dustyfresh/default.conf

## default.conf
# Security enhancements and custom Nginx server header
#
# Requirements:
# $ apt install nginx vim
# $ apt install libnginx-mod-http-headers-more-filter
# $ vim /etc/nginx/sites-enabled/default
#
# Further reading http://docs.hardentheworld.org/Applications/Nginx/
#
server {
        listen 80 default_server;
        listen [::]:80 default_server;

        root /var/www/html;

        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;

        server_name _changeme_;
        server_tokens off;

        # don't forget you need the nginx more headers package
        # apt install libnginx-mod-http-headers-more-filter
        more_set_headers    "Server: _changeme_";

        # disabled directory indexing
        autoindex off;

        # https://nginx.org/en/docs/http/ngx_http_ssi_module.html
        ssi off;

        # Enables XSS protection
        add_header X-XSS-Protection "1; mode=block";

        # prevent browser from interpreting files as something else than
        # declared by the content type in the http header
        add_header X-Content-Type-Options nosniff;

        # Deny illegal Host headers.
        if ($host !~* ^(_changeme_)$ ) {
            return 444;
        }

        # Security enhancements
        location / {
                try_files $uri $uri/ =404;
                if ($request_uri ~* '\.\.\/|\-\-|union|<|>|\'|\"|;|eval|%|passwd|null|busybox|wget|shell|\.sh|wget') { return 444; }
                if ($http_user_agent ~* 'bot|acunetix|burp|requests|perl|python|java|curl|wget|scan|grab|php|go\-|nikto|map') { return 444; }
        }

        # Do not return specific nginx error responses, instead we return a newline character
        error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 420 422 423 424 426 428 429 431 444 449 450 451 500 501 502 503 504 505 506 507 508 509 510 511 /error;
        location  /error {
            return 200 '\n';
            add_header Content-Type text/plain;
        }
}

server {
        listen 443 ssl;
        listen [::]:443 ssl;

        ssl on;
        ssl_certificate /etc/nginx/ssl/cert;
        ssl_certificate_key /etc/nginx/ssl/key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA HIGH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";


        root /var/www/html;

        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;

        server_name _changeme_;
        server_tokens off;

        # don't forget you need the nginx more headers package
        # apt install libnginx-mod-http-headers-more-filter
        more_set_headers    "Server: _changeme_";

        # disabled directory indexing
        autoindex off;

        # https://nginx.org/en/docs/http/ngx_http_ssi_module.html
        ssi off;

        # Enables XSS protection
        add_header X-XSS-Protection "1; mode=block";

        # prevent browser from interpreting files as something else than
        # declared by the content type in the http header
        add_header X-Content-Type-Options nosniff;

        # Deny illegal Host headers.
        if ($host !~* ^(_changeme_)$ ) {
            return 444;
        }

        # Security enhancements
        location / {
                try_files $uri $uri/ =404;
                if ($request_uri ~* '\.\.\/|\-\-|union|<|>|\'|\"|;|eval|%|passwd|null|busybox|wget|shell|\.sh|wget') { return 444; }
                if ($http_user_agent ~* 'bot|acunetix|burp|requests|perl|python|java|curl|wget|scan|grab|php|go\-|nikto|map') { return 444; }
        }

        # Do not return specific nginx error responses, instead we return a newline character
        error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 420 422 423 424 426 428 429 431 444 449 450 451 500 501 502 503 504 505 506 507 508 509 510 511 /error;
        location  /error {
            return 200 '\n';
            add_header Content-Type text/plain;
        }
}
	# Security enhancements and custom Nginx server header
	#
	# Requirements:
	# $ apt install nginx vim
	# $ apt install libnginx-mod-http-headers-more-filter
	# $ vim /etc/nginx/sites-enabled/default
	#
	# Further reading http://docs.hardentheworld.org/Applications/Nginx/
	#
	server {
	listen 80 default_server;
	listen [::]:80 default_server;

	root /var/www/html;

	# Add index.php to the list if you are using PHP
	index index.html index.htm index.nginx-debian.html;

	server_name _changeme_;
	server_tokens off;

	# don't forget you need the nginx more headers package
	# apt install libnginx-mod-http-headers-more-filter
	more_set_headers "Server: _changeme_";

	# disabled directory indexing
	autoindex off;

	# https://nginx.org/en/docs/http/ngx_http_ssi_module.html
	ssi off;

	# Enables XSS protection
	add_header X-XSS-Protection "1; mode=block";

	# prevent browser from interpreting files as something else than
	# declared by the content type in the http header
	add_header X-Content-Type-Options nosniff;

	# Deny illegal Host headers.
	if ($host !~* ^(_changeme_)$ ) {
	return 444;
	}

	# Security enhancements
	location / {
	try_files $uri $uri/ =404;
	if ($request_uri ~* '\.\.\/\|\-\-\|union\|<\|>\|\'\|\"\|;\|eval\|%\|passwd\|null\|busybox\|wget\|shell\|\.sh\|wget') { return 444; }
	if ($http_user_agent ~* 'bot\|acunetix\|burp\|requests\|perl\|python\|java\|curl\|wget\|scan\|grab\|php\|go\-\|nikto\|map') { return 444; }
	}

	# Do not return specific nginx error responses, instead we return a newline character
	error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 420 422 423 424 426 428 429 431 444 449 450 451 500 501 502 503 504 505 506 507 508 509 510 511 /error;
	location /error {
	return 200 '\n';
	add_header Content-Type text/plain;
	}
	}

	server {
	listen 443 ssl;
	listen [::]:443 ssl;

	ssl on;
	ssl_certificate /etc/nginx/ssl/cert;
	ssl_certificate_key /etc/nginx/ssl/key;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;
	ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA HIGH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";


	root /var/www/html;

	# Add index.php to the list if you are using PHP
	index index.html index.htm index.nginx-debian.html;

	server_name _changeme_;
	server_tokens off;

	# don't forget you need the nginx more headers package
	# apt install libnginx-mod-http-headers-more-filter
	more_set_headers "Server: _changeme_";

	# disabled directory indexing
	autoindex off;

	# https://nginx.org/en/docs/http/ngx_http_ssi_module.html
	ssi off;

	# Enables XSS protection
	add_header X-XSS-Protection "1; mode=block";

	# prevent browser from interpreting files as something else than
	# declared by the content type in the http header
	add_header X-Content-Type-Options nosniff;

	# Deny illegal Host headers.
	if ($host !~* ^(_changeme_)$ ) {
	return 444;
	}

	# Security enhancements
	location / {
	try_files $uri $uri/ =404;
	if ($request_uri ~* '\.\.\/\|\-\-\|union\|<\|>\|\'\|\"\|;\|eval\|%\|passwd\|null\|busybox\|wget\|shell\|\.sh\|wget') { return 444; }
	if ($http_user_agent ~* 'bot\|acunetix\|burp\|requests\|perl\|python\|java\|curl\|wget\|scan\|grab\|php\|go\-\|nikto\|map') { return 444; }
	}

	# Do not return specific nginx error responses, instead we return a newline character
	error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 420 422 423 424 426 428 429 431 444 449 450 451 500 501 502 503 504 505 506 507 508 509 510 511 /error;
	location /error {
	return 200 '\n';
	add_header Content-Type text/plain;
	}
	}