joshefin/!nginx.md Secret

## !nginx.md

      
    Raw
  

              !nginx.md
            
          
    Example of nginx configuration

  
## cache.conf
open_file_cache max=1000 inactive=20s;
open_file_cache_valid 30s;
open_file_cache_min_uses 2;
open_file_cache_errors on;

map $sent_http_content_type $expires {
  default                                 1M;

  # No content
  ""                                      off;

  # CSS
  ~*text/css                              1y;

  # Data interchange
  ~*application/atom\+xml                 1h;
  ~*application/rdf\+xml                  1h;
  ~*application/rss\+xml                  1h;

  ~*application/json                      0;
  ~*application/ld\+json                  0;
  ~*application/schema\+json              0;
  ~*application/geo\+json                 0;
  ~*application/xml                       0;
  ~*text/calendar                         0;
  ~*text/xml                              0;

  # Favicon (cannot be renamed!) and cursor images
  ~*image/vnd.microsoft.icon              1w;
  ~*image/x-icon                          1w;

  # HTML
  ~*text/html                             0;

  # JavaScript
  ~*application/javascript                1y;
  ~*application/x-javascript              1y;
  ~*text/javascript                       1y;

  # Manifest files
  ~*application/manifest\+json            1w;
  ~*application/x-web-app-manifest\+json  0;
  ~*text/cache-manifest                   0;

  # Markdown
  ~*text/markdown                         0;

  # Media files
  ~*audio/                                1M;
  ~*image/                                1M;
  ~*video/                                1M;

  # WebAssembly
  ~*application/wasm                      1y;

  # Web fonts
  ~*font/                                 1M;
  ~*application/vnd.ms-fontobject         1M;
  ~*application/x-font-ttf                1M;
  ~*application/x-font-woff               1M;
  ~*application/font-woff                 1M;
  ~*application/font-woff2                1M;

  # Other
  ~*text/x-cross-domain-policy            1w;
}

expires $expires;

## compression.conf
gzip on;
gzip_comp_level 5;
gzip_min_length 256;
gzip_proxied any;
gzip_vary on;

gzip_types
  application/atom+xml
  application/javascript
  application/json
  application/ld+json
  application/manifest+json
  application/rss+xml
  application/geo+json
  application/vnd.ms-fontobject
  application/x-web-app-manifest+json
  application/xhtml+xml
  application/xml
  application/rdf+xml
  font/otf
  application/wasm
  image/bmp
  image/svg+xml
  text/cache-manifest
  text/css
  text/javascript
  text/plain
  text/markdown
  text/vcard
  text/calendar
  text/vnd.rim.location.xloc
  text/vtt
  text/x-component
  text/x-cross-domain-policy;

## general.conf
location = /favicon.ico {
  log_not_found off;
  access_log off;
}

location = /robots.txt {
  log_not_found off;
  access_log off;
}

## mime.types
types {

  # Data interchange

    application/atom+xml                  atom;
    application/json                      json map topojson;
    application/ld+json                   jsonld;
    application/rss+xml                   rss;
    # Normalize to standard type.
    # https://tools.ietf.org/html/rfc7946#section-12
    application/geo+json                  geojson;
    application/xml                       xml;
    # Normalize to standard type.
    # https://tools.ietf.org/html/rfc3870#section-2
    application/rdf+xml                   rdf;


  # JavaScript

    # Servers should use text/javascript for JavaScript resources.
    # https://html.spec.whatwg.org/multipage/scripting.html#scriptingLanguages
    text/javascript                       js mjs;
    application/wasm                      wasm;


  # Manifest files

    application/manifest+json             webmanifest;
    application/x-web-app-manifest+json   webapp;
    text/cache-manifest                   appcache;


  # Media files

    audio/midi                            mid midi kar;
    audio/mp4                             aac f4a f4b m4a;
    audio/mpeg                            mp3;
    audio/ogg                             oga ogg opus;
    audio/x-realaudio                     ra;
    audio/x-wav                           wav;
    audio/x-matroska                      mka;
    image/bmp                             bmp;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    image/jxr                             jxr hdp wdp;
    image/png                             png;
    image/svg+xml                         svg svgz;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/webp                            webp;
    image/x-jng                           jng;
    video/3gpp                            3gp 3gpp;
    video/mp4                             f4p f4v m4v mp4;
    video/mpeg                            mpeg mpg;
    video/ogg                             ogv;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-mng                           mng;
    video/x-ms-asf                        asf asx;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
    video/x-matroska                      mkv mk3d;

    # Serving `.ico` image files with a different media type
    # prevents Internet Explorer from displaying then as images:
    # https://github.com/h5bp/html5-boilerplate/commit/37b5fec090d00f38de64b591bcddcb205aadf8ee

    image/x-icon                          cur ico;


  # Microsoft Office

    application/msword                                                         doc;
    application/vnd.ms-excel                                                   xls;
    application/vnd.ms-powerpoint                                              ppt;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;


  # Web fonts

    font/woff                             woff;
    font/woff2                            woff2;
    application/vnd.ms-fontobject         eot;
    font/ttf                              ttf;
    font/collection                       ttc;
    font/otf                              otf;


  # Other

    application/java-archive              ear jar war;
    application/mac-binhex40              hqx;
    application/octet-stream              bin deb dll dmg exe img iso msi msm msp safariextz;
    application/pdf                       pdf;
    application/postscript                ai eps ps;
    application/rtf                       rtf;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/vnd.wap.wmlc              wmlc;
    application/x-7z-compressed           7z;
    application/x-bb-appworld             bbaw;
    application/x-bittorrent              torrent;
    application/x-chrome-extension        crx;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-opera-extension         oex;
    application/x-perl                    pl pm;
    application/x-pilot                   pdb prc;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            crt der pem;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xslt+xml                  xsl;
    application/zip                       zip;
    text/css                              css;
    text/csv                              csv;
    text/html                             htm html shtml;
    text/markdown                         md markdown;
    text/mathml                           mml;
    text/plain                            txt;
    text/vcard                            vcard vcf;
    text/calendar                         ics;
    text/vnd.rim.location.xloc            xloc;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/vtt                              vtt;
    text/x-component                      htc;

}

## nginx.conf
user nginx;
worker_processes auto;

worker_rlimit_nofile 2048;

pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

error_log /var/log/nginx/error.log warn;

http {
    charset utf-8;

    charset_types
        text/css
        text/plain
        text/vnd.wap.wml
        text/javascript
        text/markdown
        text/calendar
        text/x-component
        text/vcard
        text/cache-manifest
        text/vtt
        application/json
        application/manifest+json;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    access_log /var/log/nginx/access.log combined;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;

    types_hash_max_size 2048;

    keepalive_timeout 300s;

    server_tokens off;
    log_not_found off;
    client_max_body_size 16M;

    include custom/ssl.conf;

    include custom/compression.conf;
    include custom/cache.conf;

    map $sent_http_content_type $x_xss_protection {
        ~*text/html "1; mode=block";
    }

    map $sent_http_content_type $x_frame_options {
        ~*text/html SAMEORIGIN;
    }

    map $sent_http_content_type $referrer_policy {
        ~*text/html "no-referrer-when-downgrade";
    }

    map $sent_http_content_type $content_security_policy {
        ~*text/html "default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' data: secure.gravatar.com s.w.org; font-src 'self' data: fonts.gstatic.com; connect-src 'self'; object-src 'none'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests";
    }

    include /etc/nginx/conf.d/*.conf;
}

## security.conf
location ~* /\.(?!well-known\/) {
  deny all;
}

location ~* (?:#.*#|\.(?:bak|conf|dist|fla|in[ci]|log|orig|psd|sh|sql|sw[op])|~)$ {
  deny all;
}

location ~ /\.ht {
  deny all;
}

location ~ /\. {
  deny all;
}

location ~* ^/(?:wp-content|wp-includes)/.*\.php$ {
  deny all;
}

location ~* ^/wp-content/uploads/.*\.(?:s?html?|php|js|swf)$ {
  deny all;
}

if ($uri ~* "^.+(readme|license|example)\.(txt|html)$") {
  return 404;
}

add_header X-XSS-Protection $x_xss_protection always;

add_header X-Frame-Options $x_frame_options always;

add_header X-Content-Type-Options nosniff always;

add_header Referrer-Policy $referrer_policy always;

add_header Content-Security-Policy $content_security_policy always;

## ssl.conf
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 24h;

ssl_session_tickets off;

ssl_prefer_server_ciphers on;

ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
resolver_timeout 2s;
	open_file_cache max=1000 inactive=20s;
	open_file_cache_valid 30s;
	open_file_cache_min_uses 2;
	open_file_cache_errors on;

	map $sent_http_content_type $expires {
	default 1M;

	# No content
	"" off;

	# CSS
	~*text/css 1y;

	# Data interchange
	~*application/atom\+xml 1h;
	~*application/rdf\+xml 1h;
	~*application/rss\+xml 1h;

	~*application/json 0;
	~*application/ld\+json 0;
	~*application/schema\+json 0;
	~*application/geo\+json 0;
	~*application/xml 0;
	~*text/calendar 0;
	~*text/xml 0;

	# Favicon (cannot be renamed!) and cursor images
	~*image/vnd.microsoft.icon 1w;
	~*image/x-icon 1w;

	# HTML
	~*text/html 0;

	# JavaScript
	~*application/javascript 1y;
	~*application/x-javascript 1y;
	~*text/javascript 1y;

	# Manifest files
	~*application/manifest\+json 1w;
	~*application/x-web-app-manifest\+json 0;
	~*text/cache-manifest 0;

	# Markdown
	~*text/markdown 0;

	# Media files
	~*audio/ 1M;
	~*image/ 1M;
	~*video/ 1M;

	# WebAssembly
	~*application/wasm 1y;

	# Web fonts
	~*font/ 1M;
	~*application/vnd.ms-fontobject 1M;
	~*application/x-font-ttf 1M;
	~*application/x-font-woff 1M;
	~*application/font-woff 1M;
	~*application/font-woff2 1M;

	# Other
	~*text/x-cross-domain-policy 1w;
	}

	expires $expires;
	gzip on;
	gzip_comp_level 5;
	gzip_min_length 256;
	gzip_proxied any;
	gzip_vary on;

	gzip_types
	application/atom+xml
	application/javascript
	application/json
	application/ld+json
	application/manifest+json
	application/rss+xml
	application/geo+json
	application/vnd.ms-fontobject
	application/x-web-app-manifest+json
	application/xhtml+xml
	application/xml
	application/rdf+xml
	font/otf
	application/wasm
	image/bmp
	image/svg+xml
	text/cache-manifest
	text/css
	text/javascript
	text/plain
	text/markdown
	text/vcard
	text/calendar
	text/vnd.rim.location.xloc
	text/vtt
	text/x-component
	text/x-cross-domain-policy;
	location = /favicon.ico {
	log_not_found off;
	access_log off;
	}

	location = /robots.txt {
	log_not_found off;
	access_log off;
	}
	types {

	# Data interchange

	application/atom+xml atom;
	application/json json map topojson;
	application/ld+json jsonld;
	application/rss+xml rss;
	# Normalize to standard type.
	# https://tools.ietf.org/html/rfc7946#section-12
	application/geo+json geojson;
	application/xml xml;
	# Normalize to standard type.
	# https://tools.ietf.org/html/rfc3870#section-2
	application/rdf+xml rdf;


	# JavaScript

	# Servers should use text/javascript for JavaScript resources.
	# https://html.spec.whatwg.org/multipage/scripting.html#scriptingLanguages
	text/javascript js mjs;
	application/wasm wasm;


	# Manifest files

	application/manifest+json webmanifest;
	application/x-web-app-manifest+json webapp;
	text/cache-manifest appcache;


	# Media files

	audio/midi mid midi kar;
	audio/mp4 aac f4a f4b m4a;
	audio/mpeg mp3;
	audio/ogg oga ogg opus;
	audio/x-realaudio ra;
	audio/x-wav wav;
	audio/x-matroska mka;
	image/bmp bmp;
	image/gif gif;
	image/jpeg jpeg jpg;
	image/jxr jxr hdp wdp;
	image/png png;
	image/svg+xml svg svgz;
	image/tiff tif tiff;
	image/vnd.wap.wbmp wbmp;
	image/webp webp;
	image/x-jng jng;
	video/3gpp 3gp 3gpp;
	video/mp4 f4p f4v m4v mp4;
	video/mpeg mpeg mpg;
	video/ogg ogv;
	video/quicktime mov;
	video/webm webm;
	video/x-flv flv;
	video/x-mng mng;
	video/x-ms-asf asf asx;
	video/x-ms-wmv wmv;
	video/x-msvideo avi;
	video/x-matroska mkv mk3d;

	# Serving `.ico` image files with a different media type
	# prevents Internet Explorer from displaying then as images:
	# https://github.com/h5bp/html5-boilerplate/commit/37b5fec090d00f38de64b591bcddcb205aadf8ee

	image/x-icon cur ico;


	# Microsoft Office

	application/msword doc;
	application/vnd.ms-excel xls;
	application/vnd.ms-powerpoint ppt;
	application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
	application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
	application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;


	# Web fonts

	font/woff woff;
	font/woff2 woff2;
	application/vnd.ms-fontobject eot;
	font/ttf ttf;
	font/collection ttc;
	font/otf otf;


	# Other

	application/java-archive ear jar war;
	application/mac-binhex40 hqx;
	application/octet-stream bin deb dll dmg exe img iso msi msm msp safariextz;
	application/pdf pdf;
	application/postscript ai eps ps;
	application/rtf rtf;
	application/vnd.google-earth.kml+xml kml;
	application/vnd.google-earth.kmz kmz;
	application/vnd.wap.wmlc wmlc;
	application/x-7z-compressed 7z;
	application/x-bb-appworld bbaw;
	application/x-bittorrent torrent;
	application/x-chrome-extension crx;
	application/x-cocoa cco;
	application/x-java-archive-diff jardiff;
	application/x-java-jnlp-file jnlp;
	application/x-makeself run;
	application/x-opera-extension oex;
	application/x-perl pl pm;
	application/x-pilot pdb prc;
	application/x-rar-compressed rar;
	application/x-redhat-package-manager rpm;
	application/x-sea sea;
	application/x-shockwave-flash swf;
	application/x-stuffit sit;
	application/x-tcl tcl tk;
	application/x-x509-ca-cert crt der pem;
	application/x-xpinstall xpi;
	application/xhtml+xml xhtml;
	application/xslt+xml xsl;
	application/zip zip;
	text/css css;
	text/csv csv;
	text/html htm html shtml;
	text/markdown md markdown;
	text/mathml mml;
	text/plain txt;
	text/vcard vcard vcf;
	text/calendar ics;
	text/vnd.rim.location.xloc xloc;
	text/vnd.sun.j2me.app-descriptor jad;
	text/vnd.wap.wml wml;
	text/vtt vtt;
	text/x-component htc;

	}
	user nginx;
	worker_processes auto;

	worker_rlimit_nofile 2048;

	pid /var/run/nginx.pid;

	events {
	worker_connections 1024;
	}

	error_log /var/log/nginx/error.log warn;

	http {
	charset utf-8;

	charset_types
	text/css
	text/plain
	text/vnd.wap.wml
	text/javascript
	text/markdown
	text/calendar
	text/x-component
	text/vcard
	text/cache-manifest
	text/vtt
	application/json
	application/manifest+json;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	access_log /var/log/nginx/access.log combined;

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;

	types_hash_max_size 2048;

	keepalive_timeout 300s;

	server_tokens off;
	log_not_found off;
	client_max_body_size 16M;

	include custom/ssl.conf;

	include custom/compression.conf;
	include custom/cache.conf;

	map $sent_http_content_type $x_xss_protection {
	~*text/html "1; mode=block";
	}

	map $sent_http_content_type $x_frame_options {
	~*text/html SAMEORIGIN;
	}

	map $sent_http_content_type $referrer_policy {
	~*text/html "no-referrer-when-downgrade";
	}

	map $sent_http_content_type $content_security_policy {
	~*text/html "default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' data: secure.gravatar.com s.w.org; font-src 'self' data: fonts.gstatic.com; connect-src 'self'; object-src 'none'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests";
	}

	include /etc/nginx/conf.d/*.conf;
	}
	location ~* /\.(?!well-known\/) {
	deny all;
	}

	location ~* (?:#.*#\|\.(?:bak\|conf\|dist\|fla\|in[ci]\|log\|orig\|psd\|sh\|sql\|sw[op])\|~)$ {
	deny all;
	}

	location ~ /\.ht {
	deny all;
	}

	location ~ /\. {
	deny all;
	}

	location ~* ^/(?:wp-content\|wp-includes)/.*\.php$ {
	deny all;
	}

	location ~* ^/wp-content/uploads/.*\.(?:s?html?\|php\|js\|swf)$ {
	deny all;
	}

	if ($uri ~* "^.+(readme\|license\|example)\.(txt\|html)$") {
	return 404;
	}

	add_header X-XSS-Protection $x_xss_protection always;

	add_header X-Frame-Options $x_frame_options always;

	add_header X-Content-Type-Options nosniff always;

	add_header Referrer-Policy $referrer_policy always;

	add_header Content-Security-Policy $content_security_policy always;
	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 24h;

	ssl_session_tickets off;

	ssl_prefer_server_ciphers on;

	ssl_stapling on;
	ssl_stapling_verify on;
	resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
	resolver_timeout 2s;