Nginx Lucee Mura configuration
# ---- Master-process settings ------------------------------------------------
# Worker processes run as this (unprivileged) account.
user nginx;
# Fixed worker count; `auto` (one per CPU core) is the usual alternative.
worker_processes 2;
pid /var/run/nginx.pid;
# Global error log at `error` severity; each server block below sets its own.
error_log /var/log/nginx/error.log error;

events {
    # Maximum simultaneous connections per worker (2 workers -> ~2048 total).
    worker_connections 1024;
}
http {
# ---- Core HTTP settings ---------------------------------------------------
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Size of the server_name hash buckets; raise it if nginx refuses to start
# because a virtual-host name is too long for the default.
server_names_hash_bucket_size 64;
# Request-body cap (file uploads): anything larger is answered with 413.
client_max_body_size 10M;
# Directory index order: index.cfm first so directory requests end up in the
# .cfm proxy location rather than being served as a static index.htm.
index index.cfm index.htm;
sendfile on;
# Suppress the nginx version in the Server header and on error pages.
server_tokens off;

# ---- Logging --------------------------------------------------------------
# `main` is declared for server blocks to opt into; the server block in this
# gist names no format, so it falls back to nginx's default `combined`.
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                '$status $body_bytes_sent "$http_referer" '
                '"$http_user_agent" "$http_x_forwarded_for"';
# Access logging is off globally and re-enabled per server.
access_log off;

# ---- Compression ----------------------------------------------------------
# NOTE(review): compressing TLS responses that echo attacker-controlled input
# next to a secret is the precondition for BREACH; the types below are mostly
# static, but text/html (always compressed by nginx) and application/json are
# the ones to keep in mind for dynamic Lucee output.
gzip on;
gzip_comp_level 2;
gzip_min_length 1000;
gzip_vary on;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain text/css application/json application/x-javascript application/javascript text/javascript text/xml application/xml application/xml+rss;
server {
# One server block answers plain HTTP and HTTPS on both IPv4 and IPv6.
# NOTE(review): nothing in this block redirects :80 to :443, so the same
# content (including the Lucee admin path guarded further down) is reachable
# over cleartext HTTP; a `return 301 https://...` server for port 80 is the
# usual companion to the HSTS header this site sends.
listen 80;
listen 443 ssl;
listen [::]:80;       # IPv6; drop if the host has no IPv6
listen [::]:443 ssl;  # IPv6; drop if the host has no IPv6
server_name www.domain.com;
# Document root: anything not claimed by a regex location below is served
# straight from here as a static file.
root /var/www/domain.com/html;
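# nginx status page (ngx_http_stub_status_module).
# Fix: the original line read `stub_status on∏ access_log off;` — a stray "∏"
# where the ";" belongs — which makes nginx refuse to load the config.
# Exact match (`=`) instead of the original prefix match: only /nginx_status
# itself is served here, and `=` locations are chosen before any regex location.
location = /nginx_status {
    stub_status on;
    access_log off;
    # ACL on $remote_addr: replace the placeholder with the admin host/network.
    # This location is also reachable over plain HTTP (port 80 is served by the
    # same server block), so restrict it to trusted addresses only.
    allow <myLocalIPAddress>;
    deny all;
}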
# Certificates, protocols, ciphers and OCSP stapling live in include.d/ssl.conf.
include include.d/ssl.conf;
keepalive_timeout 20; #20 seconds
# Security headers (HSTS etc.) are added at server level here.
# NOTE: nginx `add_header` is inherited by a location only if that location
# has NO add_header of its own; the static-asset location later in this gist
# sets Pragma/Cache-Control itself and therefore does not get these headers
# unless they are included there as well.
include include.d/security-headers.conf;
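# Front controller: serve an existing file or directory, otherwise hand the
# path to Mura's index.cfm as path_info (set indexfileinurls=0 in Mura's
# settings.ini.cfm). Only requests that no regex location claimed reach this
# prefix location, and any file that exists under `root` is served as-is.
location / {
    try_files $uri $uri/ @rewrites;
}
location @rewrites {
    # Every $uri starts with "/", so this rule matches unconditionally; the
    # original second fallback (`rewrite ^ /index.cfm last;`) was unreachable
    # and has been dropped. `last` re-runs location matching, so the rewritten
    # /index.cfm/... URI lands in the .cfm proxy location.
    rewrite ^/(.*)? /index.cfm/$1 last;
}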
# Per-site logs. Access logging is off at http level; this re-enables it with
# nginx's default `combined` format (the `main` format declared above is not
# referenced here).
access_log /var/log/nginx/domain.com/access.log;
error_log /var/log/nginx/domain.com/error.log error;
# Static caching and the WEB-INF/META-INF/dotfile denies (the common.conf
# content appears further down in this gist — confirm). Position matters:
# regex locations are tried in the order they appear, and this include comes
# before the Lucee admin and proxy regexes, so its rules are evaluated first.
include include.d/common.conf;
# Restrict the Lucee admin and docs to trusted source addresses.
# Must stay ahead of the generic .cfm proxy regex below: nginx takes the FIRST
# matching regex location, so /lucee/admin/server.cfm is claimed here.
# The ACL is evaluated on $remote_addr. If another proxy/load balancer sits in
# front of nginx, every client arrives from that proxy's address and this
# allow list no longer distinguishes anyone.
# NOTE(review): port 80 is served by the same server block, so the admin login
# is reachable over cleartext HTTP unless HTTP is redirected to HTTPS.
location ~* /lucee/(admin|doc)/ {
## allow local IPs and deny all others
allow <myLocalIpAddress>;
allow ::1;
allow 127.0.0.1;
deny all;
include include.d/proxy-params;
}
# Everything with a ColdFusion/JSP extension is proxied to Tomcat/Lucee.
# The trailing (.*) is what makes path_info URLs (/index.cfm/some/path) work,
# but it also means the extension may appear anywhere in the path
# (/x.cfm.bak, /a.cfc/b.png ...) and the backend decides what to do with those.
# This is the last regex location, so the denies and the admin ACL above win
# for any overlapping path.
location ~ \.(cfm|cfml|cfc|jsp|cfr)(.*)$ {
include include.d/proxy-params;
}
}
}
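# ---- include.d/common.conf (a separate include file, as far as this gist shows) ----
# Long-lived browser caching for static assets.
# Fix: a location that declares its own `add_header` does NOT inherit the
# server-level add_header directives, so static responses were leaving without
# the security headers (HSTS, X-Frame-Options, ...). Re-including the shared
# header file inside the location restores them.
# Note: `expires 1M` already emits Cache-Control: max-age=...; the explicit
# Cache-Control add_header below adds a second Cache-Control value, which
# browsers merge. This regex precedes the dotfile deny, so a .js/.css under a
# dot-directory would be served by this block.
location ~* \.(?:jpg|jpeg|gif|png|ico|gz|svg|svgz|ttf|otf|woff|eot|mp4|ogg|ogv|webm|js|css)$ {
    expires 1M;
    #expires modified +90d;
    access_log off;
    add_header Pragma public;
    add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    include include.d/security-headers.conf;
}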
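# Block servlet-container internals and other files that must never be served
# from the document root. nginx uses the FIRST matching regex location, so the
# original duplicate rules (a second WEB-INF/META-INF pair returning 404 and a
# second `/\.` location using deny) could never be reached; they are dropped
# here and behaviour is unchanged: WEB-INF/META-INF answer 403 (deny), the rest 404.
# These matches run against nginx's normalized $uri while the backend receives
# the raw request URI (proxy_pass has no URI part), so keep Tomcat/Lucee's own
# WEB-INF protection in place as well.
location ~ /WEB-INF/ { access_log off; log_not_found off; deny all; }
location ~ /META-INF/ { access_log off; log_not_found off; deny all; }
location ~ \.config$ { return 404; }
# Hidden files/directories (.htaccess, .git, .env ...).
# NOTE: this also hides /.well-known/ (e.g. ACME HTTP-01 challenges); add a
# `location ^~ /.well-known/ { ... }` exception if that path is needed.
location ~ /\. { return 404; }
# Editor backup files (name~).
location ~ ~$ { return 404; }
# Not a PHP/ASP site: scanner probes for these get a bare 404.
location ~ \.aspx?$ { return 404; }
location ~ \.php$ { return 404; }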
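# Do not log missing favicon.ico / touch-icon / robots.txt errors.
# Fix: the original `location ^/(favicon\.ico|apple-touch-icon.*\.png)$` had
# no `~` modifier, so nginx treated "^/(favicon..." as a literal path prefix
# that never matched. favicon.ico now uses an exact match: `=` locations are
# chosen before every regex, including the static-asset regex that otherwise
# claims *.ico first (with log_not_found still on).
location = /favicon.ico {
    access_log off;
    log_not_found off;
}
# Regex form for the touch icons. NOTE: the static-asset regex (*.png) appears
# earlier in this file and wins, so this block only takes effect if it is
# moved ahead of that location.
location ~ ^/apple-touch-icon.*\.png$ {
    access_log off;
    log_not_found off;
}
location = /robots.txt {
    access_log off;
    log_not_found off;
}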
# ---- include.d/proxy-params (a separate include file, as far as this gist shows) ----
# Reverse-proxy settings shared by the Lucee locations.
# No URI part on proxy_pass: the client's request URI is forwarded unchanged.
proxy_pass http://127.0.0.1:8888;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
# $proxy_add_x_forwarded_for APPENDS $remote_addr to whatever X-Forwarded-For
# the client sent, so a client can prepend arbitrary addresses; the backend
# must only trust the right-most entry (RemoteIpValve is documented to do this
# when nginx's address is within its internalProxies — verify the Tomcat side).
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Set (not appended): always the TCP peer address, not spoofable by the client.
proxy_set_header X-Real-IP $remote_addr;
# Dynamic responses are marked already-expired so nothing caches them.
expires epoch;
##** if connecting to Tomcat, use Tomcat's RemoteIpValve to resolve CGI.REMOTE_ADDR, CGI.SERVER_NAME, and CGI.SERVER_PORT_SECURE
##** <Valve className="org.apache.catalina.valves.RemoteIpValve" protocolHeader="X-Forwarded-Proto" remoteIpHeader="X-Forwarded-For" protocolHeaderHttpsValue="https" />
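# ---- include.d/security-headers.conf (a separate include file, as far as this gist shows) ----
#see https://www.owasp.org/index.php/List_of_useful_HTTP_headers
# Fix: `always` (nginx >= 1.7.5) so the headers are also sent on 4xx/5xx
# responses; without it nginx only adds them to 2xx/3xx, and a browser whose
# first contact is an error page never learns the HSTS policy. The stray ";"
# inside the original HSTS value has been removed.
# Reminder: add_header is not inherited by a location that sets its own
# add_header, so locations with caching headers need this file re-included.
# HSTS: 6 months; includeSubDomains locks every subdomain to HTTPS too, so make
# sure all of them have valid certificates before deploying. Browsers only
# honour HSTS on HTTPS responses; the copy sent over port 80 is ignored.
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
add_header X-Frame-Options SAMEORIGIN always;
add_header X-Content-Type-Options nosniff always;
# Legacy header kept for older browsers; current guidance (OWASP) is to send
# "0" or omit it, since modern browsers dropped the XSS auditor and the filter
# itself has been abused for information leaks.
add_header X-XSS-Protection "1; mode=block" always;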
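# ---- include.d/ssl.conf (a separate include file, as far as this gist shows) ----
# Turn on SSL; Specify certificate & key
# cert-1234.domain.com.pem (concatenation of signed certificate + intermediate certs (ROOT cert not needed))
ssl_certificate /etc/nginx/ssl/certs/cert-1234.domain.com.pem;
ssl_certificate_key /etc/nginx/ssl/private/domain.com.key;
# error_page 497 allows for handling a redirect from HTTP to another URL (just a redirect to HTTPS)
#error_page 497 https://$host:$server_port$request_uri;

# Fix: TLS 1.0 and 1.1 are deprecated (RFC 8996) and rejected by current
# browser and PCI policy. TLS 1.3 needs nginx >= 1.13.0 built against
# OpenSSL >= 1.1.1; on an older build remove the TLSv1.3 token.
ssl_protocols TLSv1.2 TLSv1.3;
# Fix: removed 3DES (64-bit block size, Sweet32) and the plain-RSA key-exchange
# suites, which give no forward secrecy and contradicted the DH notes below.
# Every TLS 1.2 client supports ECDHE, so no client that can still negotiate
# TLS 1.2 loses access.
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:EECDH+AES256:!MD5;
ssl_prefer_server_ciphers on;
# Forward Secrecy & Diffie Hellman Ephemeral Parameters
# With Forward Secrecy, if an attacker gets a hold of the server's private key, it will not be able to decrypt past communications. The private key is only used to sign the DH handshake, which does not reveal the pre-master key. Diffie-Hellman ensures that the pre-master keys never leave the client and the server, and cannot be intercepted by a MITM.
# All versions of nginx as of 1.4.4 rely on OpenSSL for input parameters to Diffie-Hellman (DH). Unfortunately, this means that Ephemeral Diffie-Hellman (DHE) will use OpenSSL's defaults, which include a 1024-bit key for the key-exchange. Since we're using a 2048-bit certificate, DHE clients will use a weaker key-exchange than non-ephemeral DH clients.
# Generate stronger DHE parameters with 'openssl dhparam -out dhparam.pem 4096' (in /etc/nginx/ssl/certs).
# With the ECDHE-only cipher list above these parameters are only consulted if
# DHE suites are added back; they are harmless to keep.
ssl_dhparam /etc/nginx/ssl/certs/dhparam.pem;
# Session resumption via the shared server-side cache.
ssl_session_cache shared:SSL:10m;
#ssl_session_cache off;
ssl_session_timeout 10m;
# NOTE(review): ssl_session_tickets defaults to on with a ticket key that only
# changes on restart, which weakens forward secrecy for a long-running process;
# consider `ssl_session_tickets off;` or a regularly rotated
# ssl_session_ticket_key.
# Enable OCSP Stapling. ssl_stapling_verify needs the issuer chain INCLUDING
# the root via ssl_trusted_certificate; without it nginx logs a verification
# error and the response is not stapled. Provide the file and uncomment:
#ssl_trusted_certificate /etc/nginx/ssl/certs/chain-with-root.pem;
ssl_stapling on;
ssl_stapling_verify on;
# Resolver for the OCSP responder lookup. This is plaintext DNS to a public
# resolver; a local caching resolver is preferable where available.
resolver 8.8.4.4 8.8.8.8 valid=300s; #Google public DNS
resolver_timeout 5s;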