ashwoods · August 31, 2016 17:53
diff --git a/cache.conf b/cache.conf
 location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
  expires 1M;
  access_log off;
  add_header Cache-Control "public";
 }

 # CSS and Javascript
 location ~* \.(?:css|js)$ {
  expires 1y;
  access_log off;
  add_header Cache-Control "public";
 }
diff --git a/example.conf b/example.conf
 # under sites-available and symlinked to sites-enabled

 upstream example {
  server unix:///tmp/example.sock;
 }

 server {
       	listen 80;
       	listen [::]:80;
       	server_name example.com;
       	return 301 https://$host$request_uri;
       	client_max_body_size 100M;
       	add_header Strict-Transport-Security "max-age=10886400; includeSubDomains; preload";

 }

 server {

  listen *:443 ssl default deferred http2;
  server_name  example.com;

  ssl_certificate      /etc/letsencrypt/live/example.com/fullchain.pem;
  ssl_certificate_key  /etc/letsencrypt/live/example.com/privkey.pem;


  error_log /var/log/demo-error.log warn;
  access_log /var/log/demo-access.log;

  autoindex off;

  client_max_body_size 100M;
  
  # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
  add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";

  # OCSP Stapling ---
  # fetch OCSP records from URL in ssl_certificate and cache them
  ssl_stapling on;
  ssl_stapling_verify on;

  ## verify chain of trust of OCSP response using Root CA and Intermediate certs
  ssl_trusted_certificate /etc/ssl/private/ocsp-chain.crt;
  resolver 8.8.8.8 8.8.4.4 valid=300s;
  resolver_timeout 10s;


  location / {
    proxy_read_timeout 120;
    uwsgi_pass  demo;
    include uwsgi_params;
    uwsgi_param UWSGI_SCHEME https;
    uwsgi_param Host $host;
    uwsgi_param X-Real-IP $remote_addr;
    uwsgi_param X-Forwarded-For $proxy_add_x_forwarded_for;
    uwsgi_param X-Forwarded-Proto $http_x_forwarded_proto;
 }

  location /static {
       	alias /opt/emperor/example.com/site-static;
  }

  location /media {
       	alias /opt/emperor/example.com/media;
  }
 }
diff --git a/nginx.conf b/nginx.conf
 user www-data;
 worker_processes 4;
 pid /run/nginx.pid;

 events {
       	worker_connections 768;
       	# multi_accept on;
 }

 http {

       	##
       	# Basic Settings
       	##

       	sendfile on;
       	tcp_nopush on;
       	tcp_nodelay on;
       	keepalive_timeout 65;
       	types_hash_max_size 2048;
       	server_tokens off;

       	# server_names_hash_bucket_size 64;
       	# server_name_in_redirect off;

       	include /etc/nginx/mime.types;
       	default_type application/octet-stream;

       	# config to don't allow the browser to render the page inside an frame or iframe
        # and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
        # if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
        # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
        add_header X-Frame-Options SAMEORIGIN;

        # This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
        # It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
        # this particular website if it was disabled by the user.
        # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
        add_header X-XSS-Protection "1; mode=block";

       	##
       	# SSL Settings
       	##

       	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
       	ssl_prefer_server_ciphers on;

       	ssl_session_timeout 1d;
       	ssl_session_cache shared:SSL:50m;

       	# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
       	ssl_dhparam /etc/ssl/private/dhparam.pem;

        # check mozilla configurator for the ciphers you need to support
       	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

       	##
       	# Logging Settings
       	##

       	access_log /var/log/nginx/access.log;
       	error_log /var/log/nginx/error.log;

       	##
       	# Gzip Settings
       	##

       	gzip on;
       	gzip_disable "msie6";

        
       	# gzip_vary on;
       	# gzip_proxied any;
       	# gzip_comp_level 6;
       	# gzip_buffers 16 8k;
       	# gzip_http_version 1.1;
       	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Cache
        ##
        
        include /etc/nginx/cache.conf
        
       	##
       	# Virtual Host Configs
       	##

       	include /etc/nginx/conf.d/*.conf;
       	include /etc/nginx/sites-enabled/*;
 }
	location ~* \.(?:jpg\|jpeg\|gif\|png\|ico\|cur\|gz\|svg\|svgz\|mp4\|ogg\|ogv\|webm\|htc)$ {
	expires 1M;
	access_log off;
	add_header Cache-Control "public";
	}

	# CSS and Javascript
	location ~* \.(?:css\|js)$ {
	expires 1y;
	access_log off;
	add_header Cache-Control "public";
	}
	# under sites-available and symlinked to sites-enabled

	upstream example {
	server unix:///tmp/example.sock;
	}

	server {
	listen 80;
	listen [::]:80;
	server_name example.com;
	return 301 https://$host$request_uri;
	client_max_body_size 100M;
	add_header Strict-Transport-Security "max-age=10886400; includeSubDomains; preload";

	}

	server {

	listen *:443 ssl default deferred http2;
	server_name example.com;

	ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;


	error_log /var/log/demo-error.log warn;
	access_log /var/log/demo-access.log;

	autoindex off;

	client_max_body_size 100M;

	# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
	add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";

	# OCSP Stapling ---
	# fetch OCSP records from URL in ssl_certificate and cache them
	ssl_stapling on;
	ssl_stapling_verify on;

	## verify chain of trust of OCSP response using Root CA and Intermediate certs
	ssl_trusted_certificate /etc/ssl/private/ocsp-chain.crt;
	resolver 8.8.8.8 8.8.4.4 valid=300s;
	resolver_timeout 10s;


	location / {
	proxy_read_timeout 120;
	uwsgi_pass demo;
	include uwsgi_params;
	uwsgi_param UWSGI_SCHEME https;
	uwsgi_param Host $host;
	uwsgi_param X-Real-IP $remote_addr;
	uwsgi_param X-Forwarded-For $proxy_add_x_forwarded_for;
	uwsgi_param X-Forwarded-Proto $http_x_forwarded_proto;
	}

	location /static {
	alias /opt/emperor/example.com/site-static;
	}

	location /media {
	alias /opt/emperor/example.com/media;
	}
	}
	user www-data;
	worker_processes 4;
	pid /run/nginx.pid;

	events {
	worker_connections 768;
	# multi_accept on;
	}

	http {

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 65;
	types_hash_max_size 2048;
	server_tokens off;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	# config to don't allow the browser to render the page inside an frame or iframe
	# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
	# if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
	# https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
	add_header X-Frame-Options SAMEORIGIN;

	# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
	# It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
	# this particular website if it was disabled by the user.
	# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
	add_header X-XSS-Protection "1; mode=block";

	##
	# SSL Settings
	##

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
	ssl_prefer_server_ciphers on;

	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:50m;

	# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
	ssl_dhparam /etc/ssl/private/dhparam.pem;

	# check mozilla configurator for the ciphers you need to support
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

	##
	# Logging Settings
	##

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	##
	# Gzip Settings
	##

	gzip on;
	gzip_disable "msie6";


	# gzip_vary on;
	# gzip_proxied any;
	# gzip_comp_level 6;
	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

	##
	# Cache
	##

	include /etc/nginx/cache.conf

	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
	}