HansVanEijsden

Nginx HTTPS configs 2016

Jan 7th, 2016
  1. ### Nginx main config: Tweaks & SSL settings (without the FastCGI-cache config parts)
  2.  
  3. ## http {} block:
  4.  
  5. http {
  6.  
  7. # [...]
  8.  
  9.     server_tokens off;
  10.     reset_timedout_connection on;
  11.     if_modified_since before;
  12.  
  13.     # Limit Request
  14.     limit_req_status 403;
  15.     limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
  16.  
  17.     fastcgi_read_timeout 300;
  18.     client_max_body_size 100m;
  19.  
  20.     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  21.     ssl_ciphers 'EECDH+CHACHA20:EECDH+CHACHA20-draft:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
  22.  
  23.     # Improves TTFB by using a smaller SSL buffer than the nginx default
  24.     ssl_buffer_size 8k;
  25.  
  26.     ssl_session_cache builtin:1000 shared:SSL:200m;
  27.     ssl_session_timeout 4h;
  28.     ssl_ecdh_curve secp384r1;
  29.     ssl_prefer_server_ciphers on;
  30.     ssl_dhparam /etc/ssl/certs/dhparam.pem;
  31.  
  32.     # http://nginx.com/blog/improve-seo-https-nginx/
  33.     ssl_session_tickets on;
  34.  
  35.     sendfile on;
  36.     tcp_nopush on;
  37.     tcp_nodelay on;
  38.     keepalive_requests 500;
  39.     keepalive_timeout 300 300;
  40.     types_hash_max_size 2048;
  41.  
  42.     server_names_hash_max_size 1024;
  43.     server_names_hash_bucket_size 96;
  44.     server_name_in_redirect off;
  45.  
  46.     include mime.types;
  47.     default_type application/octet-stream;
  48.  
  49.     open_log_file_cache max=1000 inactive=20s min_uses=2 valid=1m;
  50.  
  51.     gzip on;
  52.     gzip_disable "msie6";
  53.     gzip_vary on;
  54.     gzip_proxied any;
  55.     gzip_comp_level 6;
  56.     gzip_buffers 16 8k;
  57.     gzip_http_version 1.0;
  58.     gzip_types application/xml;
  59.     gzip_types application/xml+rss;
  60.     gzip_types "application/x-javascript;charset=utf-8";
  61.     gzip_types application/ecmascript;
  62.     gzip_types application/javascript;
  63.     gzip_types application/json;
  64.     gzip_types application/pdf;
  65.     gzip_types application/postscript;
  66.     gzip_types application/x-javascript;
  67.     gzip_types image/svg+xml;
  68.     gzip_types image/bmp;
  69.     gzip_types text/css;
  70.     gzip_types text/csv;
  71.     gzip_types text/javascript;
  72.     gzip_types text/plain;
  73.     gzip_types text/xml;
  74.  
  75.     open_file_cache     max=10000  inactive=10m;
  76.     open_file_cache_valid   2m;
  77.     open_file_cache_min_uses 1;
  78.     open_file_cache_errors   on;
  79.  
  80.     fastcgi_buffers 128 32k;
  81.     fastcgi_buffer_size 32k;
  82.  
  83.     fastcgi_param SERVER_NAME $http_host;
  84.     fastcgi_ignore_headers  Cache-Control Expires Set-Cookie;
  85.  
  86. # [...]
  87.  
  88. }
  89.  
  90.  
  91. ## server {} block port 80:
  92.  
  93. server {
  94.  
  95.     listen   80 reuseport default_server backlog=65535 fastopen=5 deferred; ## listen for ipv4; this line is default and implied
  96.     listen   [::]:80 reuseport default_server backlog=65535 fastopen=5 deferred; ## listen for ipv6
  97.  
  98.     server_name www.example.com example.com;
  99.  
  100.     # https://community.letsencrypt.org/t/howto-easy-cert-generation-and-renewal-with-nginx/3491
  101.     location '/.well-known/acme-challenge' {
  102.     default_type "text/plain";
  103.     root        /tmp/letsencrypt-auto;
  104.     }
  105.  
  106.     add_header Strict-Transport-Security "max-age=31536000;";
  107.  
  108.     location / {
  109.     return 301 https://www.example.com$request_uri;
  110.     }
  111.  
  112. }
  113.  
  114.  
  115. ## server {} block port 443 SSL:
  116.  
  117. server {
  118.  
  119.     listen  443 reuseport default_server ssl http2 backlog=65535 fastopen=5 deferred;
  120.     listen  [::]:443 reuseport default_server ssl http2 backlog=65535 fastopen=5 deferred;
  121.  
  122.     server_name www.example.com example.com;
  123.  
  124.     ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;
  125.     ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
  126.  
  127.     ssl_stapling               on;
  128.     ssl_stapling_verify        on;
  129.     ssl_trusted_certificate /etc/letsencrypt/live/www.example.com/chain.pem;
  130.  
  131.     add_header Strict-Transport-Security "max-age=31536000;";
  132.     add_header Access-Control-Allow-Origin *;
  133.     add_header X-Frame-Options "SAMEORIGIN" always;
  134.     add_header X-Xss-Protection "1; mode=block" always;
  135.     add_header X-Content-Type-Options "nosniff" always;
  136.     add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'" always;
  137.  
  138.     access_log   /var/log/nginx/example.access.log;
  139.     error_log    /var/log/nginx/example.error.log crit;
  140.  
  141.     root /home/example/www;
  142.     index index.php index.htm index.html;
  143.  
  144.     add_header X-Frame-Options "SAMEORIGIN";
  145.  
  146.     # Use cached or actual file if they exists, Otherwise pass request to WordPress
  147.     location / {
  148.         try_files $uri $uri/ /index.php?$args;
  149.     }
  150.  
  151.     location ~ ^/wp-content/cache/minify/(.+\.(css|js))$ {
  152.         try_files $uri /wp-content/plugins/w3-total-cache/pub/minify.php?file=$1;
  153.     }
  154.  
  155.     location ~ \.php$ {
  156.         try_files $uri =404;
  157.         include fastcgi_params;
  158.         fastcgi_pass unix:/var/run/example-php.sock;
  159.     }
  160.  
  161.     # Limit access to avoid brute force attack
  162.     location = /wp-login.php {
  163.         limit_req zone=one burst=1 nodelay;
  164.         include fastcgi_params;
  165.         fastcgi_pass unix:/var/run/example-php.sock;
  166.     }
  167.  
  168.     # Disallow php in upload folder
  169.     location /wp-content/uploads/ {
  170.         location ~ \.php$ {
  171.             #Prevent Direct Access Of PHP Files From Web Browsers
  172.             deny all;
  173.         }
  174.     }
  175.  
  176.     # Yoast sitemap
  177.     location ~ ([^/]*)sitemap(.*)\.x(m|s)l$ {
  178.         rewrite ^/sitemap\.xml$ /sitemap_index.xml permanent;
  179.         rewrite ^/([a-z]+)?-?sitemap\.xsl$ /index.php?xsl=$1 last;
  180.         rewrite ^/sitemap_index\.xml$ /index.php?sitemap=1 last;
  181.         rewrite ^/([^/]+?)-sitemap([0-9]+)?\.xml$ /index.php?sitemap=$1&sitemap_n=$2 last;
  182.    
  183.     # Following lines are options. Needed for WordPress seo addons
  184.         rewrite ^/news_sitemap\.xml$ /index.php?sitemap=wpseo_news last;
  185.         rewrite ^/locations\.kml$ /index.php?sitemap=wpseo_local_kml last;
  186.         rewrite ^/geo_sitemap\.xml$ /index.php?sitemap=wpseo_local last;
  187.         rewrite ^/video-sitemap\.xsl$ /index.php?xsl=video last;
  188.  
  189.     # Basic locations files
  190.         location = /favicon.ico {
  191.             access_log off;
  192.             log_not_found off;
  193.             expires max;
  194.         }
  195.  
  196.         location = /robots.txt {
  197.             access_log off;
  198.             log_not_found off;
  199.         }
  200.  
  201.     # Cache static files
  202.         location ~* \.  (ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf|webp)$ {
  203.             access_log off;
  204.             log_not_found off;
  205.             expires max;
  206.             add_header Access-Control-Allow-Origin *;
  207.             add_header Cache-Control "public, must-revalidate, proxy-revalidate";
  208.             }
  209.  
  210.     # Deny hidden files
  211.         location ~ /\. {
  212.             deny  all;
  213.             access_log off;
  214.             log_not_found off;
  215.         }
  216.  
  217.     # Deny backup extensions & log files
  218.         location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp)$ {
  219.             deny  all;
  220.             access_log off;
  221.             log_not_found off;
  222.         }
  223.  
  224. }
  225.  
  226.  
  227. ### To compile Nginx:
  228.  
  229. export PATH=/usr/lib/ccache:$PATH \
  230. DEB_CFLAGS_SET="-O3 -march=native -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security" \
  231. DEB_CXXFLAGS_SET="-O3 -march=native -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security" \
  232. DEB_FFLAGS_SET="-O3" \
  233. DEB_LDFLAGS_SET="-Wl,-z,relro"
  234. export DEB_CFLAGS_SET DEB_CXXFLAGS_SET DEB_FFLAGS_SET DEB_LDFLAGS_SET
  235.  
  236. cd /usr/local/src/nginx-1.9.12
  237. make clean
  238.  
  239. ./configure --prefix=/opt/nginx19 --user=www-data --group=www-data --with-http_ssl_module --with-http_v2_module --with-openssl=/usr/local/src/openssl-1.0.2g --with-openssl-opt="enable-ec_nistp_64_gcc_128 threads" --with-md5=/usr/local/src/openssl-1.0.2g --with-md5-asm --with-sha1=/usr/local/src/openssl-1.0.2g --with-sha1-asm --with-pcre-jit --with-file-aio --with-http_flv_module --with-http_geoip_module --with-http_gzip_static_module --with-http_gunzip_module --with-http_mp4_module --with-http_realip_module --with-http_stub_status_module --with-threads --with-ipv6 --with-cc-opt="-DTCP_FASTOPEN=23 -O3 -march=native"
  240.  
  241. sudo nice make install
  242.  
  243.  
  244. ### OpenSSL patch for PolyChaCha cipher (apply to OpenSSL 1.0.2g source code) in openssl-1.0.2g source dir:
  245.  
  246. wget "https://raw.githubusercontent.com/cloudflare/sslconfig/master/patches/openssl__chacha20_poly1305_draft_and_rfc_ossl102g.patch"
  247. patch -p1 < openssl__chacha20_poly1305_draft_and_rfc_ossl102g.patch
  248. CFLAGS="-O3 -march=native" CXXFLAGS="-O3 -march=native" ./config enable-ec_nistp_64_gcc_128 threads shared zlib-dynamic -m64
  249. make depend
  250. make && sudo make install && sudo ldconfig
  251.  
  252. ### CHECKS:
  253.  
  254. TLS check (protocols, cipher suites, chain, stapling): https://www.ssllabs.com/ssltest/
  255. Headers check: https://securityheaders.com (formerly securityheaders.io)
  256.  
  257. Using WordPress? Do not forget to set up FastCGI caching (guides below) — and make sure the cache is bypassed for logged-in users (wordpress_logged_in_* / wp-postpass cookies), POST requests and wp-admin: with Set-Cookie in fastcgi_ignore_headers, a cached response that sets a session cookie would otherwise be served to other visitors.
  258. https://easyengine.io/wordpress-nginx/tutorials/single-site/fastcgi-cache-with-purging/
  259. https://www.digitalocean.com/community/tutorials/how-to-setup-fastcgi-caching-with-nginx-on-your-vps