From 5b5f53564f1821a9148a197ec309735390ae7f7d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?=
Date: Tue, 18 May 2021 19:40:03 +0200
Subject: [PATCH] nginx: add more snippets, some placeholders

---
 .../nginx/files/snippets/block-exploits.conf | 25 +++++++++++++++++++
 roles/nginx/files/snippets/cache-assets.conf | 8 +++++-
 roles/nginx/files/snippets/gzip.conf | 10 ++++++++
 roles/nginx/files/snippets/ssl-ciphers.conf | 20 ++++++++++++++-
 4 files changed, 61 insertions(+), 2 deletions(-)
 create mode 100644 roles/nginx/files/snippets/gzip.conf

diff --git a/roles/nginx/files/snippets/block-exploits.conf b/roles/nginx/files/snippets/block-exploits.conf
index 093bda2..0eaa4bb 100644
--- a/roles/nginx/files/snippets/block-exploits.conf
+++ b/roles/nginx/files/snippets/block-exploits.conf
@@ -134,3 +134,28 @@ if ($http_user_agent ~ "GrabNet") {
 if ($block_user_agents = 1) {
 return 403;
 }
+
+# # read more here http://tautt.com/best-nginx-configuration-for-security/
+
+# # don't send the nginx version number in error pages and Server header
+# server_tokens off;
+
+# # config to don't allow the browser to render the page inside an frame or iframe
+# # and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
+# # if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
+# # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
+# add_header X-Frame-Options SAMEORIGIN;
+
+# # when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
+# # to disable content-type sniffing on some browsers.
+# # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
+# # currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
+# # http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
+# # 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
+# add_header X-Content-Type-Options nosniff;
+
+# # This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
+# # It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
+# # this particular website if it was disabled by the user.
+# # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
+# add_header X-XSS-Protection "1; mode=block";
diff --git a/roles/nginx/files/snippets/cache-assets.conf b/roles/nginx/files/snippets/cache-assets.conf
index 07305fa..c12b0e2 100644
--- a/roles/nginx/files/snippets/cache-assets.conf
+++ b/roles/nginx/files/snippets/cache-assets.conf
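Review bot: The commented `add_header` placeholders at the end of the hunk will, if enabled as written, never be sent on the `return 403;` responses this same snippet produces, because `add_header` without `always` is only applied to 2xx/3xx status codes, and they also silently disappear in any `server`/`location` that declares its own `add_header`, since nginx only inherits the header set when the current level has none. I would write the placeholders as `add_header X-Frame-Options SAMEORIGIN always;`, `add_header X-Content-Type-Options nosniff always;` and `add_header X-XSS-Protection "0" always;` — the browser XSS auditor that the `1; mode=block` comment describes has been removed from Chromium and never existed in Firefox, and `0` is the value current OWASP guidance recommends. The `ALLOW-FROM uri` variant mentioned in the X-Frame-Options comment is likewise no longer honoured by current browsers; a `Content-Security-Policy: frame-ancestors` header is the portable way to allow-list framing, which the comment should say instead. The config context this snippet is included from (and therefore which level the headers land on) is outside the hunk.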
@@ -28,4 +28,10 @@ location ~* ^.*\.(css|js|jpe?g|gif|png|woff|eot|ttf|svg|ico|css\.map|js\.map)$ {
 access_log off;
 include conf.d/include/proxy.conf;
-}
\ No newline at end of file
+}
+
+# location ~* \.(?:ico|css|js|gif|jpe?g|png|svg|eot|ttf|woff|woff2)$ {
+# expires 30d;
+# add_header Pragma public;
+# add_header Cache-Control "public";
+# }
\ No newline at end of file
diff --git a/roles/nginx/files/snippets/gzip.conf b/roles/nginx/files/snippets/gzip.conf
new file mode 100644
index 0000000..b925765
--- /dev/null
+++ b/roles/nginx/files/snippets/gzip.conf
@@ -0,0 +1,10 @@
+gzip on;
+gzip_disable "msie6";
+
+gzip_vary on;
+gzip_proxied any;
+gzip_comp_level 6;
+gzip_buffers 16 8k;
+gzip_http_version 1.1;
+gzip_min_length 256;
+gzip_types application/javascript text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml image/x-icon;
diff --git a/roles/nginx/files/snippets/ssl-ciphers.conf b/roles/nginx/files/snippets/ssl-ciphers.conf
index e9bae0c..27490cb 100644
--- a/roles/nginx/files/snippets/ssl-ciphers.conf
+++ b/roles/nginx/files/snippets/ssl-ciphers.conf
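Review bot: The commented-out `location ~* \.(?:ico|...|woff2)$` placeholder overlaps the regex location this hunk sits in (whose opening line is visible only in the `@@` header, outside the hunk), and nginx uses the first matching regex location in file order, so uncommented below the existing block it would only ever match `woff2` — the one extension the existing pattern lacks — and those requests would then lose `access_log off;` and the `proxy.conf` include. The cleaner form is to fold it into the existing block: change `woff|eot` to `woff2?|eot` in the existing pattern and add `expires 30d;` plus `add_header Cache-Control "public" always;` there. `Pragma` is a request-side HTTP/1.0 header, so `add_header Pragma public;` has no defined meaning in a response and can be dropped. Note also that `add_header` appends rather than replaces, so a proxied upstream that emits its own `Cache-Control` would produce two conflicting values — worth a one-line comment if that is intended.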
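Review bot: `gzip_types` in the new gzip.conf includes dynamic response types (`text/plain`, `application/json`, `text/xml`, `application/xml`, `application/xml+rss`) and `gzip_proxied any` compresses every proxied response regardless of its cache headers, which is the combination that exposes a TLS site to BREACH: a compressed response that reflects attacker-influenced input next to a secret (CSRF token, session identifier) leaks that secret through the response length. Given the sibling cache-assets.conf proxies static assets, I would either restrict this snippet to static types or document the trade-off at the top of the file, e.g. `# NOTE: JSON/XML/plain responses are compressed too; disable gzip in any location that reflects user input next to secrets (BREACH).` The file also has no header comment saying which context it is meant to be included in (`http` vs `server`/`location`); since `gzip_*` directives at a lower level shadow the global ones, a one-line comment naming the intended context would prevent surprises.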
@@ -6,4 +6,22 @@ ssl_protocols TLSv1.2 TLSv1.3;
 ssl_ciphers 'EECDH+AESGCM:AES256+EECDH:AES256+EDH:EDH+AESGCM:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE- ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AE S128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES';
-ssl_prefer_server_ciphers on;
\ No newline at end of file
+ssl_prefer_server_ciphers on;
+
+# # from https://mozilla.github.io/server-side-tls/ssl-config-generator/
+
+# ssl_session_timeout 1d;
+# ssl_session_tickets off;
+
+# # modern configuration. tweak to your needs.
+# ssl_protocols TLSv1.2;
+# ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+# ssl_prefer_server_ciphers on;
+
+# # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+# add_header Strict-Transport-Security max-age=15768000;
+
+# # OCSP Stapling ---
+# # fetch OCSP records from URL in ssl_certificate and cache them
+# ssl_stapling on;
+# ssl_stapling_verify on;
\ No newline at end of file
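Review bot: The placeholder HSTS and OCSP lines in the second half of the hunk are incomplete as written: `add_header Strict-Transport-Security max-age=15768000;` is dropped on error responses and on any level with its own `add_header` unless it carries `always`, and usually wants `includeSubDomains` (`add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;`), while `ssl_stapling_verify on;` only works when `ssl_trusted_certificate` points at the issuer chain and a `resolver` is configured so nginx can reach the OCSP responder — neither appears in the snippet. The `# # modern configuration` block also appears to be an older revision of the linked Mozilla generator's output: the CBC `ECDHE-*-AES*-SHA256`/`-SHA384` suites it lists are no longer in the generator's profiles, and the current modern profile is TLS 1.3-only with `ssl_prefer_server_ciphers off;`, so the comment should record the generator version and profile it was copied from before anyone uncomments it. The live `ssl_ciphers` context line is pre-existing and not changed here, but it still ends in a bare `AES` alias and non-forward-secret `AES128-SHA`/`AES256-SHA` suites that the commented list would remove, which is worth reconciling in a follow-up. `ssl_session_tickets off;` is a sound forward-secrecy default and can stay.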