A modern security configuration for nginx
# TLS configuration is based on Mozilla's `modern` config:
# https://ssl-config.mozilla.org/
# https://wiki.mozilla.org/Security/Server_Side_TLS
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
# improve TLS performance by enabling session reuse
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m; # about 40000 sessions
ssl_session_tickets off;
# only enable TLS 1.3 for best security
ssl_protocols TLSv1.3;
# the cipher suites for TLS 1.3 are all strong, so we allow the client to choose, as they will know best if they have support for hardware-accelerated AES
ssl_prefer_server_ciphers off;
# enable OCSP stapling to convey certificate revocation information to visitors in a privacy-preserving, scalable manner
# https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
# disable nginx version in header
server_tokens off;
# NOTE: add_header directives are inherited from the enclosing level only if the current
# server/location block defines no add_header of its own; a location block that adds even
# one header must repeat all of the headers below, or they silently disappear there
# TODO: adapt CSP header to the site's needs
# only allow content that comes from the site's own origin (this excludes subdomains)
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
# https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
# https://content-security-policy.com/
add_header Content-Security-Policy "default-src 'self';" always;
# disallow other sites from loading this page inside a frame. prevents clickjacking
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
add_header X-Frame-Options "SAMEORIGIN" always;
# prevent the site from loading when XSS attacks are detected
# WARN: in some cases, XSS protection can create XSS vulnerabilities in otherwise safe websites. a strong CSP policy is the recommended approach to prevent XSS attacks
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
add_header X-Xss-Protection "1; mode=block" always;
# MIME types advertised in the `Content-Type` headers should be followed and not changed. prevents MIME type sniffing.
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
add_header X-Content-Type-Options "nosniff" always;
# don't send the Referer header for cross-origin requests
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
add_header Referrer-Policy "same-origin" always;
# tell the browser to automatically upgrade all HTTP requests to HTTPS
# register for preloading at https://hstspreload.org/
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
# deny the use of browser features
# https://github.com/w3c/webappsec-permissions-policy/blob/main/permissions-policy-explainer.md
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
# https://www.permissionspolicy.com/
add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()" always;
# block unknown hostnames, i.e. when the server is accessed by IP
# requires nginx >= 1.19.4 and openssl >= 1.1.1j
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    # reject the TLS handshake outright, so no certificate is needed for this catch-all
    ssl_reject_handshake on;
    # close the connection without sending a response
    return 444;
}
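After deploying a config like this, the thing to verify is the response the browser actually gets, since a location block with its own add_header silently drops the inherited headers. The checker below is an added example, not part of the gist; it parses a raw HTTP response head and compares the headers against the values the config above sets (the two sample responses are constructed, not captured from a real server).

```python
import re

def hsts_ok(v):
    # max-age of at least two years plus includeSubDomains, as the config sets
    m = re.search(r"max-age=(\d+)", v)
    return bool(m) and int(m.group(1)) >= 63072000 and "includesubdomains" in v.lower()

# Expected values for the headers the config above adds (lowercase names).
EXPECTED = {
    "content-security-policy": lambda v: "default-src 'self'" in v,
    "x-frame-options": lambda v: v.upper() in ("SAMEORIGIN", "DENY"),
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "referrer-policy": lambda v: v.lower() in ("same-origin", "no-referrer"),
    "strict-transport-security": hsts_ok,
    "permissions-policy": lambda v: all(f"{f}=()" in v for f in ("camera", "microphone", "geolocation")),
}

def parse_headers(raw):
    # Turn a raw HTTP/1.1 response head into {lowercase-name: value}; skips the status line.
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw):
    # Return findings; an empty list means the response matches the config.
    h = parse_headers(raw)
    findings = [f"missing {n}" if n not in h else f"weak {n}: {h[n]}"
                for n, ok in EXPECTED.items() if n not in h or not ok(h[n])]
    if h.get("server", "").lower().startswith("nginx/"):
        findings.append("server_tokens leaks version: " + h["server"])
    return findings

# Constructed sample responses (not captured from a real server).
GOOD = """HTTP/1.1 200 OK
Server: nginx
Content-Security-Policy: default-src 'self';
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: same-origin
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Permissions-Policy: camera=(), microphone=(), geolocation=()
"""
# What a location block with its own add_header (dropping the inherited ones) can yield.
BAD = """HTTP/1.1 200 OK
Server: nginx/1.21.6
Strict-Transport-Security: max-age=300
"""
```

Feed it the output of `curl -sI https://example.com` (the head of a real response) to check a live deployment, one location at a time.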