  1. ## Version 2020/10/29 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/ssl.conf
  2.  
  3. ### Mozilla Recommendations
  4. # generated 2020-06-17, Mozilla Guideline v5.4, nginx 1.18.0-r0, OpenSSL 1.1.1g-r0, intermediate configuration
  5. # https://ssl-config.mozilla.org/#server=nginx&version=1.18.0-r0&config=intermediate&openssl=1.1.1g-r0&guideline=5.4
  6.  
  7. ssl_session_timeout 1d;
  8. ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
  9. ssl_session_tickets off;
  10.  
  11. # intermediate configuration
  12. ssl_protocols TLSv1.3;
  13. ssl_ciphers EECDH+AESGCM:EECDH+AES256;
  14. ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
  15.  
  16. ssl_prefer_server_ciphers off;
  17.  
  18. # OCSP stapling
  19. ssl_stapling on;
  20. ssl_stapling_verify on;
  21.  
  22. ### Linuxserver.io Defaults
  23.  
  24. # Certificates
  25. ssl_certificate /config/keys/letsencrypt/fullchain.pem;
  26. ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
  27. # verify chain of trust of OCSP response using Root CA and Intermediate certs
  28. ssl_trusted_certificate /config/keys/letsencrypt/fullchain.pem;
  29.  
  30. # Diffie-Hellman Parameters
  31. ssl_dhparam /config/nginx/dhparams.pem;
  32.  
  33. # Resolver
  34. resolver 127.0.0.11 valid=30s; # Docker DNS Server
  35.  
  36. # Enable TLS 1.3 early data
  37. ssl_early_data on;
  38.  
  39. # HSTS, remove # from the line below to enable HSTS
  40. add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
  41.  
  42. # Optional additional headers
  43. #add_header Cache-Control "no-transform" always;
  44. add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'";
  45. add_header Referrer-Policy "strict-origin-when-cross-origin";
  46. add_header X-Content-Type-Options "nosniff" always;
  47. add_header X-Frame-Options "SAMEORIGIN" always;
  48. add_header X-XSS-Protection "1; mode=block" always;
  49. add_header X-Robots-Tag none; #SET THIS TO index IF YOU WANT GOOGLE TO INDEX YOU SITE!
  50. #FEATURE POLICY: READ MORE HERE: https://scotthelme.co.uk/a-new-security-header-feature-policy/
  51. #add_header Feature-Policy "geolocation none;midi none;notifications none;push none;sync-xhr none;microphone none;camera none;magnetometer none;gyroscope none;speaker self;vibrate none;fullscreen self;payment none;";
  52. add_header Permissions-Policy "geolocation=();midi=();notifications=();push=();sync-xhr=();microphone=();camera=();magnetometer=();gyroscope=();speaker=(self);vibrate=();fullscreen=(self);payment=();";
  53.  
  54. proxy_cookie_path / "/; HTTPOnly; Secure"; ##NOTE: This may cause issues with unifi. Remove HTTPOnly; or create another ssl config for unifi.
  55. more_set_headers "Server: Classified";
  56. more_clear_headers 'X-Powered-By';