API tools faq
paste
Advertisement
Guest User

Nginx config

a guest
Oct 10th, 2018
50
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 7.01 KB | None | 0 0
raw download clone embed print report
  1. root@node-srv:~# cat /etc/nginx/nginx.conf
  2. user www-data;
  3. worker_processes auto;
  4. pid /run/nginx.pid;
  5. include /etc/nginx/modules-enabled/*.conf;
  6.  
  7. events {
  8. worker_connections 768;
  9. multi_accept on;
  10. use epoll;
  11. }
  12.  
  13. http {
  14.  
  15. ##
  16. # Basic Settings
  17. ##
  18.  
  19. sendfile on;
  20. tcp_nopush on;
  21. tcp_nodelay on;
  22. keepalive_timeout 65;
  23. types_hash_max_size 2048;
  24. # server_tokens off;
  25.  
  26. # server_names_hash_bucket_size 64;
  27. # server_name_in_redirect off;
  28.  
  29. include /etc/nginx/mime.types;
  30. default_type application/octet-stream;
  31.  
  32. ##
  33. # SSL Settings
  34. ##
  35.  
  36. # ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
  37. ssl_protocols TLSv1.2 TLSv1.3;
  38. ssl_prefer_server_ciphers on;
  39.  
  40. ##
  41. # Logging Settings
  42. ##
  43.  
  44. access_log /var/log/nginx/access.log;
  45. error_log /var/log/nginx/error.log;
  46.  
  47. ##
  48. # Gzip Settings
  49. ##
  50.  
  51. gzip on;
  52. gzip_disable "msie6";
  53.  
  54. # gzip_vary on;
  55. # gzip_proxied any;
  56. # gzip_comp_level 6;
  57. # gzip_buffers 16 8k;
  58. # gzip_http_version 1.1;
  59. # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
  60.  
  61. ##
  62. # Virtual Host Configs
  63. ##
  64.  
  65.  
  66. include /etc/nginx/conf.d/*.conf;
  67. include /etc/nginx/sites-enabled/*;
  68. }
  69.  
  70.  
  71. #mail {
  72. # # See sample authentication script at:
  73. # # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
  74. #
  75. # # auth_http localhost/auth.php;
  76. # # pop3_capabilities "TOP" "USER";
  77. # # imap_capabilities "IMAP4rev1" "UIDPLUS";
  78. #
  79. # server {
  80. # listen localhost:110;
  81. # protocol pop3;
  82. # proxy on;
  83. # }
  84. #
  85. # server {
  86. # listen localhost:143;
  87. # protocol imap;
  88. # proxy on;
  89. # }
  90. #}
  91.  
  92. root@node-srv:~# cat /etc/nginx/sites-enabled/nextcloud
  93. server {
  94.  
  95. server_name *my_servername*;
  96.  
  97. # Add headers to serve security related headers
  98. add_header X-Content-Type-Options nosniff;
  99. # add_header X-Frame-Options "SAMEORIGIN";
  100. add_header X-XSS-Protection "1; mode=block";
  101. add_header X-Robots-Tag none;
  102. add_header X-Download-Options noopen;
  103. add_header X-Permitted-Cross-Domain-Policies none;
  104. add_header Strict-Transport-Security "max-age=15552000";
  105. add_header Referrer-Policy "no-referrer-when-downgrade";
  106. add_header Feature-Policy "geolocation none; midi none; notifications none; push none; sync-xhr none; microphone none; camera none; magnetometer none; gyroscope none; speaker none; vibrate none; fullscreen none; payment none";
  107. # add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; frame-src 'self'; object-src 'none'";
  108.  
  109. # Path to the root of your installation
  110. root /var/www/nextcloud/;
  111.  
  112. location = /robots.txt {
  113. allow all;
  114. log_not_found off;
  115. access_log off;
  116. }
  117.  
  118. # The following 2 rules are only needed for the user_webfinger app.
  119. # Uncomment it if you're planning to use this app.
  120. #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
  121. #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json
  122. # last;
  123.  
  124. location = /.well-known/carddav {
  125. return 301 $scheme://$host/remote.php/dav;
  126. }
  127.  
  128. location = /.well-known/caldav {
  129. return 301 $scheme://$host/remote.php/dav;
  130. }
  131.  
  132. location ~ /.well-known/acme-challenge {
  133. allow all;
  134. }
  135.  
  136. # set max upload size
  137. client_max_body_size 512M;
  138. fastcgi_buffers 64 4K;
  139.  
  140. # Disable gzip to avoid the removal of the ETag header
  141. gzip off;
  142.  
  143. # Uncomment if your server is build with the ngx_pagespeed module
  144. # This module is currently not supported.
  145. #pagespeed off;
  146.  
  147. # error_page 403 /core/templates/403.php;
  148. error_page 404 /core/templates/404.php;
  149.  
  150. location / {
  151. rewrite ^ /index.php$uri;
  152. }
  153.  
  154. location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
  155. deny all;
  156. }
  157.  
  158. location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
  159. deny all;
  160. }
  161.  
  162. location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\.php(?:$|/) {
  163. include fastcgi_params;
  164. fastcgi_split_path_info ^(.+\.php)(/.*)$;
  165. fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
  166. fastcgi_param PATH_INFO $fastcgi_path_info;
  167. #Avoid sending the security headers twice
  168. fastcgi_param modHeadersAvailable true;
  169. fastcgi_param front_controller_active true;
  170. fastcgi_pass unix:/run/php/php7.2-fpm.sock;
  171. fastcgi_intercept_errors on;
  172. fastcgi_request_buffering off;
  173. }
  174.  
  175. location ~ ^/(?:updater|ocs-provider)(?:$|/) {
  176. try_files $uri/ =404;
  177. index index.php;
  178. }
  179.  
  180. # Adding the cache control header for js and css files
  181. # Make sure it is BELOW the PHP block
  182. location ~* \.(?:css|js)$ {
  183. try_files $uri /index.php$uri$is_args$args;
  184. add_header Cache-Control "public, max-age=7200";
  185. # Add headers to serve security related headers (It is intended to
  186. # have those duplicated to the ones above)
  187. add_header X-Content-Type-Options nosniff;
  188. add_header X-Frame-Options "SAMEORIGIN";
  189. add_header X-XSS-Protection "1; mode=block";
  190. add_header X-Robots-Tag none;
  191. add_header X-Download-Options noopen;
  192. add_header X-Permitted-Cross-Domain-Policies none;
  193. # Optional: Don't log access to assets
  194. access_log off;
  195. }
  196.  
  197. location ~* \.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$ {
  198. try_files $uri /index.php$uri$is_args$args;
  199. # Optional: Don't log access to other assets
  200. access_log off;
  201. }
  202.  
  203. listen 443 ssl http2; # managed by Certbot
  204. ssl_certificate /etc/letsencrypt/live/*my_servername*/fullchain.pem; # managed by Certbot
  205. ssl_certificate_key /etc/letsencrypt/live/*my_servername*/privkey.pem; # managed by Certbot
  206.  
  207. ssl_trusted_certificate /etc/letsencrypt/live/*my_servername*/chain.pem;
  208. ssl_stapling on;
  209. ssl_stapling_verify on;
  210. ssl_ecdh_curve secp384r1;
  211.  
  212. include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
  213. ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
  214. }
  215.  
  216. server {
  217. # if ($host = *my_servername*) {
  218. # return 301 https://$host$request_uri;
  219. # } # managed by Certbot
  220.  
  221. listen 80;
  222. server_name *my_servername*;
  223. return 301 https://$server_name$request_uri;
  224.  
  225. # Add headers to serve security related headers
  226. # add_header X-Content-Type-Options nosniff;
  227. # return 404; # managed by Certbot
  228. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!