Last active
July 11, 2023 11:14
-
-
Save mtigas/8601685 to your computer and use it in GitHub Desktop.
Nginx configuration for securedrop.propublica.org. (Based on Ubuntu 13.10 / Nginx 1.4.1 default config.)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This configuration file is provided on an "as is" basis, | |
| # with no warranties or representations, and any use of it | |
| # is at the user's own risk. | |
| # | |
| # You will need to edit domain name information, IP addresses for | |
| # redirection (at the bottom), SSL certificate and key paths, and | |
| # the "Public-Key-Pins" header. Search for any instance of "TODO". | |
| user www-data; | |
| worker_processes 4; | |
| pid /run/nginx.pid; | |
| events { | |
| worker_connections 768; | |
| } | |
| http { | |
| sendfile on; | |
| tcp_nopush on; | |
| tcp_nodelay on; | |
| keepalive_timeout 65; | |
| types_hash_max_size 2048; | |
| include /etc/nginx/mime.types; | |
| default_type application/octet-stream; | |
| # Turn off logs | |
| access_log off; | |
| error_log off; | |
| gzip on; | |
| gzip_disable "msie6"; | |
| ##### | |
| # SSL host | |
| ##### | |
| server { | |
| listen 443 ssl; | |
| server_name securedrop.example.com; # TODO | |
| # SEE THESE LINKS REGARDING HOW TO CONFIGURE THIS HEADER | |
| # http://tools.ietf.org/html/draft-ietf-websec-key-pinning-09 | |
| # http://blog.stalkr.net/2011/08/hsts-preloading-public-key-pinning-and.html | |
| # NOTE: only valid on SSL version of domain | |
| add_header "Public-Key-Pins" "TODO"; | |
| add_header "Strict-Transport-Security" "max-age=31536000"; | |
| add_header "Cache-Control" "max-age=0, no-cache, no-store, must-revalidate"; | |
| add_header "Pragma" "no-cache"; | |
| add_header "Expires" "-1"; | |
| add_header "X-Frame-Options" "DENY"; | |
| add_header "X-XSS-Protection" "1; mode=block"; | |
| add_header "X-Content-Type-Options" "nosniff"; | |
| add_header "X-Download-Options" "noopen"; | |
| add_header "X-Permitted-Cross-Domain-Policies" "master-only"; | |
| add_header "Content-Security-Policy" "default-src 'self'"; | |
| add_header "X-Content-Security-Policy" "default-src 'self'"; | |
| server_tokens off; | |
| ssl on; | |
| ssl_session_cache shared:SSL:5m; | |
| ssl_session_timeout 5m; | |
| ssl_certificate_key /path/to/ssl_certificate.key; # TODO | |
| ssl_certificate /path/to/ssl_certificate.crt; # TODO | |
| ssl_stapling on; | |
| ssl_trusted_certificate /path/to/ssl_certificate.crt; # TODO | |
| # Stronger Diffie-Hellman key exchange, using 4096bit key. | |
| # (Default is a server-generated 1024bit key.) Comment out | |
| # if you need to support older than IE8 or Java 7. | |
| # Create this file with: | |
| # openssl dhparam -out /etc/nginx/dhparam4096.pem -rand /dev/urandom 4096 | |
| ssl_dhparam /etc/nginx/dhparam4096.pem; | |
| ################### | |
| # Disable SSLv2 by not including it in this list. | |
| # Add SSLv3 back in if you need to support IE6 (or older) clients | |
| ################### | |
| ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |
| ################### | |
| # List of 18 or 19 ciphersuites, in descending security order preference: | |
| # 12 TLS 1.2 suites, 4 fallbacks with PFS, 3-4 fallbacks for compatibility. | |
| # | |
| # Expanded list: https://gist.github.com/mtigas/8591092/raw/gistfile1.txt | |
| # | |
| # If you need to support IE WinXP (or older) clients, add "DES-CBC3-SHA" | |
| # after "kEDH+AES128". | |
| ################### | |
| ssl_ciphers 'kEECDH+ECDSA+AESGCM kEECDH+AESGCM kEECDH+ECDSA+AES256 kEECDH+ECDSA+AES128 kEECDH+AES256 kEECDH+AES128 kEDH+AESGCM kEDH+AES256 kEDH+AES128 +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED'; | |
| ssl_prefer_server_ciphers on; | |
| root /home/ubuntu/html; # TODO | |
| index index.html index.htm; | |
| charset utf-8; | |
| } | |
| ##### | |
| # domain name redirect virtualhost | |
| ##### | |
| server { | |
| # Redirect HTTP access to the HTTPS instance. | |
| listen 80; | |
| server_name securedrop.example.com; # TODO | |
| rewrite ^/(.*) https://securedrop.example.com/$1 permanent; # TODO | |
| add_header "Strict-Transport-Security" "max-age=31536000"; | |
| add_header "Cache-Control" "max-age=0, no-cache, no-store, must-revalidate"; | |
| add_header "Pragma" "no-cache"; | |
| add_header "Expires" "-1"; | |
| add_header "X-Frame-Options" "DENY"; | |
| add_header "X-XSS-Protection" "1; mode=block"; | |
| add_header "X-Content-Type-Options" "nosniff"; | |
| add_header "X-Download-Options" "noopen"; | |
| add_header "X-Permitted-Cross-Domain-Policies" "master-only"; | |
| add_header "Content-Security-Policy" "default-src 'self'"; | |
| add_header "X-Content-Security-Policy" "default-src 'self'"; | |
| server_tokens off; | |
| } | |
| ##### | |
| # other virtualhosts | |
| ##### | |
| server { | |
| # Redirect any other plain HTTP access to this server. (Same as above, but | |
| # without the Strict-Transport-Security header.) | |
| listen 80; | |
| # List ALL IPs/hostnames that can get to this machine. | |
| server_name 127.0.0.1 123.123.123.123; # TODO | |
| rewrite ^/(.*) https://securedrop.example.com/$1 permanent; # TODO | |
| add_header "Cache-Control" "max-age=0, no-cache, no-store, must-revalidate"; | |
| add_header "Pragma" "no-cache"; | |
| add_header "Expires" "-1"; | |
| add_header "X-Frame-Options" "DENY"; | |
| add_header "X-XSS-Protection" "1; mode=block"; | |
| add_header "X-Content-Type-Options" "nosniff"; | |
| add_header "X-Download-Options" "noopen"; | |
| add_header "X-Permitted-Cross-Domain-Policies" "master-only"; | |
| add_header "Content-Security-Policy" "default-src 'self'"; | |
| add_header "X-Content-Security-Policy" "default-src 'self'"; | |
| server_tokens off; | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment