leg0ffant/nginx.conf

## nginx.conf
#read more here http://tautt.com/best-nginx-configuration-for-security/

#don't send the nginx version number in error pages and Server header
server_tokens off;

# config to don't allow the browser to render the page inside an frame or iframe
# and avoid clickjacking
add_header X-Frame-Options SAMEORIGIN;

# when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
# to disable content-type sniffing on some browsers.
add_header X-Content-Type-Options nosniff;

# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
add_header X-XSS-Protection "1; mode=block";

# Server SSL Configuration
server {
	listen 443 ssl default deferred;
	server_name domain.com;

	ssl_certificate /etc/nginx/ssl/star_domain_com.crt;
	ssl_certificate_key /etc/nginx/ssl/star_domain_com.key;

	# enable session resumption to improve https performance
	ssl_session_cache shared:SSL:50m;
	ssl_session_timeout 5m;

	# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
	ssl_dhparam /etc/nginx/ssl/dhparam.pem;

	# enables server-side protection from BEAST attacks
	ssl_prefer_server_ciphers on;
	# disable SSLv3
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	# ciphers chosen for forward secrecy and compatibility
	# http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK';

	# enable ocsp stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner)
	# http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
	resolver 8.8.8.8;
	ssl_stapling on;
	ssl_trusted_certificate /etc/nginx/ssl/star_domain_com.crt;

	# config to enable HSTS
	# to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";


        client_body_in_file_only clean;
        client_body_buffer_size 32K;
        client_max_body_size 300M;
        sendfile on;
        send_timeout 720s;
        access_log /var/log/nginx/domain.com.access.log;
        error_log /var/log/nginx/domain.com.error.log;
        root /usr/share/nginx/www/domain.com;
        index index.php index.html index.htm;

        location = /favicon.ico {
                log_not_found off;
                access_log off;
        }

        location = /robots.txt {
                allow all;
                log_not_found off;
                access_log off;
        }

	#the rewrite root location Wordpress
        location / {
                try_files $uri $uri/ /index.php$is_args$args;
                 }

                  # Add trailing slash to */wp-admin requests.
                 rewrite /wp-admin$ $scheme://$host$uri/ permanent;

                 location ~*  \.(jpg|jpeg|png|gif|css|js|ico)$ {
                expires max;
                log_not_found off;
                 }
	# PHP5-FPM SOCKET CONFIGURATION

       location ~ \.php$ {
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                try_files $uri =404;
                include fastcgi_params;
                fastcgi_pass unix:/var/run/php5-fpm.sock;
                fastcgi_index index.php;
          }

        # Prevent access to Apache .htaccess/.htpasswd files
        location ~ /\.ht {
            deny  all;
        }
        # Allow access to /wp-admin/ only to a specific IP address
        location ~* wp-admin {
            try_files $uri $uri/ =404;
            allow X.X.X.X.X;
            allow 127.0.0.1;
            deny all;
        }

        # Common deny or internal locations, to help prevent access to not-public areas
        location ~* wp-admin/includes { deny all; }
        location ~* wp-includes/theme-compat/ { deny all; }
        location ~* wp-includes/js/tinymce/langs/.*\.php { deny all; }
        location /wp-content/ { internal; }
        location /wp-includes/ { internal; }
        location ~* wp-config.php { deny all; }


        # Redirect 403 errors to 404 error to fool attackers
        error_page 403 = 404;


}

# redirect all http traffic to https
server {
	listen 80;
	server_name .domain.com;
	rewrite ^ https://$host$request_uri permanent;
}
	#read more here http://tautt.com/best-nginx-configuration-for-security/

	#don't send the nginx version number in error pages and Server header
	server_tokens off;

	# config to don't allow the browser to render the page inside an frame or iframe
	# and avoid clickjacking
	add_header X-Frame-Options SAMEORIGIN;

	# when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
	# to disable content-type sniffing on some browsers.
	add_header X-Content-Type-Options nosniff;

	# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
	add_header X-XSS-Protection "1; mode=block";

	# Server SSL Configuration
	server {
	listen 443 ssl default deferred;
	server_name domain.com;

	ssl_certificate /etc/nginx/ssl/star_domain_com.crt;
	ssl_certificate_key /etc/nginx/ssl/star_domain_com.key;

	# enable session resumption to improve https performance
	ssl_session_cache shared:SSL:50m;
	ssl_session_timeout 5m;

	# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
	ssl_dhparam /etc/nginx/ssl/dhparam.pem;

	# enables server-side protection from BEAST attacks
	ssl_prefer_server_ciphers on;
	# disable SSLv3
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	# ciphers chosen for forward secrecy and compatibility
	# http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK';

	# enable ocsp stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner)
	# http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
	resolver 8.8.8.8;
	ssl_stapling on;
	ssl_trusted_certificate /etc/nginx/ssl/star_domain_com.crt;

	# config to enable HSTS
	# to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
	add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";


	client_body_in_file_only clean;
	client_body_buffer_size 32K;
	client_max_body_size 300M;
	sendfile on;
	send_timeout 720s;
	access_log /var/log/nginx/domain.com.access.log;
	error_log /var/log/nginx/domain.com.error.log;
	root /usr/share/nginx/www/domain.com;
	index index.php index.html index.htm;

	location = /favicon.ico {
	log_not_found off;
	access_log off;
	}

	location = /robots.txt {
	allow all;
	log_not_found off;
	access_log off;
	}

	#the rewrite root location Wordpress
	location / {
	try_files $uri $uri/ /index.php$is_args$args;
	}

	# Add trailing slash to */wp-admin requests.
	rewrite /wp-admin$ $scheme://$host$uri/ permanent;

	location ~* \.(jpg\|jpeg\|png\|gif\|css\|js\|ico)$ {
	expires max;
	log_not_found off;
	}
	# PHP5-FPM SOCKET CONFIGURATION

	location ~ \.php$ {
	fastcgi_split_path_info ^(.+\.php)(/.+)$;
	try_files $uri =404;
	include fastcgi_params;
	fastcgi_pass unix:/var/run/php5-fpm.sock;
	fastcgi_index index.php;
	}

	# Prevent access to Apache .htaccess/.htpasswd files
	location ~ /\.ht {
	deny all;
	}
	# Allow access to /wp-admin/ only to a specific IP address
	location ~* wp-admin {
	try_files $uri $uri/ =404;
	allow X.X.X.X.X;
	allow 127.0.0.1;
	deny all;
	}

	# Common deny or internal locations, to help prevent access to not-public areas
	location ~* wp-admin/includes { deny all; }
	location ~* wp-includes/theme-compat/ { deny all; }
	location ~* wp-includes/js/tinymce/langs/.*\.php { deny all; }
	location /wp-content/ { internal; }
	location /wp-includes/ { internal; }
	location ~* wp-config.php { deny all; }


	# Redirect 403 errors to 404 error to fool attackers
	error_page 403 = 404;


	}

	# redirect all http traffic to https
	server {
	listen 80;
	server_name .domain.com;
	rewrite ^ https://$host$request_uri permanent;
	}