@dotcore
Last active April 16, 2016 10:24
Secure NGINX Configuration
# Spawn one worker process per available CPU core.
worker_processes auto;

events {
    # epoll is the scalable connection-processing method on Linux.
    use epoll;
    # Upper bound on simultaneous connections each worker may hold open.
    worker_connections 1024;
    # Accept every pending connection on wake-up instead of one at a time.
    multi_accept on;
}
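http {
    # Request limits: small header buffers and short body/header timeouts bound
    # per-connection memory and cut off clients that trickle headers slowly.
    client_body_buffer_size 8K;
    client_max_body_size 20m;
    client_body_timeout 10s;
    client_header_buffer_size 1k;
    large_client_header_buffers 2 16k;
    client_header_timeout 5s;

    open_file_cache max=1000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 5;
    open_file_cache_errors off;

    include mime.types;
    default_type application/octet-stream;

    sendfile on;
    tcp_nodelay on;
    tcp_nopush on;
    keepalive_timeout 60;

    # Compression. text/html is always compressed by gzip. Compressing dynamic
    # responses that mix attacker-influenced input with secrets (CSRF tokens,
    # session identifiers) over TLS is the precondition for the BREACH attack;
    # keep compression to static assets or disable it for such responses.
    gzip on;
    gzip_disable "msie6";
    gzip_min_length 1000;
    gzip_http_version 1.1;
    gzip_vary on;
    gzip_comp_level 2;
    gzip_proxied any;
    # application/javascript added: current mime.types maps .js to that type, so
    # the legacy application/x-javascript entry alone left JavaScript uncompressed.
    gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;
    gzip_buffers 16 8k;

    # Security related headers. These apply to the plain-HTTP redirect server
    # below. add_header is NOT inherited by any server or location block that
    # declares its own add_header, which is why the HTTPS server repeats the set.
    # The 'always' flag (nginx >= 1.7.5) also emits the header on error responses;
    # it is used consistently here, matching the HTTPS server.
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Xss-Protection "1; mode=block" always;
    add_header Content-Security-Policy "default-src 'self' 'unsafe-inline';" always;

    # more_clear_headers comes from the headers-more module (nginx-extras on Debian).
    more_clear_headers 'Server';
    more_clear_headers 'X-Powered-By';
    server_tokens off;

    # Enforce HTTPS
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        # Only allow specific request methods; 444 drops the connection without a
        # response. An 'if' containing only 'return' in server context is one of
        # the safe uses of 'if'.
        if ($request_method !~ ^(GET|HEAD|POST|DELETE|PUT)$ ) { return 444; }
        # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
        return 301 https://$host$request_uri;
    }

    # HTTPS/HTTP2 Server
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name example.com;
        # 'ssl on;' removed: the 'ssl' parameter on 'listen' above already enables
        # TLS, and the directive is deprecated since nginx 1.15.0.
        # Generate the DH group with at least 2048 bits (e.g. openssl dhparam 2048);
        # 1024-bit groups are considered breakable and are rejected by browsers.
        ssl_dhparam /etc/nginx/ssl/dhparam.pem;
        ssl_certificate /etc/ssl/certs/example.com.crt;
        ssl_certificate_key /etc/ssl/private/example.com.key;
        # TLS 1.0 and 1.1 removed: both are deprecated (RFC 8996) and no longer
        # acceptable under PCI DSS. Add TLSv1.3 here when running nginx >= 1.13.0
        # built against OpenSSL >= 1.1.1; older builds reject the token.
        ssl_protocols TLSv1.2;
        ssl_prefer_server_ciphers on;
        # Forward-secret (ECDHE/DHE) AES suites only. 3DES removed (64-bit block
        # size, SWEET32) and static-RSA key exchange removed (no forward secrecy);
        # both contradicted the PCI DSS / NIST claim this list carried.
        ssl_ciphers "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!aNULL:!MD5:!DSS:!3DES";
        ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:10m;
        # Tickets off: nginx does not rotate the ticket key, so a long-lived key
        # would undermine forward secrecy. Requires nginx >= 1.5.9.
        ssl_session_tickets off;
        ssl_stapling on; # Requires nginx >= 1.3.7
        ssl_stapling_verify on; # Requires nginx >= 1.3.7
        # To ensure proper OCSP stapling you need the WHOLE chain in proper order in one PEM.
        ssl_trusted_certificate /etc/ssl/certs/root+intermediate+example.com.pem;
        # Replace DNSIP and DNSIP2 with your preferred DNS resolvers. These lookups
        # are plain, unauthenticated DNS used to reach the OCSP responder, so point
        # them at a local or otherwise trusted resolver.
        resolver DNSIP DNSIP2 valid=300s;
        resolver_timeout 5s;

        # SSL Only security headers
        # Note the 'always' flag in add_header needs Nginx >= 1.7.5
        # 'preload' plus 'includeSubdomains' commits this domain and every subdomain
        # to HTTPS in browser preload lists, which is very hard to undo; submit to
        # the preload list only once all subdomains are served over TLS.
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
        # Read first about Content-Security-Policy. 'unsafe-inline' permits inline
        # scripts and styles and so removes most of CSP's protection against XSS;
        # replace it with nonces or hashes once the application allows.
        add_header Content-Security-Policy "default-src 'self' https://trusted.domain.com 'unsafe-inline';" always;
        add_header X-Frame-Options SAMEORIGIN always;
        add_header X-Content-Type-Options nosniff always;
        # X-XSS-Protection is a legacy header that current browsers ignore; CSP is
        # the effective control.
        add_header X-Xss-Protection "1; mode=block" always;
        # Read this: https://scotthelme.co.uk/hpkp-http-public-key-pinning/
        # HPKP has since been deprecated and removed from major browsers.
        # DO NOT ENABLE THIS WITHOUT PROPER HASHES AND BACKUPS
        # add_header Public-Key-Pins 'pin-sha256="YOURHASH"; pin-sha256="YOURBACKUPHASH"; pin-sha256="YOURBACKUPHASH2"; max-age=86400; includeSubdomains' always;

        root /var/www/public;
        index index.html;
        # Only allow specific request methods
        if ($request_method !~ ^(GET|HEAD|POST|DELETE|PUT)$ ) { return 444; }
        # Deny access to dotfiles and dot-directories (.htaccess, .git, .svn, .env, ...)
        # except /.well-known/, which ACME (Let's Encrypt) validation needs.
        # Any location block added to this server that sets its own add_header must
        # repeat the security headers above, or they are not sent for that location.
        location ~ /\.(?!well-known/) { deny all; }
    }
}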