Last active

Embed URL

HTTPS clone URL

SSH clone URL

You can clone with HTTPS or SSH.

Download Gist

Nginx configuration for securedrop.propublica.org. (Based on Ubuntu 13.10 / Nginx 1.4.1 default config.)

View nginx.conf
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147
# This configuration file is provided on an "as is" basis,
# with no warranties or representations, and any use of it
# is at the user's own risk.
#
# You will need to edit domain name information, IP addresses for
# redirection (at the bottom), SSL certificate and key paths, and
# the "Public-Key-Pins" header. Search for any instance of "TODO".
 
user www-data;
worker_processes 4;
pid /run/nginx.pid;
 
events {
worker_connections 768;
}
 
http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
 
include /etc/nginx/mime.types;
default_type application/octet-stream;
 
# Turn off logs
access_log off;
error_log off;
 
gzip on;
gzip_disable "msie6";
 
#####
# SSL host
#####
server {
listen 443 ssl;
server_name securedrop.example.com; # TODO
 
# SEE THESE LINKS REGARDING HOW TO CONFIGURE THIS HEADER
# http://tools.ietf.org/html/draft-ietf-websec-key-pinning-09
# http://blog.stalkr.net/2011/08/hsts-preloading-public-key-pinning-and.html
# NOTE: only valid on SSL version of domain
add_header "Public-Key-Pins" "TODO";
 
add_header "Strict-Transport-Security" "max-age=31536000";
 
add_header "Cache-Control" "max-age=0, no-cache, no-store, must-revalidate";
add_header "Pragma" "no-cache";
add_header "Expires" "-1";
add_header "X-Frame-Options" "DENY";
add_header "X-XSS-Protection" "1; mode=block";
add_header "X-Content-Type-Options" "nosniff";
add_header "X-Download-Options" "noopen";
add_header "X-Permitted-Cross-Domain-Policies" "master-only";
add_header "Content-Security-Policy" "default-src 'self'";
add_header "X-Content-Security-Policy" "default-src 'self'";
server_tokens off;
 
ssl on;
ssl_session_cache shared:SSL:5m;
ssl_session_timeout 5m;
ssl_certificate_key /path/to/ssl_certificate.key; # TODO
ssl_certificate /path/to/ssl_certificate.crt; # TODO
 
ssl_stapling on;
ssl_trusted_certificate /path/to/ssl_certificate.crt; # TODO
 
# Stronger Diffie-Hellman key exchange, using 4096bit key.
# (Default is a server-generated 1024bit key.) Comment out
# if you need to support older than IE8 or Java 7.
# Create this file with:
# openssl dhparam -out /etc/nginx/dhparam4096.pem -rand /dev/urandom 4096
ssl_dhparam /etc/nginx/dhparam4096.pem;
 
###################
# Disable SSLv2 by not including it in this list.
# Add SSLv3 back in if you need to support IE6 (or older) clients
###################
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 
###################
# List of 18 or 19 ciphersuites, in descending security order preference:
# 12 TLS 1.2 suites, 4 fallbacks with PFS, 3-4 fallbacks for compatibility.
#
# Expanded list: https://gist.github.com/mtigas/8591092/raw/gistfile1.txt
#
# If you need to support IE WinXP (or older) clients, add "DES-CBC3-SHA"
# after "kEDH+AES128".
###################
ssl_ciphers 'kEECDH+ECDSA+AESGCM kEECDH+AESGCM kEECDH+ECDSA+AES256 kEECDH+ECDSA+AES128 kEECDH+AES256 kEECDH+AES128 kEDH+AESGCM kEDH+AES256 kEDH+AES128 +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';
ssl_prefer_server_ciphers on;
 
root /home/ubuntu/html; # TODO
index index.html index.htm;
charset utf-8;
}
#####
# domain name redirect virtualhost
#####
server {
# Redirect HTTP access to the HTTPS instance.
 
listen 80;
server_name securedrop.example.com; # TODO
rewrite ^/(.*) https://securedrop.example.com/$1 permanent; # TODO
 
add_header "Strict-Transport-Security" "max-age=31536000";
 
add_header "Cache-Control" "max-age=0, no-cache, no-store, must-revalidate";
add_header "Pragma" "no-cache";
add_header "Expires" "-1";
add_header "X-Frame-Options" "DENY";
add_header "X-XSS-Protection" "1; mode=block";
add_header "X-Content-Type-Options" "nosniff";
add_header "X-Download-Options" "noopen";
add_header "X-Permitted-Cross-Domain-Policies" "master-only";
add_header "Content-Security-Policy" "default-src 'self'";
add_header "X-Content-Security-Policy" "default-src 'self'";
server_tokens off;
}
#####
# other virtualhosts
#####
server {
# Redirect any other plain HTTP access to this server. (Same as above, but
# without the Strict-Transport-Security header.)
 
listen 80;
# List ALL IPs/hostnames that can get to this machine.
server_name 127.0.0.1 123.123.123.123; # TODO
rewrite ^/(.*) https://securedrop.example.com/$1 permanent; # TODO
 
add_header "Cache-Control" "max-age=0, no-cache, no-store, must-revalidate";
add_header "Pragma" "no-cache";
add_header "Expires" "-1";
add_header "X-Frame-Options" "DENY";
add_header "X-XSS-Protection" "1; mode=block";
add_header "X-Content-Type-Options" "nosniff";
add_header "X-Download-Options" "noopen";
add_header "X-Permitted-Cross-Domain-Policies" "master-only";
add_header "Content-Security-Policy" "default-src 'self'";
add_header "X-Content-Security-Policy" "default-src 'self'";
server_tokens off;
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.