167 lines
5.7 KiB
Text
167 lines
5.7 KiB
Text
|
# vim: ft=nginx
|
||
|
snippet l80
|
||
|
listen [::]:80 ipv6only=off;
|
||
|
$0
|
||
|
|
||
|
# Listen statements when using multiple http server blocks
|
||
|
snippet l80-multi
|
||
|
listen [::]:80 default_server;
|
||
|
listen 80 default_server;
|
||
|
$0
|
||
|
|
||
|
snippet l443
|
||
|
listen [::]:443 ipv6only=off ssl http2 default_server;
|
||
|
$0
|
||
|
|
||
|
# Listen statements when using multiple ssl server blocks
|
||
|
snippet l443-multi
|
||
|
listen [::]:443 ssl http2 default_server;
|
||
|
listen 443 ssl http2 default_server;
|
||
|
$0
|
||
|
|
||
|
# Cipher suites are taken and adapted from Mozilla's recommendations
|
||
|
# https://wiki.mozilla.org/Security/Server_Side_TLS
|
||
|
#
|
||
|
# Paranoid mode
|
||
|
snippet ciphers-paranoid
|
||
|
# Paranoid ciphers, 256bit minimum, prefer ChaCha20/ Poly1305, bad compatibility
|
||
|
# No Android 5+6 (4.4 works), Chrome < 51, Firefox < 49, IE < 11, Java 6-8, GoogleBot
|
||
|
ssl_protocols TLSv1.2;
|
||
|
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384';
|
||
|
$0
|
||
|
|
||
|
# Mozilla modern
|
||
|
snippet ciphers-modern
|
||
|
# High-security ciphers (elliptic curves), less compatibility
|
||
|
# No IE < 10, OpenSSL-0.9.8, Safari < 7, Android < 4.4
|
||
|
ssl_protocols TLSv1.1 TLSv1.2;
|
||
|
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
|
||
|
$0
|
||
|
|
||
|
# Mozilla intermediate (Removed DES for more security)
|
||
|
snippet ciphers-compat
|
||
|
# Medium-security ciphers with good compatibility (Weak: SHA)
|
||
|
# No IE on WinXP
|
||
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||
|
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS';
|
||
|
$0
|
||
|
|
||
|
# Mozilla old (Removed DSS, HIGH, SEED for more security)
|
||
|
snippet ciphers-low
|
||
|
# Low-security ciphers (Weak: DES, SHA)
|
||
|
# No IE6, Java6
|
||
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||
|
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:!SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!KRB5-DES-CBC3-SHA:!SRP:!DSS';
|
||
|
$0
|
||
|
|
||
|
snippet ssl-options
|
||
|
# SSL certificate
|
||
|
ssl_certificate /etc/nginx/certs/${4:www.example.com}.crt;
|
||
|
ssl_certificate_key /etc/nginx/certs/${5:www.example.com}.key;
|
||
|
# ssl_dhparam /etc/nginx/certs/dhparam.pem;
|
||
|
|
||
|
ssl_prefer_server_ciphers on;
|
||
|
ssl_stapling off;
|
||
|
ssl_stapling_verify off;
|
||
|
ssl_session_cache 'shared:SSL:10m';
|
||
|
ssl_session_tickets off;
|
||
|
|
||
|
# Enable HSTS (1 year) and some security options
|
||
|
add_header Strict-Transport-Security 'max-age=31536000 includeSubDomains; preload;';
|
||
|
$0
|
||
|
|
||
|
snippet security-headers
|
||
|
add_header X-Frame-Options 'DENY';
|
||
|
add_header X-Content-Type-Options 'nosniff';
|
||
|
add_header X-Frame-Options 'SAMEORIGIN';
|
||
|
add_header X-XSS-Protection '1; mode=block';
|
||
|
add_header X-Robots-Tag 'none';
|
||
|
add_header X-Download-Options 'noopen';
|
||
|
add_header X-Permitted-Cross-Domain-Policies 'none';
|
||
|
$0
|
||
|
|
||
|
snippet robots.txt
|
||
|
# Tell bots to not index this site
|
||
|
location /robots.txt {
|
||
|
default_type text/plain;
|
||
|
return 200 'User-agent: *\nDisallow: /\n';
|
||
|
}
|
||
|
$0
|
||
|
|
||
|
snippet basic-auth
|
||
|
auth_basic 'Restricted';
|
||
|
auth_basic_user_file ${1:/etc/nginx/htpasswd};
|
||
|
$0
|
||
|
|
||
|
snippet proxy_pass
|
||
|
proxy_pass_header Date;
|
||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||
|
proxy_set_header Host $host;
|
||
|
proxy_set_header X-Real-IP $remote_addr;
|
||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||
|
proxy_pass http://${1:backend};
|
||
|
$0
|
||
|
|
||
|
snippet php-fpm
|
||
|
location ~ \.php$ {
|
||
|
include fastcgi_params;
|
||
|
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||
|
fastcgi_index index.php;
|
||
|
fastcgi_intercept_errors on;
|
||
|
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
||
|
fastcgi_pass ${1:127.0.0.1:9000};
|
||
|
}
|
||
|
$0
|
||
|
|
||
|
snippet php-uwsgi
|
||
|
location ~ \.php$ {
|
||
|
include uwsgi_params;
|
||
|
uwsgi_max_temp_file_size 4096m;
|
||
|
uwsgi_modifier1 14;
|
||
|
uwsgi_read_timeout 900;
|
||
|
uwsgi_send_timeout 900;
|
||
|
uwsgi_pass ${1:unix:///run/uwsgi/php.sock};
|
||
|
}
|
||
|
$0
|
||
|
|
||
|
snippet redirect-ssl
|
||
|
location / {
|
||
|
return 301 https://$http_host$request_uri;
|
||
|
}
|
||
|
$0
|
||
|
|
||
|
snippet redirect-other
|
||
|
# Redirect other requested hosts
|
||
|
if ($host != '${1:DOMAIN}') {
|
||
|
return 301 https://${2:DOMAIN}$request_uri;
|
||
|
}
|
||
|
$0
|
||
|
|
||
|
snippet letsencrypt
|
||
|
listen [::]:80 ipv6only=off;
|
||
|
|
||
|
# Serve well-known path for letsencrypt
|
||
|
location /.well-known/acme-challenge {
|
||
|
root /etc/nginx/certs/acme;
|
||
|
default_type text/plain;
|
||
|
}
|
||
|
|
||
|
location / {
|
||
|
return 301 https://$http_host$request_uri;
|
||
|
}
|
||
|
$0
|
||
|
|
||
|
snippet cut-trailing-slash
|
||
|
rewrite ^/(.*)/$ $scheme://$http_host:$server_port/$1 permanent;
|
||
|
$0
|
||
|
|
||
|
snippet location
|
||
|
location ${1:/} {
|
||
|
${0:${VISUAL}}
|
||
|
}
|
||
|
|
||
|
snippet server
|
||
|
server {
|
||
|
${0:${VISUAL}}
|
||
|
}
|