nginx.vhost.template.php8.2.conf
# Derive the Connection header to send upstream from the client's Upgrade
# header: "upgrade" when the client asks for a protocol upgrade (WebSocket),
# "close" when it does not.  Only consumed by the (disabled) Octane proxy
# block below; harmless when unused.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}
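# Server block for each website or application
server {
    # TLS + HTTP/2 on IPv4 and IPv6.  nginx >= 1.25.1 prefers a separate
    # "http2 on;" directive; the listen-parameter form still works.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name SITE_DOMAIN;
    # Serve only the application's public/ directory, never the project root.
    root /var/www/html/PROJECT_DIR/public/;
    # Upload limit; lower it if the application does not need 1 GiB uploads.
    client_max_body_size 1024M;

    # ---- Security response headers ----
    # nginx emits every add_header defined at a level, so a header listed
    # twice is sent twice (the original set X-Frame-Options twice).  "always"
    # attaches the header to 4xx/5xx responses too, not only 2xx/3xx.
    # Maintainers: an add_header inside a location block REPLACES this whole
    # set, so such locations must repeat these headers (see the fonts block).

    # Prevent clickjacking: allow framing only by same-origin pages.
    # "DENY" is stricter and fine if the site never frames itself.
    add_header X-Frame-Options "SAMEORIGIN" always;
    # Legacy header kept for old browsers; current ones ignore it.
    add_header X-XSS-Protection "1; mode=block" always;
    # Stop MIME-type sniffing of responses.
    add_header X-Content-Type-Options "nosniff" always;
    # Control how much referrer information is sent with requests.
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    # Content Security Policy: defines which sources the browser may load.
    # Left disabled until tuned per application; the sample policy's
    # 'unsafe-inline' / 'unsafe-eval' largely neutralise script-src.
    # add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';" always;
    # HSTS: browsers use HTTPS only for this host (and subdomains) for one
    # year after the first visit.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    # HPKP (Public-Key-Pins) is deprecated and no longer honoured by browsers;
    # pinning the wrong key would lock clients out for max-age, so the
    # header is intentionally not sent.
    # add_header Public-Key-Pins 'pin-sha256="base64+primary=="; pin-sha256="base64+backup=="; max-age=5184000; includeSubDomains; preload';

    # ---- TLS ----
    # Self-signed placeholder files; replace with the real certificate chain
    # and private key (the key file should be readable by root/nginx only).
    ssl_certificate /etc/ssl/SITE_DOMAIN/selfsigned.crt;
    ssl_certificate_key /etc/ssl/SITE_DOMAIN/selfsigned.key;
    # CA bundle: required by ssl_stapling_verify; enable with a CA-issued cert.
    # ssl_trusted_certificate /etc/ssl/SITE_DOMAIN/ca_bundle.crt;
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    # With an all-AEAD list the client's preference order is acceptable.
    ssl_prefer_server_ciphers off;
    # DH parameters for the DHE suites listed above.
    ssl_dhparam /etc/ssl/dhparams-2048.pem;
    # Resume sessions through the shared server-side cache, not tickets.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    # OCSP stapling: only effective with a CA-issued certificate, and
    # ssl_stapling_verify needs the ssl_trusted_certificate line above.
    ssl_stapling on;
    ssl_stapling_verify on;
    # Resolver for OCSP lookups: plain DNS to public resolvers, so point it
    # at an internal resolver where policy requires.
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    index index.html index.htm index.php;
    charset utf-8;

    # Per-site access and error logs.
    access_log /var/log/nginx/SITE_DOMAIN.access.log;
    error_log /var/log/nginx/SITE_DOMAIN.error.log;

    # Only the listed methods reach the application.  PATCH is not in the
    # list, so clients sending real PATCH requests get 405 (form-based
    # method spoofing over POST is unaffected).
    if ($request_method !~ ^(GET|POST|PUT|DELETE|HEAD|OPTIONS)$) {
        return 405;
    }

    # Let the framework render its own 404 page.
    error_page 404 /index.php;

    # Front controller: static file, then directory, else the framework.
    location / {
        # Rate limiting; zone "one" must be declared with limit_req_zone in
        # the http context (not part of this template).
        limit_req zone=one burst=5 nodelay;
        try_files $uri $uri/ /index.php?$query_string;
    }

    # octane (Laravel Octane reverse-proxy target, disabled)
    #location @octane {
    #    set $suffix "";
    #
    #    if ($uri = /index.php) {
    #        set $suffix ?$query_string;
    #    }
    #
    #    proxy_http_version 1.1;
    #    proxy_set_header Host $http_host;
    #    proxy_set_header Scheme $scheme;
    #    proxy_set_header SERVER_PORT $server_port;
    #    proxy_set_header REMOTE_ADDR $remote_addr;
    #    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #    proxy_set_header Upgrade $http_upgrade;
    #    proxy_set_header Connection $connection_upgrade;
    #
    #    proxy_pass http://127.0.0.1:8000$suffix;
    #}

    # Dotfiles and dot-directories (.env, .git, ...) are denied, except
    # /.well-known/ for ACME and similar.  Declared BEFORE the PHP location:
    # regex locations are tried in order of appearance, so this must win
    # over "\.php$" for paths such as /.git/hooks/x.php.
    location ~ /\.(?!well-known).* {
        deny all;
    }

    # PHP via PHP-FPM 8.2
    location ~ \.php$ {
        # Refuse scripts that do not exist on disk (blocks PATH_INFO tricks
        # such as /uploads/image.jpg/x.php).
        try_files $uri =404;
        fastcgi_pass unix:/run/php/php8.2-fpm.sock;
        include fastcgi_params;
        fastcgi_index index.php;
        # After the include so it overrides anything fastcgi_params sets.
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # fastcgi_buffers 8 16k;
        # fastcgi_buffer_size 32k;
        # FastCGI cache: inert until fastcgi_cache is enabled.  The cache zone
        # "my_cache" and the $no_cache variable (e.g. a map on cookies or
        # methods) must be defined in the http context; an undefined
        # $no_cache makes nginx reject the configuration.
        # fastcgi_cache my_cache;
        fastcgi_cache_valid 200 301 302 5m;
        fastcgi_cache_methods GET HEAD;
        fastcgi_cache_bypass $no_cache;
        fastcgi_no_cache $no_cache;
        fastcgi_cache_key $scheme$request_method$host$request_uri;
        # One hour: a slow request holds a worker connection that long;
        # lower it if no request legitimately runs for so long.
        fastcgi_read_timeout 3600;
    }

    # favicon
    location = /favicon.ico {
        access_log off;
        log_not_found off;
    }

    # robots
    location = /robots.txt {
        access_log off;
        log_not_found off;
    }

    # Static assets and media: cache for a day, no access logging.
    location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
        expires 1d;
        access_log off;
    }

    # SVG and fonts: cache for a week, allow cross-origin loading.
    location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
        add_header Access-Control-Allow-Origin "*";
        # An add_header in this block discards the server-level set, so the
        # security headers are repeated here (SVG can carry script, so they
        # still matter for these responses).
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        expires 7d;
        access_log off;
    }

    # Livewire serves its JS through a framework route; this exact match wins
    # over the "\.js" asset location above, so the file is not cached for a
    # day and falls through to index.php when absent on disk.
    location = /livewire/livewire.js {
        expires off;
        try_files $uri $uri/ /index.php?$query_string;
    }
}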