Skip to content

Instantly share code, notes, and snippets.

@tsucaet
Last active March 21, 2016 16:29
Show Gist options
  • Save tsucaet/481fc94f6f6bd381865b to your computer and use it in GitHub Desktop.
Save tsucaet/481fc94f6f6bd381865b to your computer and use it in GitHub Desktop.
Nginx Lucee Mura configuration
user nginx;
worker_processes 2;
error_log /var/log/nginx/error.log error;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
# server_names_hash_bucket_size controls the maximum length of a virtual host entry (ie the length of the domain name).
server_names_hash_bucket_size 64;
client_max_body_size 10M; # allows file uploads up to 10 megabytes
# Set index files
index index.cfm index.htm;
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log off;
sendfile on;
server_tokens off; ## do not send nginx version
## Compression
gzip on;
gzip_comp_level 2;
gzip_min_length 1000;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain text/css application/json application/x-javascript application/javascript text/javascript text/xml application/xml application/xml+rss;
gzip_vary on;
server {
listen 80;
listen [::]:80; #when ipv6 is enabled;
listen 443 ssl;
listen [::]:443 ssl; #when ipv6 is enabled;
server_name www.domain.com;
root /var/www/domain.com/html;
#Enable Nginx Status Page
location /nginx_status {
stub_status on∏ access_log off;
allow <myLocalIPAddress>;
deny all;
}
include include.d/ssl.conf;
keepalive_timeout 20; #20 seconds
include include.d/security-headers.conf;
location / {
try_files $uri $uri/ @rewrites;
}
#set indexfileinurls=0 in Mura's settings.ini.cfm
location @rewrites {
rewrite ^/(.*)? /index.cfm/$1 last;
rewrite ^ /index.cfm last;
}
access_log /var/log/nginx/domain.com/access.log;
error_log /var/log/nginx/domain.com/error.log error;
include include.d/common.conf;
# Restrict access to admin of Lucee
location ~* /lucee/(admin|doc)/ {
## allow local IPs and deny all others
allow <myLocalIpAddress>;
allow ::1;
allow 127.0.0.1;
deny all;
include include.d/proxy-params;
}
# Main Railo/Lucee proxy handler
location ~ \.(cfm|cfml|cfc|jsp|cfr)(.*)$ {
include include.d/proxy-params;
}
}
}
# Some basic cache-control for static files to be sent to the browser
location ~* \.(?:jpg|jpeg|gif|png|ico|gz|svg|svgz|ttf|otf|woff|eot|mp4|ogg|ogv|webm|js|css)$ {
expires 1M;
#expires modified +90d;
access_log off;
add_header Pragma public;
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
}
location ~ /WEB-INF/ { access_log off; log_not_found off; deny all; }
location ~ /META-INF/ { access_log off; log_not_found off; deny all; }
location ~ /META-INF/ { return 404; }
location ~ /WEB-INF/ { return 404; }
location ~ \.config$ { return 404; }
location ~ /\. { return 404; } ## e.g. .htaccess, .gitignore etc.
location ~ ~$ { return 404; }
location ~ \.aspx?$ { return 404; } ## most likely hackers testing the site
location ~ \.php$ { return 404; }
# this prevents hidden files (beginning with a period) from being served
location ~ /\. {
access_log off; log_not_found off; deny all;
}
# Do not log missing favicon.ico errors
location ^/(favicon\.ico|apple-touch-icon.*\.png)$ {
access_log off; log_not_found off;
}
location = /robots.txt {
access_log off; log_not_found off;
}
# Point Nginx to Tomcat/Railo
proxy_pass http://127.0.0.1:8888;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
expires epoch;
##** if connecting to Tomcat, use Tomcat's RemoteIpValve to resolve CGI.REMOTE_ADDR, CGI.SERVER_NAME, and CGI.SERVER_PORT_SECURE
##** <Valve className="org.apache.catalina.valves.RemoteIpValve" protocolHeader="X-Forwarded-Proto" remoteIpHeader="X-Forwarded-For" protocolHeaderHttpsValue="https" />
#see https://www.owasp.org/index.php/List_of_useful_HTTP_headers
# If you are able, you should consider enabling HSTS (HTTP Strict Transport Security) mechanism, which let browsers to communicate with your websites only over HTTPS protoocl.
# This mechanism is very important to reduce man in the middle attacks, for example. In order to enable HSTS on Nginx, you should need to add this code to your virtual host or server block of your site:
# tell users to go to SSL version next time
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains;";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
# Turn on SSL; Specify certificate & key
# cert-1234.domain.com.pem (concatenation of signed certificate + intermediate certs (ROOT cert not needed))
ssl_certificate /etc/nginx/ssl/certs/cert-1234.domain.com.pem;
ssl_certificate_key /etc/nginx/ssl/private/domain.com.key;
# error_page 497 allows for handling a redirect from HTTP to another URL (just a redirect to HTTPS)
#error_page 497 https://$host:$server_port$request_uri;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
# Forward Secrecy & Diffie Hellman Ephemeral Parameters
# With Forward Secrecy, if an attacker gets a hold of the server's private key, it will not be able to decrypt past communications. The private key is only used to sign the DH handshake, which does not reveal the pre-master key. Diffie-Hellman ensures that the pre-master keys never leave the client and the server, and cannot be intercepted by a MITM.
# All versions of nginx as of 1.4.4 rely on OpenSSL for input parameters to Diffie-Hellman (DH). Unfortunately, this means that Ephemeral Diffie-Hellman (DHE) will use OpenSSL's defaults, which include a 1024-bit key for the key-exchange. Since we're using a 2048-bit certificate, DHE clients will use a weaker key-exchange than non-ephemeral DH clients.
# We need generate a stronger DHE parameter with this command 'openssl dhparam -out dhparam.pem 4096' (in /etc/nginx/ssl/certs)
ssl_dhparam /etc/nginx/ssl/certs/dhparam.pem;
ssl_session_cache shared:SSL:10m;
#ssl_session_cache off;
ssl_session_timeout 10m;
# Enable OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.4.4 8.8.8.8 valid=300s; #Google public DNS
resolver_timeout 5s;
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment