrade;
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_set_header X-Forwarded-For $remote_addr;
}
# index only applies to file serving; it has no effect on the proxied location above
index index.js;
}
# Global restrictions configuration file.
# Designed to be included in any server {} block.
# location = /favicon.ico {
# log_not_found off;
# access_log off;
#}
# location = /robots.txt {
# allow all;
# log_not_found off;
# access_log off;
#}
# Deny all attempts to access hidden files such as .htaccess, .htpasswd but leave .well-known working for letsencrypt
# Case-insensitive regex: any path segment beginning with "." except ".well-known/".
# Regex locations are evaluated after prefix matches, so the `^~` ACME location still wins.
location ~* /\.(?!well-known\/) {
# 403 for dotfiles such as .git/, .env, .htpasswd
deny all;
# NOTE(review): unlike the .php rule below, these hits are NOT logged; probes for .git/.env
# are useful detection signal, so consider leaving access_log on here
access_log off;
log_not_found off;
}
# Deny access to any files with a .php extension in the uploads directory
# Works in sub-directory installs and also in multisite network
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
# 403 for .php under /uploads/ or /files/ at any depth; logging is deliberately left on
# (no access_log off) so the attempts remain visible to log parsers such as fail2ban.
location ~* /(?:uploads|files)/.*\.php$ {
deny all;
}
# Hide Apple Touch Icon missing logs
# exact match ("="): suppress 404 noise for the icon probe iOS/Safari makes
location =/apple-touch-icon-precomposed.png {
log_not_found off;
access_log off;
}
# exact match ("="): suppress 404 noise for the 152x152 precomposed icon probe
location =/apple-touch-icon-152x152-precomposed.png {
log_not_found off;
access_log off;
}
# exact match ("="): suppress 404 noise for the 152x152 icon probe
location =/apple-touch-icon-152x152.png {
log_not_found off;
access_log off;
}
# exact match ("="): suppress 404 noise for the plain icon probe
location =/apple-touch-icon.png {
log_not_found off;
access_log off;
}
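# Certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
# Ciphers here: https://cipherli.st/
# Shared TLS parameters, included by each `listen 443 ssl` server block. The stapling
# verification at the bottom needs `ssl_trusted_certificate` in the including server.
ssl_dhparam /etc/nginx/ssl/dhparams.pem;
# TLS 1.3 added (needs nginx >= 1.13.0 built against OpenSSL >= 1.1.1); TLS 1.0/1.1 stay disabled.
ssl_protocols TLSv1.2 TLSv1.3;
# TLS 1.2 list reduced to AEAD suites (AES-GCM / ChaCha20-Poly1305). The CBC-HMAC suites
# from the original list (ECDHE-*-AES256-SHA384, ECDHE-*-AES128-SHA256) are dropped; they
# are no longer in the Mozilla intermediate profile. TLS 1.3 suites are not controlled by ssl_ciphers.
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
ssl_prefer_server_ciphers on;
# Offer X25519 and P-256 before P-384: the single-curve secp384r1 setting forced the slowest
# group on every handshake and refused clients that only offer X25519/P-256.
ssl_ecdh_curve X25519:prime256v1:secp384r1;
# 50 MB shared cache across workers, entries valid for 10 minutes
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 10m;
# Tickets off: nginx does not rotate its ticket key on its own, so a long-lived key would
# undermine forward secrecy for resumed sessions.
ssl_session_tickets off;
# OCSP Stapling ---
ssl_stapling on;
# verify the stapled response against ssl_trusted_certificate from the server block
ssl_stapling_verify on;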