MatthewVance · April 10, 2018 02:51
diff --git a/nginx.conf b/nginx.conf
 user www-data;
 worker_processes 2;
 pid /var/run/nginx.pid;

 events {
  worker_connections 1024;
  # multi_accept on;
 }

 http {

  ##
  # Basic Settings
  ##

  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;
  types_hash_max_size 2048;

  # Limit the maximum size of an uploaded file
  # Sets the maximum allowed size of the client request body,
  # specified in the Content-Length request header field.
  # If the size in a request exceeds the configured value,
  # the 413 (Request Entity Too Large) error is returned to the client.
  # Please be aware that browsers cannot correctly display this error.
  #
  client_max_body_size 4096k;

  # server_names_hash_bucket_size 64;
  # server_name_in_redirect off;

  include /etc/nginx/mime.types;
  default_type application/octet-stream;

  ##
  # Logging Settings
  ##

  access_log /var/log/nginx/access.log;
  error_log /var/log/nginx/error.log;

  log_format matt_custom '$ssl_protocol $ssl_cipher $request';  

  ##
  # Gzip Settings
  ##

  gzip on;
  gzip_disable "msie6";
  gzip_min_length 1100;
  gzip_vary on;
  gzip_proxied any;
  gzip_buffers 16 8k;
  gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg-xml applications/vnd.ms-fontobject;
  # gzip_comp_level 6;
  # gzip_http_version 1.1;

  ##
  # Security settings
  ##

  # Make sites less vulnerable to distributed denial of service attacks (DDOS)
  # These settings will limit the amount of resources Nginx spends responding
  # to slow requests, so that it's considerably more difficult for an attacker
  # to tie up the server's resources.
  #
  #
  # Hold a keep-alive connection for no more than 10 seconds and
  # suggest the client to close its connection after 10 seconds
  #
  keepalive_timeout 10 10;

  # Set the max time Nginx will wait for the client to specify a request header
  # If a client does not transmit the entire header within this time,
  # the 408 (Request Time-out) error is returned to the client.
  #
  client_header_timeout 10;

  # If a client does not transmit anything within this time,
  # the 408 (Request Time-out) error is returned to the client.
  #
  client_body_timeout 10;

  # send_timeout tells Nginx to close its connection to a client
  # if that client takes too long between successive requests.
  # Sets a timeout for transmitting a response to the client.
  # The timeout is set only between two successive write operations,
  # not for the transmission of the whole response.
  # If the client does not receive anything within this time,
  # the connection is closed.
  #
  send_timeout 10;

  #Don't send the nginx version number in error pages and server header
  #
  server_tokens off;

  # DENY: This setting will prevent a page displaying in a frame or iframe.
  # This also helps avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
  #
  # The X-Frame-Options in HTTP response header can be used to indicate
  # whether or not a browser should be allowed to open a page in a
  # frame or iframe.
  #
  # If you need to allow [i]frames, you can use SAMEORIGIN or
  # even set an uri with ALLOW-FROM uri
  #
  # For additional CORS DENY, ALLOW, SAMEORIGIN, etc. options
  # see: http://enable-cors.org/
  #
  # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
  #
  add_header X-Frame-Options DENY always;

  # Reduce exposure to drive-by download attacks and sites serving user uploaded content
  # that, by clever naming, could be treated by MSIE as executable or dynamic
  # HTML files.
  # This is accomplished by preventing browsers (which support this) from
  # MIME-sniffing a response away from the declared content-type.
  # This also applies to Google Chrome, when downloading extensions.
  # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
  #
  add_header X-Content-Type-Options nosniff always;

  # This header enables the Cross-site scripting (XSS) filter
  # built into most recent web browsers.
  # It's usually enabled by default anyway, so the role of this header is to re-enable
  # the filter for this particular website if it was disabled by the user.
  # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
  #
  add_header X-XSS-Protection "1; mode=block" always;

   ###Consider adding support for Content Security Policy (CSP)
   # https://www.owasp.org/index.php/Content_Security_Policy
   # http://www.html5rocks.com/en/tutorials/security/content-security-policy/
   # https://www.owasp.org/index.php/List_of_useful_HTTP_headers

  ##
  # SSL Config, not specific to a single VirtualHost (global)
  ##

  include /etc/nginx/tls.conf;

  ##
  # Virtual Host Configs
  ##

  include /etc/nginx/conf.d/*.conf;
  include /etc/nginx/sites-enabled/*;
 }
diff --git a/tls.conf b/tls.conf
 # Session Resumption
 # Improves https performance
 #
 ssl_session_timeout 10m;
 ssl_session_cache shared:SSL:10m;
 ssl_session_tickets off;

 #Tell nginx to use stronger Ephemeral Diffie-Hellman (DHE) parameter
 # Generated via: sudo openssl dhparam 4096 -out /etc/nginx/tls/dhparam.pem
 #
 ssl_dhparam /etc/nginx/tls/dhparam.pem;

 # Set to strongest curve supported in your version of openssl
 # Run: openssl ecparam -list_curves to see what's supported
 # Ideally, OpenSSL will eventually support safe curve as defined at
 # http://safecurves.cr.yp.to/
 #
 ssl_ecdh_curve secp521r1;

 # only support TLS 1.2,
 ssl_protocols TLSv1.2;

 # Only support modern ciphers. - https://mozilla.github.io/server-side-tls/ssl-config-generator/
 ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';

 # Prefer server ciphers over client ciphers
 ssl_prefer_server_ciphers on;
diff --git a/VirtualHost Conf b/VirtualHost Conf
 # Credits and major sources of help for this config
 # http://arstechnica.com/series/web-served/
 # https://gist.github.com/plentz/6737338
 # https://gist.github.com/kennwhite/25183c3f05266ee0ad7f
 # http://blog.rlove.org/2013/12/strong-ssl-crypto.html
 # http://blog.rlove.org/2014/04/the-end-of-life-of-windows-xp-and.html

 ##
 # Default server configuration
 ##    
    
 # Default server configuration should only need to be defined once
 # So might as well do it in this one

 # This default server config blocks IP-based requests
 #
 server {
     listen 80 default_server;
     return 444;
     }

 ##
 # Virtual Host configuration for example.com
 ##    

 server {
     #
     # The ssl parameter (0.7.14) allows specifying that all connections
     # accepted on this port should work in SSL mode.
     # This allows for a more compact configuration for the server that handles
     # both HTTP and HTTPS requests.
     # http://www.techrepublic.com/article/take-advantage-of-tcp-ip-options-to-optimize-data-transmission/
     #
     listen 443 ssl default deferred;
     server_name www.example.com;

     root /var/www/example.com;
     index index.html;
    
     # Certificate and key file paths
     #
     ssl_certificate          /etc/nginx/ssl/www.example.com.chained.crt;
     ssl_certificate_key      /etc/nginx/ssl/www.example.com.key;
         
     # Enable OCSP stapling (req. nginx v 1.3.7+)
     # Mechanism by which a site can convey certificate revocation information
     # to visitors in a privacy-preserving, scalable manner
     # https://raymii.org/s/tutorials/OCSP_Stapling_on_nginx.html
     # http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
     #
     ssl_stapling on;
     ssl_stapling_verify on;
     resolver 8.8.4.4 8.8.8.8 valid=300s;
     resolver_timeout 10s;
     ssl_trusted_certificate /etc/nginx/ssl/www.example.com.chained.crt;

     # Enable HSTS (HTTP Strict Transport Security) to avoid ssl stripping
     # https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
     # https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
     #
     add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

     location / {
          try_files $uri $uri/ =404;
          allow 192.168.1.0/24;
          allow 127.0.0.1;
          deny all;
     }

     #Prevent Nginx from serving files starting with a dot
     #Do not log attempts to access such files
     location ~ /\. {
          access_log off;
          log_not_found off;
          deny all;
     }

     #Prevent Nginx from serving files starting with a dollar-sign
     #Do not log attempts to access such files
     location ~ ~$ {
          access_log off;
          log_not_found off;
          deny all;
     }

     location ~ \.php$ {
          try_files $uri = 404;
          allow 192.168.1.0/24;
          allow 127.0.0.1;
          deny all;
          include fastcgi_params;
          fastcgi_pass php5-fpm-sock;
          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
          fastcgi_intercept_errors on;
          fastcgi_param HTTPS on;
     }
 }

 # redirect all http traffic to https
 server {
     listen 80;
     server_name www.example.com;
     return 301 https://$host$request_uri;
 }
	user www-data;
	worker_processes 2;
	pid /var/run/nginx.pid;

	events {
	worker_connections 1024;
	# multi_accept on;
	}

	http {

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	types_hash_max_size 2048;

	# Limit the maximum size of an uploaded file
	# Sets the maximum allowed size of the client request body,
	# specified in the Content-Length request header field.
	# If the size in a request exceeds the configured value,
	# the 413 (Request Entity Too Large) error is returned to the client.
	# Please be aware that browsers cannot correctly display this error.
	#
	client_max_body_size 4096k;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# Logging Settings
	##

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	log_format matt_custom '$ssl_protocol $ssl_cipher $request';

	##
	# Gzip Settings
	##

	gzip on;
	gzip_disable "msie6";
	gzip_min_length 1100;
	gzip_vary on;
	gzip_proxied any;
	gzip_buffers 16 8k;
	gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg-xml applications/vnd.ms-fontobject;
	# gzip_comp_level 6;
	# gzip_http_version 1.1;

	##
	# Security settings
	##

	# Make sites less vulnerable to distributed denial of service attacks (DDOS)
	# These settings will limit the amount of resources Nginx spends responding
	# to slow requests, so that it's considerably more difficult for an attacker
	# to tie up the server's resources.
	#
	#
	# Hold a keep-alive connection for no more than 10 seconds and
	# suggest the client to close its connection after 10 seconds
	#
	keepalive_timeout 10 10;

	# Set the max time Nginx will wait for the client to specify a request header
	# If a client does not transmit the entire header within this time,
	# the 408 (Request Time-out) error is returned to the client.
	#
	client_header_timeout 10;

	# If a client does not transmit anything within this time,
	# the 408 (Request Time-out) error is returned to the client.
	#
	client_body_timeout 10;

	# send_timeout tells Nginx to close its connection to a client
	# if that client takes too long between successive requests.
	# Sets a timeout for transmitting a response to the client.
	# The timeout is set only between two successive write operations,
	# not for the transmission of the whole response.
	# If the client does not receive anything within this time,
	# the connection is closed.
	#
	send_timeout 10;

	#Don't send the nginx version number in error pages and server header
	#
	server_tokens off;

	# DENY: This setting will prevent a page displaying in a frame or iframe.
	# This also helps avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
	#
	# The X-Frame-Options in HTTP response header can be used to indicate
	# whether or not a browser should be allowed to open a page in a
	# frame or iframe.
	#
	# If you need to allow [i]frames, you can use SAMEORIGIN or
	# even set an uri with ALLOW-FROM uri
	#
	# For additional CORS DENY, ALLOW, SAMEORIGIN, etc. options
	# see: http://enable-cors.org/
	#
	# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
	#
	add_header X-Frame-Options DENY always;

	# Reduce exposure to drive-by download attacks and sites serving user uploaded content
	# that, by clever naming, could be treated by MSIE as executable or dynamic
	# HTML files.
	# This is accomplished by preventing browsers (which support this) from
	# MIME-sniffing a response away from the declared content-type.
	# This also applies to Google Chrome, when downloading extensions.
	# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
	#
	add_header X-Content-Type-Options nosniff always;

	# This header enables the Cross-site scripting (XSS) filter
	# built into most recent web browsers.
	# It's usually enabled by default anyway, so the role of this header is to re-enable
	# the filter for this particular website if it was disabled by the user.
	# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
	#
	add_header X-XSS-Protection "1; mode=block" always;

	###Consider adding support for Content Security Policy (CSP)
	# https://www.owasp.org/index.php/Content_Security_Policy
	# http://www.html5rocks.com/en/tutorials/security/content-security-policy/
	# https://www.owasp.org/index.php/List_of_useful_HTTP_headers

	##
	# SSL Config, not specific to a single VirtualHost (global)
	##

	include /etc/nginx/tls.conf;

	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
	}
	# Session Resumption
	# Improves https performance
	#
	ssl_session_timeout 10m;
	ssl_session_cache shared:SSL:10m;
	ssl_session_tickets off;

	#Tell nginx to use stronger Ephemeral Diffie-Hellman (DHE) parameter
	# Generated via: sudo openssl dhparam 4096 -out /etc/nginx/tls/dhparam.pem
	#
	ssl_dhparam /etc/nginx/tls/dhparam.pem;

	# Set to strongest curve supported in your version of openssl
	# Run: openssl ecparam -list_curves to see what's supported
	# Ideally, OpenSSL will eventually support safe curve as defined at
	# http://safecurves.cr.yp.to/
	#
	ssl_ecdh_curve secp521r1;

	# only support TLS 1.2,
	ssl_protocols TLSv1.2;

	# Only support modern ciphers. - https://mozilla.github.io/server-side-tls/ssl-config-generator/
	ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';

	# Prefer server ciphers over client ciphers
	ssl_prefer_server_ciphers on;
	# Credits and major sources of help for this config
	# http://arstechnica.com/series/web-served/
	# https://gist.github.com/plentz/6737338
	# https://gist.github.com/kennwhite/25183c3f05266ee0ad7f
	# http://blog.rlove.org/2013/12/strong-ssl-crypto.html
	# http://blog.rlove.org/2014/04/the-end-of-life-of-windows-xp-and.html

	##
	# Default server configuration
	##

	# Default server configuration should only need to be defined once
	# So might as well do it in this one

	# This default server config blocks IP-based requests
	#
	server {
	listen 80 default_server;
	return 444;
	}

	##
	# Virtual Host configuration for example.com
	##

	server {
	#
	# The ssl parameter (0.7.14) allows specifying that all connections
	# accepted on this port should work in SSL mode.
	# This allows for a more compact configuration for the server that handles
	# both HTTP and HTTPS requests.
	# http://www.techrepublic.com/article/take-advantage-of-tcp-ip-options-to-optimize-data-transmission/
	#
	listen 443 ssl default deferred;
	server_name www.example.com;

	root /var/www/example.com;
	index index.html;

	# Certificate and key file paths
	#
	ssl_certificate /etc/nginx/ssl/www.example.com.chained.crt;
	ssl_certificate_key /etc/nginx/ssl/www.example.com.key;

	# Enable OCSP stapling (req. nginx v 1.3.7+)
	# Mechanism by which a site can convey certificate revocation information
	# to visitors in a privacy-preserving, scalable manner
	# https://raymii.org/s/tutorials/OCSP_Stapling_on_nginx.html
	# http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
	#
	ssl_stapling on;
	ssl_stapling_verify on;
	resolver 8.8.4.4 8.8.8.8 valid=300s;
	resolver_timeout 10s;
	ssl_trusted_certificate /etc/nginx/ssl/www.example.com.chained.crt;

	# Enable HSTS (HTTP Strict Transport Security) to avoid ssl stripping
	# https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
	# https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
	#
	add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

	location / {
	try_files $uri $uri/ =404;
	allow 192.168.1.0/24;
	allow 127.0.0.1;
	deny all;
	}

	#Prevent Nginx from serving files starting with a dot
	#Do not log attempts to access such files
	location ~ /\. {
	access_log off;
	log_not_found off;
	deny all;
	}

	#Prevent Nginx from serving files starting with a dollar-sign
	#Do not log attempts to access such files
	location ~ ~$ {
	access_log off;
	log_not_found off;
	deny all;
	}

	location ~ \.php$ {
	try_files $uri = 404;
	allow 192.168.1.0/24;
	allow 127.0.0.1;
	deny all;
	include fastcgi_params;
	fastcgi_pass php5-fpm-sock;
	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	fastcgi_intercept_errors on;
	fastcgi_param HTTPS on;
	}
	}

	# redirect all http traffic to https
	server {
	listen 80;
	server_name www.example.com;
	return 301 https://$host$request_uri;
	}