Default NGINX Configurations
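# php-fpm handler for HTTPS server blocks (included via /etc/nginx/https-fpm.incl).
location ~ \.php$ {
    # Refuse requests whose script does not exist on disk before they reach
    # php-fpm. Without this check nginx forwards any path ending in .php, and
    # PHP's default cgi.fix_pathinfo resolves a request such as
    # /uploads/avatar.jpg/x.php to the nearest existing file, executing
    # user-uploaded content as PHP.
    try_files $uri =404;
    include /etc/nginx/fastcgi_params;
    # Note: this location only matches URIs ending in .php, so the trailing
    # (/.+) group can never match here and $fastcgi_path_info stays empty; the
    # directive is kept for configurations that widen the location regex.
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
    # Hard-coded rather than derived from $https: this include must only be
    # used from TLS server blocks, or PHP will treat plain-HTTP requests as secure.
    fastcgi_param HTTPS true;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
}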
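##
# Process settings
##
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

##
# Extra nginx dynamic modules injection
##
# The ModSecurity connector enabled further down (modsecurity on;) needs its
# module loaded, either here or through a file under modules-enabled/.
#load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;

##
# nginx Core Configurations
##
events {
    worker_connections 1024;
    multi_accept on;
}

http {
    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    types_hash_max_size 16384;
    # Hide the nginx version in the Server header and on error pages.
    server_tokens off;
    server_names_hash_bucket_size 128;
    server_name_in_redirect off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    client_max_body_size 100m;

    ##
    # Cloudflare visitor IP restoration
    ##
    # Only connections arriving from these source ranges may replace
    # $remote_addr with the CF-Connecting-IP value; the header is ignored from
    # any other source. Keep the list in sync with Cloudflare's published
    # ranges (https://www.cloudflare.com/ips/): a stale list means requests
    # from newer edge addresses are logged and rate-limited under the edge IP.
    set_real_ip_from 103.21.244.0/22;
    set_real_ip_from 103.22.200.0/22;
    set_real_ip_from 103.31.4.0/22;
    set_real_ip_from 104.16.0.0/12;
    set_real_ip_from 108.162.192.0/18;
    set_real_ip_from 131.0.72.0/22;
    set_real_ip_from 141.101.64.0/18;
    set_real_ip_from 162.158.0.0/15;
    set_real_ip_from 172.64.0.0/13;
    set_real_ip_from 173.245.48.0/20;
    set_real_ip_from 188.114.96.0/20;
    set_real_ip_from 190.93.240.0/20;
    set_real_ip_from 197.234.240.0/22;
    set_real_ip_from 198.41.128.0/17;
    set_real_ip_from 2400:cb00::/32;
    set_real_ip_from 2606:4700::/32;
    set_real_ip_from 2803:f800::/32;
    set_real_ip_from 2405:b500::/32;
    set_real_ip_from 2405:8100::/32;
    set_real_ip_from 2c0f:f248::/32;
    set_real_ip_from 2a06:98c0::/29;
    real_ip_header CF-Connecting-IP;

    ##
    # SSL Settings
    ##
    ssl_protocols TLSv1.3;
    # No ticket keys to rotate; resumption relies on the session cache below.
    ssl_session_tickets off;
    # Only consulted for TLS 1.2 DHE key exchange, so it is not expected to be
    # exercised while ssl_protocols is TLSv1.3 only.
    ssl_dhparam /etc/nginx/dhparam.pem;
    # SSL cipher suite configuration
    # ssl_ciphers governs TLS 1.2 and earlier; TLS 1.3 suites are not selected
    # by this directive, so the list is inert unless ssl_protocols is widened.
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
    # A single key-exchange group: clients that lack P-384 (or only offer
    # X25519) cannot complete the handshake. Widen if compatibility matters.
    ssl_ecdh_curve secp384r1;
    ssl_prefer_server_ciphers on;
    # OCSP stapling (experimental)
    # Stapling only has an effect if the certificate issuer publishes an OCSP
    # responder; otherwise nginx logs a warning and serves without a staple.
    ssl_stapling on;
    ssl_stapling_verify on;
    # Public resolver used for OCSP responder lookups (plain DNS, not encrypted).
    resolver 1.1.1.1 1.0.0.1 valid=300s;
    resolver_timeout 5;
    # Cloudflare Authenticated Origin Pull
    # ssl_verify_client on at http level applies to every TLS server block
    # below, including the catch-all: a client certificate chaining to
    # origin-pull-ca.pem is required, so direct-to-origin connections that
    # bypass Cloudflare are rejected during the handshake.
    ssl_trusted_certificate /etc/nginx/origin_ca_ecc_root.pem;
    ssl_client_certificate /etc/nginx/origin-pull-ca.pem;
    ssl_verify_client on;
    # SSL session cache (experimental)
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    keepalive_timeout 70;

    # Extra HTTP headers for security considerations
    # add_header is not merged across contexts: any add_header inside a server
    # or location block replaces this entire set, so repeat all of them there
    # if one is added. Without the "always" parameter these headers are only
    # attached to 2xx/3xx responses, not to error pages.
    # The CSP still permits 'unsafe-inline' and 'unsafe-eval' for scripts,
    # which leaves most XSS protection to the application; tighten per site.
    add_header Content-Security-Policy "default-src https:; script-src https: 'unsafe-inline' 'unsafe-eval' blob:; frame-src https: data:; style-src https: 'unsafe-inline'; img-src https: data: blob:; media-src https: data: blob:; font-src https: data:; connect-src https: wss:; child-src https: blob:; object-src 'none'";
    add_header Permissions-Policy "interest-cohort=()";
    add_header Referrer-Policy "no-referrer";
    # Two years, subdomains included; only submit for preload once every
    # subdomain is served over HTTPS, since removal from the list is slow.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Content-Type-Options "nosniff";
    add_header X-Frame-Options "SAMEORIGIN";
    # Legacy header; current browsers ignore it and rely on the CSP above.
    add_header X-XSS-Protection "1; mode=block";

    ##
    # nginx-specific ModSecurity Connector
    ##
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;

    ##
    # Logging Settings
    ##
    # $remote_addr in the default log format already reflects the visitor IP
    # restored by the realip settings above.
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##
    # Enabled globally, including over TLS. Compressing dynamic responses that
    # echo request-controlled input next to secrets exposes them to
    # compression side channels (BREACH); consider restricting gzip to static
    # content types on sites that serve such pages.
    gzip on;

    ##
    # Default catch-all host
    ##
    # Marked default_server explicitly so a server block added later under
    # conf.d/ or sites-enabled/ cannot silently become the default for unknown
    # Host names. The TLS handshake (including client-certificate checks)
    # completes before the 501 is returned, so the certificate paths must be
    # valid for the block to load.
    # The http2 listen parameter is deprecated in recent nginx releases in
    # favour of the "http2 on;" directive; keep whichever the installed
    # version supports.
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;
        server_name _;
        # SSL Certificate configuration
        ssl_certificate /path/to/certificate.pem;
        ssl_certificate_key /path/to/certificate.key;
        return 501;
    }

    ##
    # Example PHP website configuration
    ##
    # Default server rule for plain HTTP transport.
    # Ensures HTTPS-only traffic by redirecting everything to the TLS host.
    server {
        listen 80;        # IPv4 on all interfaces
        listen [::]:80;   # IPv6 on all interfaces
        server_name example.org;
        return 301 https://example.org$request_uri;
    }

    # Main configuration for the HTTPS site
    server {
        listen 443 ssl http2;       # IPv4 with HTTP/2 on all interfaces
        listen [::]:443 ssl http2;  # IPv6 with HTTP/2 on all interfaces
        server_name example.org;    # FQDN for the site
        # SSL Certificate configuration
        ssl_certificate /path/to/fullchain.pem;
        ssl_certificate_key /path/to/privkey.pem;
        root /path/to/script;                   # Path to the script directory
        index index.php index.html index.htm;   # Index filenames
        include /etc/nginx/https-fpm.incl;      # HTTPS php-fpm include
    }

    ##
    # Virtual sites and additional configurations
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}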