Untitled

server {
    # defines on which port the Server listens
    listen 443 ssl;

    # Necessary to see the externalincoming IP
    # DO NOT USE THIS WHEN ON BARE METAL! ONLY ON MY DOCKER INFRASTRUCTRE!
    real_ip_header X-Forwarded-For;
    set_real_ip_from "x.x.x.x/16";

    # only allow secure protocols
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # custom DH
    # TODO
    # YOU NEED TO CREATE THESE WITH:
    # openssl dhparam -outform PEM -out dhparam2048.pem 2048
    ssl_dhparam /path/to/dhparam2048.pem;
    # choose eleptic curve with 384 bit
    # equal to 7680 bit RSA
    ssl_ecdh_curve secp384r1;

    # set prefer ciphers
    ssl_prefer_server_ciphers on;

    # define which ciphers to allow
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";

    # define where ssl certs are stored
    ssl_certificate /etc/nginx/ssl/www.name-of-website.tld/nameof.crt;
    ssl_certificate_key /etc/nginx/ssl/www.name-of-website.tld/nameof.key;

    # defines the fqdn(s) for this vhost
    server_name www.name-of-website.tld;

    # Document root for this vhost
    root /var/www/www.name-of-website.tld;

    # create separate log and error files for this vhost
    access_log  /var/log/nginx/www.name-of-website.tld/access.log;
    error_log   /var/log/nginx/www.name-of-website.tld/error.log;

    #define index file(s) for this vhost
    index index.php index.html index.htm default.html default.htm;

    # Add headers to serve SECURITY related headers
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    # TODO
    # !!! TO GET PUBLIC KEY PINNING WORKING YOU NEED TO INSERT THE VALUE HERE! !!!
    # EXAMPLE:
    # openssl x509 -in your-key-file.key -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | base64
    ###
    # YOU ALSO NEED TO APPLY A BACKUP_KEY FOR A CA! DOWNLOAD THIS CRT AND GET THE HASH FOR IT
    # EXAMPLE:
    # openssl x509 -in ca.crt -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | base64
    add_header Public-Key-Pins 'pin-sha256="CURRENT-KEY-HASH"; pin-sha256="BACKUP-KEY-HASH" max-age=31536000; includeSubDomains';


    # Disable gzip to avoid the removal of the ETag header
    gzip off;

    # disable logging for robots.txt
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Support Clean (aka Search Engine Friendly) URLs
    location / {
        try_files $uri $uri/ /index.php?$args;

    }

    # Deny all attempts to access hidden files such as .htaccess, .htpasswd,
    # .DS_Store (Mac).
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }

    # enable php-fpm
    location ~ \.php$ {
        fastcgi_pass  127.0.0.1:9000;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    # Adding the cache control header for js and css files
    # Make sure it is BELOW the location ~ \.php(?:$|/) { block
    location ~* \.(?:css|js)$ {
        add_header Cache-Control "public, max-age=7200";
        # Add headers to serve security related headers
        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        # Optional: Don't log access to assets
        #access_log off;
    }

    ### SECURITY AND HARDENING OPTIONS ###
    # Turn of the Server Tokens (webserver information)
    server_tokens off;

    # Block out any script trying to base64_encode data within the URL.
    if ($query_string ~ "base64_encode[^(]*\([^)]*\)") {
        set $rule_0 1;
    }

    # Block out any script that includes a ********** tag in URL.
    if ($query_string ~ "(<|%3C)([^s]*s)+cript.*(>|%3E)"){
        set $rule_0 1;
    }

    # Block out any script trying to set a PHP GLOBALS variable via URL.
    if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})"){
        set $rule_0 1;
    }

    # Block out any script trying to modify a _REQUEST variable via URL.
    if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})"){
        set $rule_0 1;
    }

    if ($rule_0 = "1"){
        rewrite /.* /index.php ;
    }

    # Begin - Joomla! core SEF Section.
    set $http_authorization $http_authorization;

    if ($uri !~ "^/index\.php"){
        set $rule_0 1$rule_0;
    }
    if ($uri ~* "/component/|(/[^.]*|\.(php|html?|feed|pdf|vcf|raw))$"){
        set $rule_0 2$rule_0;
    }
    if ($rule_0 = "21"){
        rewrite /.* /index.php last;
    }

    # deny running scripts inside writable directories
    location ~* /(images|cache|media|logs|tmp)/.*\.(php|pl|py|jsp|asp|sh|cgi)$ {
        return 403;
    }

    # caching of files ( default joomla)
    location ~* \.(ico|pdf|flv)$ {
        expires 1y;
    }
    location ~* \.(js|css|png|jpg|jpeg|gif|swf|xml|txt)$ {
        expires 14d;
    }

    ## Start: Size Limits & Buffer Overflows ##
    # The directive specifies the client request body buffer size. (default is 8k)
    client_body_buffer_size  1K;

    # Directive sets the headerbuffer size for the request header from client.
    # !!!May have to be adjusted!!!!
    client_header_buffer_size 1k;

    # Directive assigns the maximum accepted body size of client request
    # Throws error 413
    # !!!! if too small for POST stuff then we have to increase!!!!!
    client_max_body_size 1k;

    # Directive assigns the maximum number and size of buffers for large headers to read from client request
    large_client_header_buffers 2 1k;
    ## END: Size Limits & Buffer Overflows ##

    ## Start: Timeouts ##
    # Directive sets the read timeout for the request body from client.
    # The timeout is set only if a body is not get in one readstep.
    # If after this time the client send nothing, nginx returns error “Request time out” (408).
    # The default is 60.
    client_body_timeout   10;

    # Directive assigns timeout with reading of the title of the request of client.
    # The timeout is set only if a header is not get in one readstep.
    # If after this time the client send nothing, nginx returns error “Request time out” (408).
    client_header_timeout 10;

    # The first parameter assigns the timeout for keep-alive connections with the client.
    # The server will close connections after this time.
    # The optional second parameter assigns the time value in the header Keep-Alive: timeout=time of the response.
    # This header can convince some browsers to close the connection, so that the server does not have to.
    # Without this parameter, nginx does not send a Keep-Alive header (though this is not what makes a connection “keep-alive”).
    keepalive_timeout     5 5;

    # Directive assigns response timeout to client.
    # Timeout is established not on entire transfer of answer,
    # but only between two operations of reading, if after this time client will take nothing,
    # then nginx is shutting down the connection.
    send_timeout          10;
    ## End: Timeouts ##

    # Only allow these request methods
    # Do not accept DELETE, SEARCH and other methods
    if ($request_method !~ ^(GET|HEAD|POST)$ ) {
        return 444;
    }

    # Deny certain Referers
    if ( $http_referer ~* (babes|forsale|girl|jewelry|love|nudit|organic|poker|porn|sex|teen) )
    {
        # return 404;
        return 403;
    }
    }