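# HTTPS vhost for www.name-of-website.tld (Joomla served through php-fpm).
# Placeholders (x.x.x.x/16, /path/to/..., name-of-website.tld) must be replaced
# before use. A separate server block that redirects port 80 to this vhost is
# assumed to live elsewhere in the configuration.
server {
    # Port the vhost listens on (TLS only).
    listen 443 ssl;

    # Recover the client address from the upstream proxy's X-Forwarded-For.
    # DO NOT USE THIS ON BARE METAL! ONLY BEHIND THE DOCKER REVERSE PROXY!
    # set_real_ip_from must list ONLY the proxy addresses: every host inside
    # the trusted range can forge X-Forwarded-For and thereby spoof the address
    # that ends up in the logs and in any allow/deny decision. A /16 is almost
    # certainly wider than needed - prefer the proxy's /32 or the exact prefix
    # of the proxy network.
    real_ip_header X-Forwarded-For;
    set_real_ip_from "x.x.x.x/16";

    # Only allow secure protocols. TLS 1.0 and 1.1 are deprecated (RFC 8996)
    # and have been dropped from the original list. TLSv1.3 needs nginx >=
    # 1.13.0 built against OpenSSL >= 1.1.1; remove it if the build lacks it.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Custom DH parameters for the EDH suites (2048 bit is the minimum).
    # TODO: create them with
    #   openssl dhparam -outform PEM -out dhparam2048.pem 2048
    ssl_dhparam /path/to/dhparam2048.pem;

    # Elliptic curve with 384 bit (comparable to 7680 bit RSA per NIST SP 800-57).
    # NOTE: pinning a single curve refuses clients that only offer X25519 /
    # P-256; widen the list if such clients have to be supported.
    ssl_ecdh_curve secp384r1;

    # Let the server choose the cipher order (TLS 1.2 only - the TLS 1.3 suites
    # are fixed by OpenSSL and are not affected by ssl_ciphers).
    ssl_prefer_server_ciphers on;

    # Forward-secret, AEAD-first cipher list. The original "EECDH+aRSA+RC4"
    # entry was a no-op (immediately negated by !RC4) and has been removed.
    # The trailing "EECDH EDH+aRSA" catch-alls still admit CBC/SHA1 suites for
    # old clients; drop them once those clients no longer matter.
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";

    # Session tickets are encrypted with a key nginx generates at startup and
    # does not rotate unless ssl_session_ticket_key is managed externally; a
    # long-lived ticket key undermines forward secrecy, so disable tickets.
    ssl_session_tickets off;

    # Certificate and private key. The key file must be readable by root only
    # (mode 0600); nginx reads it from the master process.
    ssl_certificate /etc/nginx/ssl/www.name-of-website.tld/nameof.crt;
    ssl_certificate_key /etc/nginx/ssl/www.name-of-website.tld/nameof.key;

    # FQDN(s) for this vhost.
    server_name www.name-of-website.tld;

    # Document root for this vhost.
    root /var/www/www.name-of-website.tld;

    # Separate access and error log per vhost.
    access_log /var/log/nginx/www.name-of-website.tld/access.log;
    error_log /var/log/nginx/www.name-of-website.tld/error.log;

    # Index file(s) for this vhost.
    index index.php index.html index.htm default.html default.htm;

    # Security headers. "always" (nginx >= 1.7.5) attaches them to error
    # responses as well. NOTE: add_header is NOT inherited into a location
    # that defines its own add_header - such a location must repeat the full
    # set (see the css/js location below).
    #
    # HSTS: hstspreload.org requires max-age >= 31536000 (one year); the
    # original 15768000 (six months) would be rejected for preloading.
    # includeSubDomains + preload is a long-term commitment for EVERY
    # subdomain - remove "preload" unless the domain is really being submitted.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    # The legacy browser XSS auditor has been removed from current browsers and
    # its filtering mode has been abused to leak cross-site data; "0" disables
    # it explicitly instead of asking for "1; mode=block".
    add_header X-XSS-Protection "0" always;
    # X-Robots-Tag "none" (= noindex, nofollow) de-indexes the WHOLE site,
    # which contradicts the search-engine-friendly URL handling further down.
    # Re-enable it only on a vhost that must not be crawled.
    #add_header X-Robots-Tag none always;
    add_header X-Download-Options noopen always;
    add_header X-Permitted-Cross-Domain-Policies none always;

    # Public-Key-Pins (HPKP) has been removed on purpose: the header is
    # deprecated and no longer enforced by current browsers, and a pin that
    # does not match the deployed key locks every returning visitor out for
    # max-age (a full year in the original) - a self-inflicted denial of
    # service. The original header was also malformed (no ";" between the
    # backup pin and max-age) and its hash recipe ran "openssl x509" against a
    # private key file. Use Certificate Transparency monitoring instead.

    # gzip stays off: nginx strips the ETag when it compresses a response, and
    # compressing pages that reflect attacker-controlled input next to secrets
    # exposes them to BREACH-style attacks.
    gzip off;

    # Do not log access to robots.txt.
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Support clean (search-engine-friendly) URLs.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Deny all attempts to access hidden files such as .htaccess, .htpasswd,
    # .git and .DS_Store (Mac), but keep /.well-known/ reachable so that ACME
    # (Let's Encrypt) HTTP-01 challenges and similar discovery files still work.
    location ~ /\.(?!well-known/) {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Deny running scripts inside writable directories. Regex locations are
    # evaluated in order of appearance and the first match wins, so this block
    # MUST come before "location ~ \.php$": in the original it came after it,
    # which made it dead for .php files and handed /images/x.php to php-fpm.
    location ~* /(images|cache|media|logs|tmp)/.*\.(php|pl|py|jsp|asp|sh|cgi)$ {
        return 403;
    }

    # Enable php-fpm. try_files makes nginx refuse URIs whose script does not
    # exist on disk; without it, php-fpm with cgi.fix_pathinfo=1 can walk the
    # path back and execute an uploaded file (e.g. /some/upload.jpg/x.php) as
    # PHP. Also set security.limit_extensions = .php in the FPM pool.
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    # Cache-Control for js and css files. add_header inside a location replaces
    # the inherited set, so every security header from above is repeated here.
    location ~* \.(?:css|js)$ {
        add_header Cache-Control "public, max-age=7200";
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
        add_header X-Content-Type-Options nosniff always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-XSS-Protection "0" always;
        #add_header X-Robots-Tag none always;
        add_header X-Download-Options noopen always;
        add_header X-Permitted-Cross-Domain-Policies none always;
        # Optional: don't log access to assets
        #access_log off;
    }

    ### SECURITY AND HARDENING OPTIONS ###

    # Hide the nginx version in the Server header and on error pages
    # (obscurity only - it does not remove any vulnerability).
    server_tokens off;

    # The following are crude signature checks on the raw query string. They
    # are trivially bypassed with alternative encodings and are NOT a
    # substitute for a WAF or for input validation in the application.
    # $rule_0 is initialised so nginx does not warn about an uninitialised
    # variable in the comparisons below.
    set $rule_0 "";

    # Block out any script trying to base64_encode data within the URL.
    if ($query_string ~ "base64_encode[^(]*\([^)]*\)") {
        set $rule_0 1;
    }
    # Block out any script that includes a <script> tag in the URL.
    if ($query_string ~ "(<|%3C)([^s]*s)+cript.*(>|%3E)") {
        set $rule_0 1;
    }
    # Block out any script trying to set a PHP GLOBALS variable via URL.
    if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
        set $rule_0 1;
    }
    # Block out any script trying to modify a _REQUEST variable via URL.
    if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
        set $rule_0 1;
    }
    if ($rule_0 = "1") {
        rewrite /.* /index.php ;
    }

    # Begin - Joomla! core SEF section (kept as generated by the Joomla
    # nginx template; the $http_authorization re-set is part of it).
    set $http_authorization $http_authorization;
    if ($uri !~ "^/index\.php") {
        set $rule_0 1$rule_0;
    }
    if ($uri ~* "/component/|(/[^.]*|\.(php|html?|feed|pdf|vcf|raw))$") {
        set $rule_0 2$rule_0;
    }
    if ($rule_0 = "21") {
        rewrite /.* /index.php last;
    }

    # Caching of static files (Joomla defaults). js and css are handled by the
    # Cache-Control location above and would never reach the second pattern
    # (first matching regex wins), so they are not repeated here.
    location ~* \.(ico|pdf|flv)$ {
        expires 1y;
    }
    location ~* \.(png|jpg|jpeg|gif|swf|xml|txt)$ {
        expires 14d;
    }

    ## Start: Size limits ##
    # These bound the memory a single client can make nginx allocate; nginx is
    # not "overflowed" by larger values. The original 1k limits broke normal
    # traffic: client_max_body_size 1k answered 413 to every form post and
    # upload, and two 1k large-header buffers can answer 400/414 to any
    # browser sending a session cookie plus a few tracking cookies.
    client_body_buffer_size 16k;
    client_header_buffer_size 1k;
    # Must be >= post_max_size / upload_max_filesize in php.ini, otherwise
    # uploads die here with 413 before PHP ever sees them.
    client_max_body_size 10m;
    large_client_header_buffers 4 8k;
    ## End: Size limits ##

    ## Start: Timeouts ##
    # Read timeout for the request body; only applies when the body does not
    # arrive in one read. nginx returns 408 when the client stays silent.
    # The default is 60.
    client_body_timeout 10;
    # Read timeout for the request header; only applies when the header does
    # not arrive in one read. nginx returns 408 when the client stays silent.
    client_header_timeout 10;
    # First value: how long an idle keep-alive connection is kept open.
    # Second value: the "Keep-Alive: timeout=" hint sent to the client, which
    # convinces some browsers to close the connection themselves. Without it
    # nginx sends no Keep-Alive header (that is not what makes a connection
    # keep-alive, though).
    keepalive_timeout 5 5;
    # Timeout for transmitting the response to the client, measured between
    # two successive write operations rather than for the whole response; if
    # the client accepts nothing within this time nginx closes the connection.
    send_timeout 10;
    ## End: Timeouts ##

    # Only allow these request methods (no DELETE, PUT, OPTIONS, TRACE, ...).
    # 444 closes the connection without sending a response.
    if ($request_method !~ ^(GET|HEAD|POST)$ ) {
        return 444;
    }

    # Deny certain referers (spam-referer filter). Referer is client-supplied
    # and trivially omitted, so this is a nuisance filter, not a security
    # control; the substrings also match legitimate hosts ("essex", "glove",
    # "thirteen"), so review the list before relying on it.
    if ( $http_referer ~* (babes|forsale|girl|jewelry|love|nudit|organic|poker|porn|sex|teen) ) {
        # return 404;
        return 403;
    }
}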