# vim: ft=nginx snippet l80 listen [::]:80 ipv6only=off; $0 # Listen statements when using multiple http server blocks snippet l80-multi listen [::]:80 default_server; listen 80 default_server; $0 snippet l443 listen [::]:443 ipv6only=off ssl http2 default_server; $0 # Listen statements when using multiple ssl server blocks snippet l443-multi listen [::]:443 ssl http2 default_server; listen 443 ssl http2 default_server; $0 # Cipher suites are taken and adapted from Mozilla's recommendations # https://wiki.mozilla.org/Security/Server_Side_TLS # # Paranoid mode snippet ciphers-paranoid # Paranoid ciphers, 256bit minimum, prefer ChaCha20/ Poly1305, bad compatibility # No Android 5+6 (4.4 works), Chrome < 51, Firefox < 49, IE < 11, Java 6-8, GoogleBot ssl_protocols TLSv1.2; ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384'; $0 # Mozilla modern snippet ciphers-modern # High-security ciphers (elliptic curves), less compatibility # No IE < 10, OpenSSL-0.9.8, Safari < 7, Android < 4.4 ssl_protocols TLSv1.1 TLSv1.2; ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; $0 # Mozilla intermediate (Removed DES for more security) snippet ciphers-compat # Medium-security ciphers with good compatibility (Weak: SHA) # No IE on WinXP ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS'; $0 # Mozilla old (Removed DSS, HIGH, SEED for more security) snippet ciphers-low # Low-security ciphers (Weak: DES, SHA) # No IE6, Java6 ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:!SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!KRB5-DES-CBC3-SHA:!SRP:!DSS'; $0 snippet ssl-options # SSL certificate ssl_certificate /etc/nginx/certs/${4:www.example.com}.crt; ssl_certificate_key /etc/nginx/certs/${5:www.example.com}.key; # ssl_dhparam /etc/nginx/certs/dhparam.pem; ssl_prefer_server_ciphers on; ssl_stapling off; ssl_stapling_verify off; ssl_session_cache 'shared:SSL:10m'; ssl_session_tickets off; # Enable HSTS (1 year) and some security options add_header Strict-Transport-Security 'max-age=31536000 includeSubDomains; preload;'; $0 snippet security-headers add_header X-Frame-Options 'DENY'; add_header X-Content-Type-Options 'nosniff'; add_header X-Frame-Options 'SAMEORIGIN'; add_header X-XSS-Protection '1; mode=block'; add_header X-Robots-Tag 'none'; add_header X-Download-Options 'noopen'; add_header X-Permitted-Cross-Domain-Policies 'none'; $0 snippet robots.txt # Tell bots to not index this site location /robots.txt { default_type text/plain; return 200 'User-agent: *\nDisallow: /\n'; } $0 snippet basic-auth auth_basic 'Restricted'; auth_basic_user_file ${1:/etc/nginx/htpasswd}; $0 snippet proxy_pass proxy_pass_header Date; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_pass http://${1:backend}; $0 snippet php-fpm location ~ \.php$ { include fastcgi_params; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_index index.php; fastcgi_intercept_errors on; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_pass ${1:127.0.0.1:9000}; } $0 snippet php-uwsgi location ~ \.php$ { include uwsgi_params; uwsgi_max_temp_file_size 4096m; uwsgi_modifier1 14; uwsgi_read_timeout 900; uwsgi_send_timeout 900; uwsgi_pass ${1:unix:///run/uwsgi/php.sock}; } $0 snippet redirect-ssl location / { return 301 https://$http_host$request_uri; } $0 snippet redirect-other # Redirect other requested hosts if ($host != '${1:DOMAIN}') { return 301 https://${2:DOMAIN}$request_uri; } $0 snippet letsencrypt listen [::]:80 ipv6only=off; # Serve well-known path for letsencrypt location /.well-known/acme-challenge { root /etc/nginx/certs/acme; default_type text/plain; } location / { return 301 https://$http_host$request_uri; } $0 snippet cut-trailing-slash rewrite ^/(.*)/$ $scheme://$http_host:$server_port/$1 permanent; $0 snippet location location ${1:/} { ${0:${VISUAL}} } snippet server server { ${0:${VISUAL}} }