Mael G. 2 years ago
commit 906d416472
  1. 6
      conf.d/gzip.conf
  2. 0
      conf.d/upstream.conf
  3. 6
      includes/autoload.conf
  4. 6
      includes/error_pages.conf
  5. 6
      includes/proxy_params.conf
  6. 19
      includes/security.conf
  7. 27
      includes/ssl_params.conf
  8. 14
      sites-enabled/git.enpls.org.conf
  9. 8
      sites-enabled/http_to_https.conf
  10. 13
      sites-enabled/wildcard_return.conf

@ -0,0 +1,6 @@
#gzip on; #Already enabled by default in nginx.conf
gzip_proxied any;
gzip_types text/plain text/xml text/css application/x-javascript;
gzip_vary on;
gzip_disable “MSIE [1-6]\.(?!.*SV1)”;
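Review bot: `gzip_disable “MSIE [1-6]\.(?!.*SV1)”;` on the last visible line of this hunk appears to be wrapped in typographic quotes (U+201C/U+201D), which nginx does not treat as string delimiters; the argument is then split on whitespace into two regexes that each carry a stray quote character and never match the intended user agents. Straight quotes fix it, `gzip_disable "MSIE [1-6]\.(?!.*SV1)";`, or use the built-in shorthand `gzip_disable "msie6";`. The hunk header announces six added lines while five are visible, so one line may have been lost in rendering. Separately, `gzip_types` lists only the legacy `application/x-javascript` type, so `application/javascript` and `application/json` responses from the proxied application stay uncompressed unless those are added.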

@ -0,0 +1,6 @@
# Includes all required file in ze server{} block
include includes/caching.conf;
include includes/error_pages.conf;
include includes/ssl_params.conf;
include includes/security.conf;
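Review bot: `include includes/caching.conf;` pulls in a file that is not among the ten files of this commit, so unless it already exists in the repository `nginx -t` fails on a missing include and neither site comes up; the same include appears in sites-enabled/wildcard_return.conf. If the file is meant to arrive in a later commit, either add it here or leave the line out until it exists. The header comment could also read `# Includes all required files in the server{} block`.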

@ -0,0 +1,6 @@
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/local/www/nginx-dist;
}
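Review bot: `location = /50x.html` serves the error page to anyone requesting that path directly, not only through the `error_page` redirect; adding `internal;` inside the location restricts it to internal redirects and keeps the page out of crawlers and direct probing. `root /usr/local/www/nginx-dist;` is the FreeBSD package default, so on a host installed differently the file is absent and the 50x handler itself answers 404, which is worth a comment. The hunk header counts six added lines while four are visible, so part of the file may not be shown.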

@ -0,0 +1,6 @@
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
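Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` appends the client address to whatever X-Forwarded-For the client itself sent, so with this nginx as the public edge the upstream receives a client-controlled list in which only the last element is trustworthy. If nothing sits in front of nginx, `proxy_set_header X-Forwarded-For $remote_addr;` hands the backend a single value it can rely on; otherwise the backend must be configured to trust only the rightmost hop, and a comment here should say which model applies. `Host $http_host` and `X-Forwarded-Host $host` also differ: the first forwards the raw client header including any port, the second the normalised server name, so the two headers can disagree for the same request.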

@ -0,0 +1,19 @@
# https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
# Avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
add_header X-Frame-Options SAMEORIGIN;
# Avoid MIME-type sniffing
# Supported in : Chrome/Chromium, Edge, IE >= 8.0, Firefox >= 50 and Opera >= 13
# https://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx?Redirected=true
add_header X-Content-Type-Options nosniff;
# Removing NGINX version header
server_tokens off;
# Avoid clickjacking
# https://www.imperva.com/learn/application-security/clickjacking/
add_header X-Frame-Options "SAMEORIGIN";
# X-XSS-Protection
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
add_header X-XSS-Protection "1; mode=block";
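Review bot: `add_header X-Frame-Options SAMEORIGIN;` appears twice in this hunk (once bare, once quoted), so every response carries the header twice; keep the quoted form and drop the other. `add_header X-XSS-Protection "1; mode=block";` targets a filter that current browsers have removed and that OWASP now recommends setting to `0` or omitting, so the line is at best inert. Also note that nginx inherits `add_header` directives into a `location` only when that location declares none of its own, so any site that later adds an `add_header` inside a location silently loses all of these unless it re-includes this file; a comment stating that caveat at the top would save the next maintainer a surprise.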

@ -0,0 +1,27 @@
ssl_certificate /etc/letsencrypt/live/enpls.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/enpls.org/privkey.pem;
# Session resumption
# http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_prefer_server_ciphers on;
# Better SSL
#Drop support for SSLv3. TLS v1.0 & v1.1 are deprecated since June 2018
ssl_protocols TLSv1.2 TLSv1.3;
# Best Cipher but no backwards compatibility for IE6/WinXP - https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS_AES_256_GCM_SHA384:TLS-AES-256-GCM-SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES$
# OSCP Stapling
# https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
resolver 8.8.8.8 8.8.4.4; #Yes I know they are Google DNS resolvers
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/enpls.org/cert.pem;
# HSTS for subdomains too
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
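Review bot: `ssl_trusted_certificate /etc/letsencrypt/live/enpls.org/cert.pem;` points at the leaf certificate, but with `ssl_stapling_verify on` nginx needs the issuer chain to validate the OCSP response; certbot writes that as `chain.pem` in the same directory, so the line should be `ssl_trusted_certificate /etc/letsencrypt/live/enpls.org/chain.pem;`, otherwise verification fails and no staple is sent. The `ssl_ciphers` line is cut off at `ECDHE-RSA-AES$` in this rendering and the header counts 27 lines where 21 are visible, so part of the file cannot be reviewed here; the `TLS13-…` and `TLS_…` entries at its head also do not select TLS 1.3 suites in nginx built on OpenSSL (those are set with `ssl_conf_command Ciphersuites …` on nginx 1.19.4+) and appear to be merely tolerated by the cipher-string parser. The `preload` token on the HSTS line commits every subdomain to HTTPS for a year once the domain is submitted to the preload list; confirm that is intended before it ships.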

@ -0,0 +1,14 @@
server {
server_name git.gnous.eu;
listen [::]:443 ssl http2;
listen 443 ssl http2;
#Importing best patrices
include includes/autoload.conf;
location / {
include includes/proxy_params.conf;
proxy_pass http://192.168.1.118;
client_max_body_size 100M;
}
}
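Review bot: `server_name git.gnous.eu;` does not match the file name sites-enabled/git.enpls.org.conf, and the certificate loaded through includes/ssl_params.conf is issued for enpls.org (`/etc/letsencrypt/live/enpls.org/fullchain.pem`), so unless that certificate also covers git.gnous.eu every client gets a name-mismatch error on this vhost; either the server_name or the certificate path looks wrong. `proxy_pass http://192.168.1.118;` sends traffic to the backend in cleartext, which is acceptable only if that segment is trusted, and a comment recording that assumption would help the next reader. The inline comment could also be corrected to `#Importing best practices`.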

@ -0,0 +1,8 @@
server {
#Default nginx config
listen 80 default_server;
listen [::]:80;
#HTTPS redirection
return 301 https://$host$request_uri;
}
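Review bot: `listen [::]:80;` lacks the `default_server` flag that `listen 80 default_server;` on the line above carries, so the IPv4 and IPv6 defaults differ; if another server block later listens on port 80 over IPv6 it becomes the default for unmatched Host values there while IPv4 still lands here. `listen [::]:80 default_server;` keeps the two consistent. The redirect with `$host$request_uri` is otherwise the standard form.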

@ -0,0 +1,13 @@
server {
listen [::]:443 ssl http2 default_server;
listen 443 ssl http2 default_server;
#Importing best patrices
include includes/security.conf;
include includes/ssl_params.conf;
include includes/caching.conf;
location / {
return 302 https://enpls.org;
}
}
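Review bot: the three `include` lines in this server block repeat the body of includes/autoload.conf minus includes/error_pages.conf, so the two sites are configured through different paths and any future change to the shared set must be made twice; replacing them with `include includes/autoload.conf;` as git.enpls.org.conf does keeps one place to maintain. As the `default_server` for 443 this block also answers any SNI name pointed at the host with the enpls.org certificate, which is the intended catch-all behaviour but deserves a comment saying so. `return 302 https://enpls.org;` drops the requested path, presumably on purpose.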