@notlmn
Last active July 4, 2020 09:14
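# nginx configuration file, mostly gathered from:
# * https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1d&guideline=5.4
# * https://infosec.mozilla.org/guidelines/web_security
# * https://gist.github.com/plentz/6737338
# * https://gist.github.com/mikhailov/3052776
#
# starting nginx (validate first with `nginx -t -c $(pwd)/nginx.conf -p $(pwd)`)
# nginx -c $(pwd)/nginx.conf -p $(pwd)

# auto-select number of worker processes by default spins up `n` workers
# where `n` is the number of processing cores on the CPU being run on
worker_processes auto;

events {
    # `epoll` is Linux-only; on other platforms drop this line and let nginx
    # pick the best event method it was built with
    use epoll;
    worker_connections 2048;
}

http {
    # don't show nginx version in `server` header
    # (`server_tokens` is only valid in http/server/location context, so it
    # must live here rather than at the top level of the file)
    server_tokens off;

    # stop nginx from padding response to 512 bytes (for IE)
    msie_padding off;

    # enable compression via gzip (average mode compression, all files)
    # NOTE: compressing HTTPS responses that mix a secret (session or CSRF
    # token) with attacker-influenced input is the precondition for BREACH;
    # narrow `gzip_types` to static asset types if the upstream serves such pages
    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 5;
    gzip_min_length 1100;
    gzip_buffers 64 8k;
    gzip_types *;

    # websocket support: send `Connection: upgrade` upstream only when the
    # client actually asked for an upgrade, otherwise `close` (the pattern
    # from the nginx WebSocket proxying documentation)
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    # Main HTTPS server
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        # hostnames to be handled by this server
        server_name "localhost" ".example.com";
        # used to look up the OCSP responder for stapling; these queries are
        # plain DNS, the stapled response itself is still checked by ssl_stapling_verify
        resolver "1.1.1.1" "8.8.8.8" "8.8.4.4";

        # ssl configuration
        # (`ssl on;` dropped: deprecated since nginx 1.15.0 and redundant with
        # `listen ... ssl` above; newer releases reject it outright)
        ssl_certificate "/path/to/signed_cert_plus_intermediates";
        ssl_certificate_key "/path/to/private_key";
        ssl_session_timeout 1d;
        ssl_session_cache "shared:SSL:10m";
        # nginx does not rotate its session-ticket key, so a long-lived key
        # would undermine forward secrecy; keep tickets off
        ssl_session_tickets off;
        # OCSP stapling
        ssl_stapling on;
        ssl_stapling_verify on;
        # verify chain of trust of OCSP response using Root CA and Intermediate certs
        ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
        # Intermediate configuration
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers off;
        # the DHE-* suites above are only offered once DH parameters are set
        # (nginx >= 1.11.0 sets none by default); the Mozilla generator pairs
        # them with the ffdhe2048 group:
        # ssl_dhparam "/path/to/dhparam";
        # Modern configuration
        # ssl_protocols TLSv1.3;

        # security headers
        # NOTE: `add_header` is not additive across contexts: any `add_header`
        # inside a `location` block replaces ALL of the headers set here, so
        # either keep per-location headers out or repeat the whole set there.
        # `preload` requires max-age >= 31536000 (1 year); Mozilla's two-year
        # value is used. Preloading is effectively permanent for the domain and
        # every subdomain, so only submit once everything is served over HTTPS.
        add_header "Strict-Transport-Security" "max-age=63072000; includeSubDomains; preload" always;
        add_header "X-Frame-Options" "SAMEORIGIN" always;
        # legacy header: current browsers have removed the XSS auditor, so CSP
        # below is the effective control; kept for older clients
        add_header "X-XSS-Protection" "1; mode=block" always;
        add_header "X-Content-Type-Options" "nosniff" always;
        add_header "Referrer-Policy" "same-origin" always;
        # add CSP and FP per site (the example below still allows 'unsafe-inline',
        # which gives up most of CSP's script protection; tighten it per site)
        # add_header "Content-Security-Policy" "default-src 'none'; script-src example.com 'unsafe-inline'; style-src example.com 'unsafe-inline'; img-src *" always;
        # add_header "Feature-Policy" "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'" always;
        # force Secure/HttpOnly onto cookies set by the upstream, do this if
        # you are very damn sure. The directive is `proxy_cookie_path` (there is
        # no `proxy_cookie_pass`); nginx >= 1.19.3 has `proxy_cookie_flags`,
        # which is the cleaner tool for the same job
        # proxy_cookie_path / "/; HTTPOnly; Secure";

        # start proxying from the root directory
        location "/" {
            # master server that handles all inbound requests
            proxy_pass "http://127.0.0.1:8080";
            # websocket upgrade needs HTTP/1.1 to the upstream (the default is
            # HTTP/1.0, which cannot carry `Upgrade`)
            proxy_http_version 1.1;
            proxy_set_header "Upgrade" $http_upgrade;
            proxy_set_header "Connection" $connection_upgrade;
            proxy_set_header "Host" $host;
            proxy_set_header "X-Real-IP" $remote_addr;
            # tell the upstream the client address chain and that the original
            # request was HTTPS (needed for correct Secure cookies and redirects)
            proxy_set_header "X-Forwarded-For" $proxy_add_x_forwarded_for;
            proxy_set_header "X-Forwarded-Proto" $scheme;
            # need to tell nginx to pass proxy servers `Server` header back to client
            # instead of adding its own (like `nginx/1.21.1`).
            # trade-off: whatever the upstream puts in `Server` (often a product
            # and version) is exposed to the client verbatim
            proxy_pass_header "Server";
        }

        # custom HTTP error pages
        # NOTE: with only `location /` these URIs are proxied to the upstream as
        # well, so the 502/503/504 page can never be served while the upstream
        # is down. Serve them from disk instead, e.g.:
        # location = "/50x.html" { root "/path/to/error_pages"; internal; }
        error_page 400 "/400.html";
        error_page 500 502 503 504 "/50x.html";
    }

    # HTTP to HTTPS redirect server, all requests to port
    # 80 server will be redirected to port 443 server above
    server {
        listen 80;
        listen [::]:80;
        # hostnames to be handled by this server
        server_name "localhost" ".example.com";
        # reason for the redirect to happen (informational only; clients do not act on it)
        add_header "Non-Authoritative-Reason" "HSTS";
        # $host comes from the client's Host header. Being the only server on
        # port 80 this block is also the default server and answers any Host,
        # so requests for unknown hosts are redirected to https://<that host>/...;
        # add a `default_server` block that returns 444 if that is unwanted
        return 301 "https://$host$request_uri";
    }
}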