NGINX Config
# Generate the Diffie-Hellman parameters referenced by ssl_dhparam in nginx.conf.
# 2048 bits matches the "recommended 2048 bits" note in the config; the output is
# public data (no secret), but the directory should be writable by root only.
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
# Worker processes run as the unprivileged nginx user; only the master stays root
# (it needs that to bind port 443 and to read the TLS private key).
user nginx;
# Fixed worker count; "auto" (nginx >= 1.3.8) would size this to the CPU count instead.
worker_processes 4;
pid /var/run/nginx.pid;
events {
    # Upper bound on simultaneous connections per worker (clients and upstreams combined).
    worker_connections 768;
    # multi_accept on;
}
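http {
    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # Do not advertise the exact nginx version in the Server header or on built-in error pages.
    server_tokens off;
    server_names_hash_bucket_size 64;
    # server_name_in_redirect off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##
    # Compressing TLS responses that mix attacker-influenced input with secrets (CSRF tokens,
    # session ids) enables compression side channels (BREACH); keep such dynamic responses out
    # of gzip_types if that applies to the application.
    gzip on;
    gzip_disable "msie6";
    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # nginx-naxsi config
    ##
    # Uncomment it if you installed nginx-naxsi
    ##
    #include /etc/nginx/naxsi_core.rules;

    ##
    # Security headers
    ##
    # add_header is not cumulative across levels: any server{} or location{} that uses its own
    # add_header drops every header defined here. Repeat these headers (or move them into an
    # included snippet) wherever a lower level sets add_header, otherwise they silently vanish.
    #
    # config to not allow the browser to render the page inside a frame or iframe
    # and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
    # if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
    # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
    add_header X-Frame-Options SAMEORIGIN;
    # when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
    # to disable content-type sniffing on some browsers.
    # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
    # currently supported in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
    # http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
    # 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
    add_header X-Content-Type-Options nosniff;
    # This header re-enables the legacy XSS filter built into older browsers. Current browsers have
    # removed that filter and it caused problems of its own, so it is left off here; a
    # Content-Security-Policy (below) is the supported replacement.
    # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
    # add_header X-XSS-Protection "1; mode=block";
    # with Content Security Policy (CSP) enabled(and a browser that supports it(http://caniuse.com/#feat=contentsecuritypolicy),
    # you can tell the browser that it can only download content from the domains you explicitly allow
    # http://www.html5rocks.com/en/tutorials/security/content-security-policy/
    # https://www.owasp.org/index.php/Content_Security_Policy
    # I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
    # directives for css and js(if you have inline css or js, you will need to keep it too).
    # more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
    # add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";

    ##
    # Flood Protect
    ##
    limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
    limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=10r/s;
    # Applied at http level so every virtual host inherits them. Previously these sat in a bare
    # server{} block: that did not apply the limits to the real virtual hosts, and a server{}
    # without listen/server_name becomes the default server for port 80, answering requests for
    # unknown Host names from the compiled-in document root.
    limit_conn conn_limit_per_ip 10;
    limit_req zone=req_limit_per_ip burst=10 nodelay;

    ##
    # Virtual Host Configs
    ##
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    # TLS 1.0 and 1.1 are deprecated; SSLv3 was already excluded. The TLSv1.3 keyword needs
    # nginx >= 1.13.0 to be accepted (and OpenSSL 1.1.1+ to take effect) -- drop it on older builds.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret suites only: static RSA key exchange and 3DES removed from the original list.
    ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES256:DHE+AES256:ECDHE+AES128:DHE+AES128:!aNULL:!MD5:!DSS:!3DES;
    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    # SSL Stapling - Certificate file must include the CA intermediate certificates. If multiple CAs, move into virtual host config.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/stapling.trusted.crt;
    # Resolver is used for the OCSP stapling fetch; queries go out as plain UDP DNS, so a local
    # or otherwise trusted resolver is preferable to a public one where available.
    resolver 8.8.4.4 8.8.8.8 valid=300s;
    resolver_timeout 10s;
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}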
# Application backends: two Unicorn workers reached over Unix sockets.
# fail_timeout=0 keeps a socket in rotation even after failed attempts.
# NOTE(review): sockets live in the world-writable /tmp; a dedicated directory
# owned by the app user and readable by nginx avoids interference by other local users.
upstream example-upstream {
    server unix:/tmp/.unicorn.sock.0 fail_timeout=0;
    server unix:/tmp/.unicorn.sock.1 fail_timeout=0;
}
# Per-vhost access log layout: host, client address, time, request line, status,
# request size, referer, user agent and total request time.
log_format example_log '$host $remote_addr [$time_local] "$request" $status $request_length "$http_referer" "$http_user_agent" $request_time';
# $example_ssl is "on" only for requests that arrived over https; it is derived from
# nginx's own $scheme, not from any client-supplied header, and feeds X-Forwarded-Ssl.
map $scheme $example_ssl {
    https on;
    default off;
}
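# Plain-HTTP listener: redirect everything to the TLS virtual host.
server {
    listen 80;
    server_name sub.example.com;
    # return 301 is the idiomatic form of the previous "rewrite ^ ... permanent"; the target
    # deliberately uses $server_name rather than $host so the client-supplied Host header
    # is never reflected into the Location header.
    return 301 https://$server_name$request_uri;
}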
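server {
    listen 443 ssl;
    server_name sub.example.com; # all accept
    ssl_certificate /srv/ssl/example.crt;
    # The key is read by the root master process before privileges drop; keep it mode 0600, root-owned.
    ssl_certificate_key /srv/ssl/example.key;

    # config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
    # to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
    # "always" (nginx >= 1.7.5) sends the header on error responses too. add_header is not
    # inherited by any location{} that defines its own add_header, so the HSTS line is repeated
    # in each such location below; without that, asset and favicon responses carried no HSTS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    access_log /var/log/nginx/example.access.log;
    error_log /var/log/nginx/example.error.log;
    client_max_body_size 3M;
    root /var/www/example/latest/public;

    # Fingerprinted assets (32-hex digest in the name) are immutable: cache for a year.
    location ~ "^/assets/(.*/)*.*-[0-9a-f]{32}.*" {
        gzip_static on; # to serve pre-gzipped version
        expires 1y;
        add_header Cache-Control public;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        # 'add_header ETag ""' was a no-op (add_header skips empty values); etag off suppresses it.
        etag off;
        break;
    }

    location ~ ^/assets/ {
        gzip_static on; # to serve pre-gzipped version
        add_header Cache-Control public;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        etag off;
        break;
    }

    location = /favicon.ico {
        add_header Cache-Control public;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        expires modified +30d;
    }

    location / {
        try_files $uri @example;
    }

    # Reverse proxy to the Unicorn upstream for anything not served from disk.
    location @example {
        proxy_set_header HOST $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Deliberately $remote_addr, not $proxy_add_x_forwarded_for: nginx is the edge here and
        # any X-Forwarded-For sent by the client must not be trusted or forwarded.
        proxy_set_header X-Forwarded-For $remote_addr;
        # $scheme is what nginx actually negotiated ("https" in this server). The previous value,
        # $http_x_forwarded_proto, echoed whatever the client chose to send, letting a client
        # tell the application its request was plain http (or https) at will.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Ssl $example_ssl;
        proxy_pass http://example-upstream;
        proxy_redirect off;
    }
}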