# Hardening directives for every virtual host in this http context.
# NOTE(review): nginx inherits add_header from here into a server/location
# only when that block declares NO add_header of its own. The server block
# below sets Strict-Transport-Security itself, so these three headers are
# not sent by it unless they are repeated there — verify with
# `curl -sI https://<host>/ | grep -i x-content-type-options`.
#don't send the nginx version number in error pages and Server header
server_tokens off;
# Stop browsers from MIME-sniffing responses into a different content type.
add_header X-Content-Type-Options nosniff;
# Legacy XSS-auditor switch; current browsers ignore it and OWASP now advises
# "0" because the auditor itself was abused as a side channel. Harmless here.
add_header X-XSS-Protection "1; mode=block";
# CSP for the proxied application. 'unsafe-inline' and 'unsafe-eval' in
# script-src leave most XSS vectors open; they are presumably required by the
# application (confirm) and should be replaced with nonces/hashes when it can
# be changed. object-src 'none' and the explicit frame-src allow-list are good.
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'
https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self'
https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src
'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self'
https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com
https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";
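server {
    # TLS terminator in front of the application listening on loopback:5985.
    # "listen ... ssl" replaces "ssl on;", which is deprecated since nginx
    # 1.15.0 and removed in 1.25.1; the ssl listen parameter exists since 0.7.14.
    listen *:443 ssl;
    server_name _; #Change with the proper domain ("_" matches any Host header)
    client_max_body_size 50M;

    ssl_certificate /etc/ssl/faraday.crt;
    ssl_certificate_key /etc/ssl/faraday.key;

    # enable session resumption to improve https performance
    # http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 5m;
    # Session tickets are protected by a key nginx only regenerates on
    # restart, which undermines forward secrecy for the lifetime of the
    # process; keep them off unless ssl_session_ticket_key rotation is set up.
    ssl_session_tickets off;

    # Let the server, not the client, pick the suite (also the server-side
    # BEAST mitigation the original config referenced).
    # http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
    ssl_prefer_server_ciphers on;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and prohibited by PCI DSS;
    # the original config still offered them. Add TLSv1.3 once nginx >= 1.13
    # built against OpenSSL >= 1.1.1 is in use (older nginx rejects the token).
    ssl_protocols TLSv1.2;

    # Forward-secret, AEAD-only suites. The original list also advertised
    # 3DES (SWEET32) and static-RSA key exchange, which has no forward secrecy.
    # http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    # The DHE suites above use nginx's built-in DH group unless one is
    # supplied, and older releases ship a 1024-bit group (Logjam-sized).
    # Generate one (openssl dhparam -out /etc/ssl/dhparam.pem 2048) and
    # uncomment, or remove the DHE-* entries from ssl_ciphers.
    #ssl_dhparam /etc/ssl/dhparam.pem;

    # nginx does NOT inherit add_header from the http context once a block
    # declares an add_header of its own (the HSTS line below does), so the
    # hardening headers defined at http level must be repeated here or they
    # are silently dropped from every response of this server.
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    # 'unsafe-inline'/'unsafe-eval' in script-src leave most XSS vectors open;
    # presumably required by the application (confirm); tighten with
    # nonces/hashes when it can be changed.
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'
https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self'
https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src
'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self'
https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com
https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";

    # config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
    # to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
    # includeSubDomains pins every subdomain of the served name to HTTPS for a
    # year; confirm that is intended before deploying under a real domain.
    # The stray trailing ";" inside the original value has been dropped.
    # On nginx >= 1.7.5 append "always" so 4xx/5xx responses carry it as well.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

    location / {
        proxy_pass http://localhost:5985/;
        # Rewrite Location headers the backend builds with its own http:// origin.
        proxy_redirect http:// https://;
        proxy_set_header Host $host;
        # Client address for the backend. nginx is the only path to :5985 on
        # loopback, so the backend may trust the last hop of this chain.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        # Keep the original X-Forwarded-Ssl and add X-Forwarded-Proto: most
        # frameworks consult the latter when emitting https:// URLs and
        # Secure cookies. This server only serves TLS, so the value is fixed.
        proxy_set_header X-Forwarded-Ssl on;
        proxy_set_header X-Forwarded-Proto https;
    }
}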