nginx: add more snippets, some placeholders

roles/nginx/files/snippets/block-exploits.conf

@@ -134,3 +134,28 @@ if ($http_user_agent ~ "GrabNet") {
 if ($block_user_agents = 1) {
 	return 403;
 }
+
+# # read more here http://tautt.com/best-nginx-configuration-for-security/
+
+# # don't send the nginx version number in error pages and Server header
+# server_tokens off;
+
+# # config to don't allow the browser to render the page inside an frame or iframe
+# # and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
+# # if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
+# # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
+# add_header X-Frame-Options SAMEORIGIN;
+
+# # when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
+# # to disable content-type sniffing on some browsers.
+# # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
+# # currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
+# # http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
+# # 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
+# add_header X-Content-Type-Options nosniff;
+
+# # This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
+# # It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
+# # this particular website if it was disabled by the user.
+# # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
+# add_header X-XSS-Protection "1; mode=block";

roles/nginx/files/snippets/cache-assets.conf

@@ -29,3 +29,9 @@ location ~* ^.*\.(css|js|jpe?g|gif|png|woff|eot|ttf|svg|ico|css\.map|js\.map)$ {
 
 	include conf.d/include/proxy.conf;
 }
+
+# location ~* \.(?:ico|css|js|gif|jpe?g|png|svg|eot|ttf|woff|woff2)$ {
+#   expires 30d;
+#   add_header Pragma public;
+#   add_header Cache-Control "public";
+# }

roles/nginx/files/snippets/gzip.conf

@@ -0,0 +1,10 @@
+gzip on;
+gzip_disable "msie6";
+
+gzip_vary on;
+gzip_proxied any;
+gzip_comp_level 6;
+gzip_buffers 16 8k;
+gzip_http_version 1.1;
+gzip_min_length 256;
+gzip_types application/javascript text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml image/x-icon;

roles/nginx/files/snippets/ssl-ciphers.conf

@@ -7,3 +7,21 @@ ssl_ciphers 'EECDH+AESGCM:AES256+EECDH:AES256+EDH:EDH+AESGCM:ECDHE-RSA-AES256-GC
 ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AE
 S128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES';
 ssl_prefer_server_ciphers on;
+
+# # from https://mozilla.github.io/server-side-tls/ssl-config-generator/
+
+# ssl_session_timeout 1d;
+# ssl_session_tickets off;
+
+# # modern configuration. tweak to your needs.
+# ssl_protocols TLSv1.2;
+# ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+# ssl_prefer_server_ciphers on;
+
+# # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+# add_header Strict-Transport-Security max-age=15768000;
+
+# # OCSP Stapling ---
+# # fetch OCSP records from URL in ssl_certificate and cache them
+# ssl_stapling on;
+# ssl_stapling_verify on;