Nginx Config
# Hardening as-per https://gist.github.com/plentz/6737338
# Hides the nginx version from the Server header and from default error pages.
server_tokens off;
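# Expires map: picks a cache policy from the response Content-Type. The result
# is consumed by `expires $expires;` (header.conf). `epoch` sends an Expires of
# 1970 plus "Cache-Control: no-cache"; `max` sends a far-future Expires with a
# 10-year max-age.
#
# Fix: the entries were exact literals (`text/html`, `text/css`, ...), and an
# exact key never matches a Content-Type that carries parameters such as
# "text/html; charset=utf-8" — the form most application servers emit — so those
# responses silently fell through to `default off`. Anchored, case-insensitive
# regexes match the media type regardless of any trailing parameters.
map $sent_http_content_type $expires {
    default                                 off;
    # HTML: always revalidate
    ~*^text/html                            epoch;
    # Static assets: cache as long as the client allows
    ~*^text/css                             max;
    ~*^(application|text)/(x-)?javascript   max;
    ~image/                                 max;
}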
# Catch-all for port-80 requests whose Host matches no other server_name:
# everything is refused except the /.well-known/ tree.
# NOTE(review): none of the files shown here declares a default_server for 443,
# so an unmatched Host/SNI on 443 is handled by whichever 443 server nginx
# lists first — confirm that is intended.
server {
    listen      80 default_server;
    server_name _;

    # Refuse everything by default
    location / {
        return 403;
    }

    # /.well-known/* is served from disk (/var/www/.well-known/…), e.g. ACME files
    location /.well-known/ {
        root /var/www/;
    }
}
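# header.conf — security response headers. In these configs it is included at
# server level of the 443 server only.
#
# Fix: `always` makes nginx emit these headers on every response status.
# Without it add_header applies only to 2xx/3xx responses, so the 403s from
# restrictions.conf and any upstream 4xx/5xx were sent without them.
# nginx inheritance caveat: a `location` that sets its own add_header discards
# all of these, so such a location must repeat them.
add_header X-Frame-Options           DENY always;
add_header X-Content-Type-Options    nosniff always;
# Legacy header; current browsers ignore it. Value kept as authored.
add_header X-XSS-Protection          "1; mode=block" always;
add_header X-Robots-Tag              all always;
# HSTS: two years, all subdomains, preload-eligible. Preload is hard to undo,
# so this is only appropriate once every subdomain is served over TLS.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
add_header 'Referrer-Policy'         'no-referrer-when-downgrade' always;

# Cache policy taken from the $expires map (keyed on upstream Content-Type)
expires $expires;
# Logs rewrite processing at notice level — useful while debugging, noisy in production
rewrite_log on;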
# letsencrypt.conf — ACME HTTP-01 challenge path, included in every vhost that
# needs certificate issuance/renewal. `^~` stops regex location matching, so
# this path is always served from disk rather than being proxied or denied.
location ^~ /.well-known/acme-challenge/ {
    root         /var/www;
    default_type "text/plain";
}
# Port-80 vhost for the MQ hostname: serves ACME challenges, applies the
# restrictions rules, and sends everything else to the web hostname over HTTPS.
server {
    listen      80;
    server_name <mq-dns-name>;

    include /etc/nginx/includes/letsencrypt.conf;
    include /etc/nginx/includes/restrictions.conf;

    # As authored the redirect drops the request path and lands on the site root
    location / {
        return 301 https://<web-dns-name>;
    }
}
# Redirect http traffic for www to https
server {
    listen      80;
    server_name <web-dns-name>;

    # ACME challenges must stay reachable over plain HTTP for renewals
    include /etc/nginx/includes/letsencrypt.conf;

    location / {
        # $server_name (rather than $host) pins the redirect target to this
        # vhost's own name, so a client-supplied Host cannot steer the redirect
        return 301 https://$server_name$request_uri;
    }
}
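# Express App — TLS front end proxying to the "red" container on :3000
server {
    listen      443 ssl http2;
    listen      [::]:443 ssl http2;
    server_name <web-dns-name>;

    # Docker's embedded DNS. Required for the variable proxy_pass below and for
    # OCSP stapling (ssl-params.conf) to fetch responder replies.
    resolver 127.0.0.11 ipv6=off;

    include /etc/nginx/includes/header.conf;
    include /etc/nginx/includes/ssl-params.conf;
    include /etc/nginx/includes/letsencrypt.conf;
    # Fix: was the prefix-relative `includes/restrictions.conf`; the absolute
    # path matches the other includes (and the port-80 server for the MQ host)
    # so the resolved file no longer depends on the nginx prefix.
    include /etc/nginx/includes/restrictions.conf;

    ssl_certificate         /etc/nginx/ssl/live/<web-dns-name>/fullchain.pem;
    ssl_certificate_key     /etc/nginx/ssl/live/<web-dns-name>/privkey.pem;
    # Chain used by ssl_stapling_verify to validate stapled OCSP responses
    ssl_trusted_certificate /etc/nginx/ssl/live/<web-dns-name>/fullchain.pem;

    location / {
        # Keeping the upstream host in a variable makes nginx resolve it per
        # request through the resolver above, so the config loads even when the
        # container is not yet up.
        set $backend_express "red";
        proxy_pass http://$backend_express:3000;
        proxy_connect_timeout 1;

        proxy_set_header X-NginX-Proxy     true;
        # X-Real-IP is set by nginx alone; X-Forwarded-For appends to whatever
        # the client sent, so the app should trust X-Real-IP for the client address
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Ssl   on;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;
        # NOTE(review): Host is not forwarded (the line below is commented out),
        # so the upstream sees the proxy_pass host ("red:3000") as Host — confirm
        # the app does not build absolute URLs from it.
        #proxy_ssl_session_reuse off;
        #proxy_set_header Host $http_host;
        #proxy_cache_bypass $http_upgrade;
        #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #proxy_set_header X-Forwarded-For $remote_addr;
    }

    # No effect on proxied requests; left as authored
    index index.js;
}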
# Global restrictions configuration file.
# Designed to be included in any server {} block.

# favicon / robots noise suppression — disabled as authored
# location = /favicon.ico {
#     log_not_found off;
#     access_log    off;
# }
# location = /robots.txt {
#     allow         all;
#     log_not_found off;
#     access_log    off;
# }

# Deny all attempts to access hidden files such as .htaccess, .htpasswd but
# leave .well-known working for letsencrypt. Regex locations take precedence
# over the prefix `location /`, so dotfile requests never reach the upstream.
# NOTE(review): `access_log off` here also hides probes for paths like /.env
# or /.git from the access log; keep logging if those feed fail2ban-style tooling.
location ~* /\.(?!well-known\/) {
    deny          all;
    access_log    off;
    log_not_found off;
}

# Deny access to any files with a .php extension in the uploads directory
# Works in sub-directory installs and also in multisite network
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~* /(?:uploads|files)/.*\.php$ {
    deny all;
}
# Hide Apple Touch Icon missing logs. These are exact-match locations, so they
# bypass the regex rules above; they carry no proxy_pass, so nginx answers them
# itself from the default root instead of forwarding them to the upstream.
location = /apple-touch-icon.png {
    access_log    off;
    log_not_found off;
}
location = /apple-touch-icon-precomposed.png {
    access_log    off;
    log_not_found off;
}
location = /apple-touch-icon-152x152.png {
    access_log    off;
    log_not_found off;
}
location = /apple-touch-icon-152x152-precomposed.png {
    access_log    off;
    log_not_found off;
}
# ssl-params.conf — shared TLS settings, included from the 443 server.
# Certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
# Ciphers here: https://cipherli.st/

# Protocols and key exchange.
# NOTE(review): TLSv1.2 only — TLSv1.3 can be added once the nginx/OpenSSL
# build is known to support it. A single curve (secp384r1) also excludes
# X25519; confirm that is intended.
ssl_protocols             TLSv1.2;
ssl_ecdh_curve            secp384r1;
# Only used by DHE suites; none appear in ssl_ciphers below, so this is
# presumably unused as configured.
ssl_dhparam               /etc/nginx/ssl/dhparams.pem;

# ECDHE-only suites (forward secrecy). The last four are CBC suites, kept as
# authored for older-client compatibility.
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;

# Session resumption via the server-side cache only; tickets are off because a
# long-lived ticket key would weaken forward secrecy.
ssl_session_cache         shared:SSL:50m;
ssl_session_timeout       10m;
ssl_session_tickets       off;

# OCSP Stapling --- requires a `resolver` and ssl_trusted_certificate in the
# including server block.
ssl_stapling              on;
ssl_stapling_verify       on;