Last active
March 1, 2025 21:28
-
-
Save amanjuman/8ee772b38bc1a14cecf30546d0e53b73 to your computer and use it in GitHub Desktop.
Nginx Config For A+ Security
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## Once Click Setup | |
| ## sudo openssl dhparam -dsaparam -out /etc/ssl/dhparam.pem 2048 | |
| ## wget -q https://gist.githubusercontent.com/amanjuman/8ee772b38bc1a14cecf30546d0e53b73/raw/6be4bf4547398580224cf30099c4ce844ccc7dce/nginx.conf -O /etc/nginx/nginx.conf | |
| user www-data; | |
| worker_processes auto; | |
| pid /run/nginx.pid; | |
| include /etc/nginx/modules-enabled/*.conf; | |
| events | |
| { | |
| multi_accept on; | |
| accept_mutex on; | |
| use epoll; | |
| worker_connections 1024; | |
| } | |
| http | |
| { | |
| ## | |
| # Basic Settings | |
| ## | |
| sendfile on; | |
| tcp_nopush on; | |
| tcp_nodelay on; | |
| keepalive_timeout 8; | |
| reset_timedout_connection on; | |
| types_hash_max_size 2048; | |
| server_tokens off; | |
| # server_names_hash_bucket_size 64; | |
| # server_name_in_redirect off; | |
| client_body_buffer_size 10M; | |
| client_header_buffer_size 10M; | |
| client_max_body_size 100M; | |
| large_client_header_buffers 8 64k; | |
| include /etc/nginx/mime.types; | |
| default_type application/octet-stream; | |
| ## | |
| # PHP UpStream | |
| ## | |
| upstream php | |
| { | |
| least_conn; | |
| server unix:/var/run/php/php7.4-fpm.sock; | |
| keepalive 5; | |
| } | |
| ## | |
| # Cache Settings | |
| ## | |
| fastcgi_cache_key "$scheme$request_method$host$request_uri"; | |
| fastcgi_read_timeout 300; | |
| add_header Fastcgi-Cache $upstream_cache_status; | |
| ## | |
| # limits | |
| ## | |
| limit_req_status 403; | |
| limit_req_log_level warn; | |
| limit_req_zone $binary_remote_addr zone=api:10m rate=5r/s; | |
| limit_req_zone $binary_remote_addr zone=general:10m rate=20r/s; | |
| ## | |
| # SSL Settings | |
| ## | |
| ssl_protocols TLSv1.2 TLSv1.3; | |
| ssl_prefer_server_ciphers on; | |
| ssl_ciphers 'TLS13+AESGCM+AES256:TLS13+AESGCM+AES128:TLS13+CHACHA20:EECDH+AESGCM:EECDH+CHACHA20'; | |
| ssl_ecdh_curve X25519:P-521:P-384:P-256; | |
| ssl_dhparam /etc/ssl/dhparam.pem; | |
| ## | |
| # Optimize session cache | |
| ## | |
| ssl_session_timeout 1d; | |
| ssl_session_cache shared:SSL:50m; | |
| ## | |
| # Enable 0-RTT support for TLS 1.3 | |
| ## | |
| ssl_early_data on; | |
| proxy_set_header Early-Data $ssl_early_data; | |
| ## | |
| # Disable session tickets | |
| ## | |
| ssl_session_tickets off; | |
| ## | |
| # OSCP Stapling | |
| ## | |
| ssl_stapling on; | |
| ssl_stapling_verify on; | |
| resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; | |
| resolver_timeout 10; | |
| ## | |
| # Security Headers | |
| ## | |
| add_header X-Frame-Options "SAMEORIGIN" always; | |
| add_header X-Content-Type-Options "nosniff" always; | |
| add_header X-XSS-Protection "1; mode=block" always; | |
| add_header Referrer-Policy "no-referrer-when-downgrade" always; | |
| add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; | |
| add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-ancestors 'none';" always; | |
| ## | |
| # Log File Location | |
| ## | |
| access_log off; | |
| error_log /var/log/nginx/error.log warn; | |
| ## | |
| # Log format Settings | |
| ## | |
| log_format '$remote_addr - $remote_user [$time_local] "$request" ' | |
| '$status $body_bytes_sent "$http_referer" ' | |
| '"$http_user_agent" "$http_x_forwarded_for"'; | |
| ## | |
| # Gzip Settings | |
| ## | |
| gzip on; | |
| gzip_disable "msie6"; | |
| gzip_vary on; | |
| gzip_proxied any; | |
| gzip_comp_level 6; | |
| gzip_buffers 16 8k; | |
| gzip_http_version 1.1; | |
| gzip_min_length 250; | |
| gzip_types application/atom+xml application/geo+json application/javascript application/json application/ld+json application/manifest+json application/rdf+xml application/rss+xml application/vnd.ms-fontobject application/wasm application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/x-web-app-manifest+json application/xhtml+xml application/xml application/xml+rss font/eot font/opentype font/otf image/bmp image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/cache-manifest text/calendar text/css text/javascript text/markdown text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy text/xml; | |
| ## | |
| # Virtual Host Configs | |
| ## | |
| include /etc/nginx/conf.d/*.conf; | |
| include /etc/nginx/sites-enabled/*; | |
| ## | |
| # Visitor IP from AWS ELB/ CloudFront / Google Cloud LB / CloudFlare | |
| ## | |
| #real_ip_header CF-Connecting-IP; | |
| real_ip_header X-Forwarded-For; | |
| set_real_ip_from 0.0.0.0/0; | |
| set_real_ip_from 103.21.244.0/22; | |
| set_real_ip_from 103.22.200.0/22; | |
| set_real_ip_from 103.31.4.0/22; | |
| set_real_ip_from 104.16.0.0/13; | |
| set_real_ip_from 104.24.0.0/14; | |
| set_real_ip_from 108.162.192.0/18; | |
| set_real_ip_from 131.0.72.0/22; | |
| set_real_ip_from 141.101.64.0/18; | |
| set_real_ip_from 162.158.0.0/15; | |
| set_real_ip_from 172.64.0.0/13; | |
| set_real_ip_from 173.245.48.0/20; | |
| set_real_ip_from 188.114.96.0/20; | |
| set_real_ip_from 190.93.240.0/20; | |
| set_real_ip_from 197.234.240.0/22; | |
| set_real_ip_from 198.41.128.0/17; | |
| set_real_ip_from 199.27.128.0/21; | |
| set_real_ip_from 2400:cb00::/32; | |
| set_real_ip_from 2606:4700::/32; | |
| set_real_ip_from 2803:f800::/32; | |
| set_real_ip_from 2405:b500::/32; | |
| set_real_ip_from 2405:8100::/32; | |
| set_real_ip_from 2c0f:f248::/32; | |
| set_real_ip_from 2a06:98c0::/29; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment