nginx: add more snippets, some placeholders

This commit is contained in:
Lukáš Kucharczyk 2021-05-18 19:40:03 +02:00
parent c79009e541
commit 5b5f53564f
No known key found for this signature in database
GPG Key ID: 65524498C0196B64
4 changed files with 61 additions and 2 deletions

View File

@ -134,3 +134,28 @@ if ($http_user_agent ~ "GrabNet") {
if ($block_user_agents = 1) { if ($block_user_agents = 1) {
return 403; return 403;
} }
# # read more here http://tautt.com/best-nginx-configuration-for-security/
# # don't send the nginx version number in error pages and Server header
# server_tokens off;
# # config to don't allow the browser to render the page inside an frame or iframe
# # and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
# # if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
# # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
# add_header X-Frame-Options SAMEORIGIN;
# # when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
# # to disable content-type sniffing on some browsers.
# # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
# # currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
# # http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
# # 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
# add_header X-Content-Type-Options nosniff;
# # This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
# # It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
# # this particular website if it was disabled by the user.
# # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
# add_header X-XSS-Protection "1; mode=block";

View File

@ -29,3 +29,9 @@ location ~* ^.*\.(css|js|jpe?g|gif|png|woff|eot|ttf|svg|ico|css\.map|js\.map)$ {
include conf.d/include/proxy.conf; include conf.d/include/proxy.conf;
} }
# location ~* \.(?:ico|css|js|gif|jpe?g|png|svg|eot|ttf|woff|woff2)$ {
# expires 30d;
# add_header Pragma public;
# add_header Cache-Control "public";
# }

View File

@ -0,0 +1,10 @@
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_min_length 256;
gzip_types application/javascript text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml image/x-icon;

View File

@ -7,3 +7,21 @@ ssl_ciphers 'EECDH+AESGCM:AES256+EECDH:AES256+EDH:EDH+AESGCM:ECDHE-RSA-AES256-GC
ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AE ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AE
S128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES'; S128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES';
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
# # from https://mozilla.github.io/server-side-tls/ssl-config-generator/
# ssl_session_timeout 1d;
# ssl_session_tickets off;
# # modern configuration. tweak to your needs.
# ssl_protocols TLSv1.2;
# ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
# ssl_prefer_server_ciphers on;
# # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
# add_header Strict-Transport-Security max-age=15768000;
# # OCSP Stapling ---
# # fetch OCSP records from URL in ssl_certificate and cache them
# ssl_stapling on;
# ssl_stapling_verify on;