nginx: add more snippets, some placeholders
This commit is contained in:
parent
c79009e541
commit
5b5f53564f
|
@ -134,3 +134,28 @@ if ($http_user_agent ~ "GrabNet") {
|
||||||
if ($block_user_agents = 1) {
|
if ($block_user_agents = 1) {
|
||||||
return 403;
|
return 403;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# # read more here http://tautt.com/best-nginx-configuration-for-security/
|
||||||
|
|
||||||
|
# # don't send the nginx version number in error pages and Server header
|
||||||
|
# server_tokens off;
|
||||||
|
|
||||||
|
# # config to don't allow the browser to render the page inside an frame or iframe
|
||||||
|
# # and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
|
||||||
|
# # if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
|
||||||
|
# # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
|
||||||
|
# add_header X-Frame-Options SAMEORIGIN;
|
||||||
|
|
||||||
|
# # when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
|
||||||
|
# # to disable content-type sniffing on some browsers.
|
||||||
|
# # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
|
||||||
|
# # currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
|
||||||
|
# # http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
|
||||||
|
# # 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
|
||||||
|
# add_header X-Content-Type-Options nosniff;
|
||||||
|
|
||||||
|
# # This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
|
||||||
|
# # It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
|
||||||
|
# # this particular website if it was disabled by the user.
|
||||||
|
# # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
|
||||||
|
# add_header X-XSS-Protection "1; mode=block";
|
||||||
|
|
|
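Review bot: The `X-XSS-Protection "1; mode=block"` placeholder at the end of this hunk should not be carried forward: the browser XSS auditor it controls has been removed from Chromium-based browsers and was never implemented in Firefox, and while it existed it was itself abused as a cross-site information-leak oracle, so current guidance is to omit the header (or send `X-XSS-Protection: 0`) and rely on Content-Security-Policy instead. The `ALLOW-FROM uri` hint for X-Frame-Options is in the same position — it was only ever honored by IE and old Firefox; the portable equivalent is `add_header Content-Security-Policy "frame-ancestors 'self'";`. An nginx-specific caveat worth a comment next to these snippets: `add_header` directives are inherited from the server level only when a location defines none of its own, so any location that sets e.g. Cache-Control silently drops every security header defined here unless they are repeated or pulled in with `include`. Also consider the `always` parameter so the headers are sent on 4xx/5xx responses too, e.g. `add_header X-Content-Type-Options nosniff always;`.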
@ -28,4 +28,10 @@ location ~* ^.*\.(css|js|jpe?g|gif|png|woff|eot|ttf|svg|ico|css\.map|js\.map)$ {
|
||||||
access_log off;
|
access_log off;
|
||||||
|
|
||||||
include conf.d/include/proxy.conf;
|
include conf.d/include/proxy.conf;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# location ~* \.(?:ico|css|js|gif|jpe?g|png|svg|eot|ttf|woff|woff2)$ {
|
||||||
|
# expires 30d;
|
||||||
|
# add_header Pragma public;
|
||||||
|
# add_header Cache-Control "public";
|
||||||
|
# }
|
|
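Review bot: The `add_header Pragma public;` line in the new commented block is not a meaningful response directive — `Pragma` is an HTTP/1.0 request header whose only defined value is `no-cache` — so when this block is enabled it should be replaced by an explicit `add_header Cache-Control "public, max-age=2592000";` (which also makes `expires 30d` redundant). More importantly, once this location carries its own `add_header`, nginx stops inheriting server-level `add_header` lines, so security headers defined elsewhere (X-Frame-Options, X-Content-Type-Options, HSTS) would silently disappear on every static asset; repeat them here or `include` a shared headers snippet and say so in a comment above the block. Separately, the live location just above matches `css\.map` and `js\.map` with `access_log off`, so source-map requests are proxied upstream without leaving a trace in the access log — worth confirming that exposing maps is intended, and noting that the new regex omits them, so the two patterns will diverge if both are kept.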
@ -0,0 +1,10 @@
|
||||||
|
gzip on;
|
||||||
|
gzip_disable "msie6";
|
||||||
|
|
||||||
|
gzip_vary on;
|
||||||
|
gzip_proxied any;
|
||||||
|
gzip_comp_level 6;
|
||||||
|
gzip_buffers 16 8k;
|
||||||
|
gzip_http_version 1.1;
|
||||||
|
gzip_min_length 256;
|
||||||
|
gzip_types application/javascript text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml image/x-icon;
|
|
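Review bot: `gzip_proxied any` combined with `application/json` in `gzip_types` (and `text/html`, which nginx always compresses) means dynamic, authenticated responses from the upstream are compressed over TLS, which is the precondition for BREACH-style compression side channels whenever a response reflects attacker-controlled input alongside a secret such as a CSRF token. If the upstream serves such pages, either scope this snippet to the static-asset location, drop `application/json` from the list, or record above `gzip_proxied any;` that the application masks its tokens per request, e.g. `# dynamic responses are compressed; app must mask CSRF tokens (BREACH)`. Minor: `gzip_disable "msie6"` and `gzip_http_version 1.1` are harmless but historical, and `application/x-javascript` / `text/javascript` are redundant next to `application/javascript` unless the upstream still emits the legacy MIME types.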
@ -6,4 +6,22 @@ ssl_protocols TLSv1.2 TLSv1.3;
|
||||||
ssl_ciphers 'EECDH+AESGCM:AES256+EECDH:AES256+EDH:EDH+AESGCM:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-
|
ssl_ciphers 'EECDH+AESGCM:AES256+EECDH:AES256+EDH:EDH+AESGCM:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-
|
||||||
ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AE
|
ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AE
|
||||||
S128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES';
|
S128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES';
|
||||||
ssl_prefer_server_ciphers on;
|
ssl_prefer_server_ciphers on;
|
||||||
|
|
||||||
|
# # from https://mozilla.github.io/server-side-tls/ssl-config-generator/
|
||||||
|
|
||||||
|
# ssl_session_timeout 1d;
|
||||||
|
# ssl_session_tickets off;
|
||||||
|
|
||||||
|
# # modern configuration. tweak to your needs.
|
||||||
|
# ssl_protocols TLSv1.2;
|
||||||
|
# ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
|
||||||
|
# ssl_prefer_server_ciphers on;
|
||||||
|
|
||||||
|
# # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
|
||||||
|
# add_header Strict-Transport-Security max-age=15768000;
|
||||||
|
|
||||||
|
# # OCSP Stapling ---
|
||||||
|
# # fetch OCSP records from URL in ssl_certificate and cache them
|
||||||
|
# ssl_stapling on;
|
||||||
|
# ssl_stapling_verify on;
|
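Review bot: The HSTS placeholder `add_header Strict-Transport-Security max-age=15768000;` lacks the `always` parameter, so nginx would omit it on 4xx/5xx responses, and it covers only the exact host; if subdomains are also served over TLS the form to keep is `add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;`, subject to the usual caveat that a location with its own `add_header` drops inherited ones. The OCSP stapling snippet is incomplete as written: `ssl_stapling_verify on` needs `ssl_trusted_certificate` pointing at the issuer chain, and fetching the responder needs a `resolver` directive, otherwise nginx cannot resolve the OCSP host and stapling effectively stays off with only an error-log warning. The commented "modern configuration" predates TLS 1.3 and is already behind the live `ssl_protocols TLSv1.2 TLSv1.3` context line, so when these placeholders are activated they should replace rather than sit beside the active `ssl_ciphers` list, which explicitly includes static-RSA suites (`AES128-SHA`, `AES256-SHA`) and ends with a bare `AES` alias that admits every remaining AES suite, offering none of the forward-secrecy properties of the Mozilla list next to it.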