  1. #don't send the nginx version number in error pages and Server header
  2. server_tokens off;
  3.  
  4. add_header X-Content-Type-Options nosniff;
  5. add_header X-XSS-Protection "1; mode=block";
  6. add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'
  7. https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self'
  8. https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src
  9. 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self'
  10. https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com
  11. https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";
  12.  
  13. server {
  14. listen *:443;
  15. server_name _; #Change with the proper domain
  16.  
  17. client_max_body_size 50M;
  18. ssl on;
  19. ssl_certificate /etc/ssl/faraday.crt;
  20. ssl_certificate_key /etc/ssl/faraday.key;
  21. # enable session resumption to improve https performance
  22. # http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
  23. ssl_session_cache shared:SSL:50m;
  24. ssl_session_timeout 5m;
  25.  
  26. # enables server-side protection from BEAST attacks
  27. # http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
  28. ssl_prefer_server_ciphers on;
  29.  
  30. # disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
  31. ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  32.  
  33. # ciphers chosen for forward secrecy and compatibility
  34. # http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
  35. #ssl_ciphers 'AES128+EECDH:AES128+EDH';
  36. ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
  37.  
  38. # config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
  39. # to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
  40. add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
  41.  
  42. location / {
  43. proxy_pass http://localhost:5985/;
  44. proxy_redirect http:// https://;
  45. proxy_set_header Host $host;
  46. proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  47. proxy_set_header X-Forwarded-Ssl on;
  48. }
  49. }