bewho · July 10, 2018 07:22
diff --git a/domain.conf b/domain.conf
 upstream domain_com {
    server unix:/var/run/muay-domain.com-php-fpm.socket;
 }

 server {
 	listen *:80;
 	server_name domain.com www.domain.com;
 	include /etc/nginx/snippets/letsencrypt-acme-challenge.conf;

 	location / {
        return 301 https://$host$request_uri;
 	}
 }

 server {
 	listen *:443 ssl http2;
 	server_name domain.com www.domain.com;
 	root /home/vhost/domain.com/public_html/;
 	index index.php index.html;

 	charset utf-8;

 	include /etc/nginx/snippets/security.conf;
 	include /etc/nginx/snippets/ssl-params.conf;
 	ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
 	ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
 	ssl_trusted_certificate /etc/letsencrypt/live/domain.com/chain.pem;

 	include /etc/nginx/snippets/letsencrypt-acme-challenge.conf;

 	access_log /home/vhost/domain.com/logs/domain.com-access.log combined;
 	error_log /home/vhost/domain.com/logs/domain.com-error.log error;

 	location / {
    	try_files $uri $uri/ /index.php$is_args$args;
 	}

    # Collect php-fpm static for Netdata web monitor
 	location /status {
        fastcgi_pass domain_com;
    	fastcgi_param SCRIPT_FILENAME /status;
    	include fastcgi_params;

   		access_log off;
   		allow 127.0.0.1;
 		deny all;
 	}

 	location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
 	}

 	# Feed
 	location ~* \.(?:rss|atom)$ {
 		expires 1h;
 		add_header Cache-Control "public";
 	}

 	# Media: images, icons, video, audio, HTC
 	location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
 		expires 1M;
 		access_log off;
 		add_header Cache-Control "public";
 	}

 	# CSS and Javascript
 	location ~* \.(?:css|js)$ {
 		expires 1y;
 		access_log off;
 		add_header Cache-Control "public";
 	}

 	location ~ \.php$ {
 		include fastcgi_params;
 		include snippets/fastcgi-php.conf;
 		fastcgi_buffer_size  128k;
 		fastcgi_buffers  256 16k;
 		fastcgi_busy_buffers_size  256k;
 		fastcgi_temp_file_write_size  256k;
 		fastcgi_read_timeout 36000;
 		client_max_body_size 0;
 		fastcgi_pass domain_com;  #point to upstream
 	}
 }
diff --git a/letsencrypt-acme-challenge.conf b/letsencrypt-acme-challenge.conf
 #############################################################################
 # Configuration file for Let's Encrypt ACME Challenge location
 # This file is already included in listen_xxx.conf files.
 # Do NOT include it separately!
 #############################################################################
 #
 # This config enables to access /.well-known/acme-challenge/xxxxxxxxxxx
 # on all our sites (HTTP), including all subdomains.
 # This is required by ACME Challenge (webroot authentication).
 # You can check that this location is working by placing ping.txt here:
 # /var/www/letsencrypt/.well-known/acme-challenge/ping.txt
 # And pointing your browser to:
 # http://xxx.domain.tld/.well-known/acme-challenge/ping.txt
 #
 # Sources:
 # https://community.letsencrypt.org/t/howto-easy-cert-generation-and-renewal-with-nginx/3491
 #
 #############################################################################

 # Rule for legitimate ACME Challenge requests (like /.well-known/acme-challenge/xxxxxxxxx)
 # We use ^~ here, so that we don't check other regexes (for speed-up). We actually MUST cancel
 # other regex checks, because in our other config files have regex rule that denies access to files with dotted names.
 location ^~ /.well-known/acme-challenge/ {

    # Set correct content type. According to this:
    # https://community.letsencrypt.org/t/using-the-webroot-domain-verification-method/1445/29
    # Current specification requires "text/plain" or no content header at all.
    # It seems that "text/plain" is a safe option.
    default_type "text/plain";

    # This directory must be the same as in /etc/letsencrypt/cli.ini
    # as "webroot-path" parameter. Also don't forget to set "authenticator" parameter
    # there to "webroot".
    # Do NOT use alias, use root! Target directory is located here:
    # /var/www/common/letsencrypt/.well-known/acme-challenge/
    root /var/www/letsencrypt;
 }

 # Hide /acme-challenge subdirectory and return 404 on all requests.
 # It is somewhat more secure than letting Nginx return 403.
 # Ending slash is important!
 location = /.well-known/acme-challenge/ {
    return 404;
 }
diff --git a/nginx.conf b/nginx.conf
 user www-data www-data;
 worker_processes auto;
 worker_rlimit_nofile 100000;
 pid /var/run/nginx.pid;

 events {
 	worker_connections 65536;
 	multi_accept on;
 	use epoll;
 }

 http {

 	##
 	# Basic Settings
 	##
 	
 	server_tokens off;
 	sendfile on;
 	tcp_nopush on;
 	tcp_nodelay on;
 	keepalive_timeout 2 2;
 	keepalive_requests 100000;
 	types_hash_max_size 2048;

 	##
 	# Tune-up
 	##
 	fastcgi_buffers 256 16k; 
 	fastcgi_buffer_size 128k; 
 	fastcgi_connect_timeout 3s; 
 	fastcgi_send_timeout 120s; 
 	fastcgi_read_timeout 120s; 
 	fastcgi_busy_buffers_size 256k; 
 	fastcgi_temp_file_write_size 256k; 
 	reset_timedout_connection on; 
 	server_names_hash_bucket_size 100;
 	
 	client_body_buffer_size 1M;
 	client_max_body_size 50m;
 	client_header_buffer_size 1k;
 	client_body_timeout 10;
 	large_client_header_buffers 4 4k;
 	output_buffers 1 32k;
 	postpone_output 1460;

 	client_header_timeout 15;
 	send_timeout 5;

 	open_file_cache max=200000 inactive=20s;
 	open_file_cache_valid 30s;
 	open_file_cache_min_uses 2;
 	open_file_cache_errors on;

 	include /etc/nginx/mime.types;
 	default_type application/octet-stream;

 	##
 	# Logging Settings
 	##
 	
 	map $status $loggable {
        	~^[23]  0;
 		default 1;
 	} 

 	log_format compression '$remote_addr - $remote_user [$time_local] ' '"$request" $status $body_bytes_sent ' '"$http_referer" "$http_user_agent" "$gzip_ratio"';
 	access_log off;
 	error_log /var/log/nginx/error.log crit;

 	##
 	# Gzip Settings
 	##

 	gzip on;
 	gzip_disable "MSIE [1-6]\.";
 	gzip_min_length 10240;

 	gzip_vary on;
 	gzip_proxied expired no-cache no-store private auth;
 	gzip_comp_level 6;
 	gzip_buffers 16 8k;
 	gzip_http_version 1.1;
 	gzip_types application/x-javascript text/css application/javascript text/javascript text/plain text/xml application/json application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/xml font/eot font/opentype font/otf image/svg+xml image/vnd.microsoft.icon;


 	##
 	# Virtual Host Configs
 	##

 	include /etc/nginx/conf.d/*.conf;
 	include /etc/nginx/sites-enabled/*.conf;
 }
diff --git a/security.conf b/security.conf
 server_tokens  off;

 # prevent clickjacking attacks
 add_header  X-Frame-Options SAMEORIGIN;

 # disallow circumventing declared MIME types
 add_header  X-Content-Type-Options nosniff;

 # X-XSS-Protection
 add_header  X-XSS-Protection '1; mode=block';

 # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
 add_header  Strict-Transport-Security 'max-age=31536000; includeSubDomains;' always;

 # Content Security Policy
 # add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://ssl.google-analytics.com https://cdn.polyfill.io https://cdnjs.cloudflare.com; img-src 'self' https://ssl.google-analytics.com; style-src 'self'; font-src 'self'; frame-src 'self'; object-src 'none'";

 # CORS
 add_header  'Access-Control-Allow-Origin' '*';
 add_header  'Access-Control-Allow-Credentials' 'true';
 add_header  'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
 add_header  'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
diff --git a/ssl-params.conf b/ssl-params.conf
 # from https://cipherli.st/
 # and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
 # and https://mozilla.github.io/server-side-tls/ssl-config-generator/

 # intermediate configuration. tweak to your needs.
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
 ssl_prefer_server_ciphers on;
 ssl_session_cache shared:SSL:10m;
 ssl_session_tickets off;
 ssl_stapling on;
 ssl_stapling_verify on;
 resolver 8.8.8.8 8.8.4.4 valid=300s;
 resolver_timeout 5s;

 ssl_dhparam /etc/ssl/certs/dhparam.pem;
 ssl_ecdh_curve secp384r1;
	upstream domain_com {
	server unix:/var/run/muay-domain.com-php-fpm.socket;
	}

	server {
	listen *:80;
	server_name domain.com www.domain.com;
	include /etc/nginx/snippets/letsencrypt-acme-challenge.conf;

	location / {
	return 301 https://$host$request_uri;
	}
	}

	server {
	listen *:443 ssl http2;
	server_name domain.com www.domain.com;
	root /home/vhost/domain.com/public_html/;
	index index.php index.html;

	charset utf-8;

	include /etc/nginx/snippets/security.conf;
	include /etc/nginx/snippets/ssl-params.conf;
	ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
	ssl_trusted_certificate /etc/letsencrypt/live/domain.com/chain.pem;

	include /etc/nginx/snippets/letsencrypt-acme-challenge.conf;

	access_log /home/vhost/domain.com/logs/domain.com-access.log combined;
	error_log /home/vhost/domain.com/logs/domain.com-error.log error;

	location / {
	try_files $uri $uri/ /index.php$is_args$args;
	}

	# Collect php-fpm static for Netdata web monitor
	location /status {
	fastcgi_pass domain_com;
	fastcgi_param SCRIPT_FILENAME /status;
	include fastcgi_params;

	access_log off;
	allow 127.0.0.1;
	deny all;
	}

	location = /robots.txt {
	allow all;
	log_not_found off;
	access_log off;
	}

	# Feed
	location ~* \.(?:rss\|atom)$ {
	expires 1h;
	add_header Cache-Control "public";
	}

	# Media: images, icons, video, audio, HTC
	location ~* \.(?:jpg\|jpeg\|gif\|png\|ico\|cur\|gz\|svg\|svgz\|mp4\|ogg\|ogv\|webm\|htc)$ {
	expires 1M;
	access_log off;
	add_header Cache-Control "public";
	}

	# CSS and Javascript
	location ~* \.(?:css\|js)$ {
	expires 1y;
	access_log off;
	add_header Cache-Control "public";
	}

	location ~ \.php$ {
	include fastcgi_params;
	include snippets/fastcgi-php.conf;
	fastcgi_buffer_size 128k;
	fastcgi_buffers 256 16k;
	fastcgi_busy_buffers_size 256k;
	fastcgi_temp_file_write_size 256k;
	fastcgi_read_timeout 36000;
	client_max_body_size 0;
	fastcgi_pass domain_com; #point to upstream
	}
	}
	#############################################################################
	# Configuration file for Let's Encrypt ACME Challenge location
	# This file is already included in listen_xxx.conf files.
	# Do NOT include it separately!
	#############################################################################
	#
	# This config enables to access /.well-known/acme-challenge/xxxxxxxxxxx
	# on all our sites (HTTP), including all subdomains.
	# This is required by ACME Challenge (webroot authentication).
	# You can check that this location is working by placing ping.txt here:
	# /var/www/letsencrypt/.well-known/acme-challenge/ping.txt
	# And pointing your browser to:
	# http://xxx.domain.tld/.well-known/acme-challenge/ping.txt
	#
	# Sources:
	# https://community.letsencrypt.org/t/howto-easy-cert-generation-and-renewal-with-nginx/3491
	#
	#############################################################################

	# Rule for legitimate ACME Challenge requests (like /.well-known/acme-challenge/xxxxxxxxx)
	# We use ^~ here, so that we don't check other regexes (for speed-up). We actually MUST cancel
	# other regex checks, because in our other config files have regex rule that denies access to files with dotted names.
	location ^~ /.well-known/acme-challenge/ {

	# Set correct content type. According to this:
	# https://community.letsencrypt.org/t/using-the-webroot-domain-verification-method/1445/29
	# Current specification requires "text/plain" or no content header at all.
	# It seems that "text/plain" is a safe option.
	default_type "text/plain";

	# This directory must be the same as in /etc/letsencrypt/cli.ini
	# as "webroot-path" parameter. Also don't forget to set "authenticator" parameter
	# there to "webroot".
	# Do NOT use alias, use root! Target directory is located here:
	# /var/www/common/letsencrypt/.well-known/acme-challenge/
	root /var/www/letsencrypt;
	}

	# Hide /acme-challenge subdirectory and return 404 on all requests.
	# It is somewhat more secure than letting Nginx return 403.
	# Ending slash is important!
	location = /.well-known/acme-challenge/ {
	return 404;
	}
	user www-data www-data;
	worker_processes auto;
	worker_rlimit_nofile 100000;
	pid /var/run/nginx.pid;

	events {
	worker_connections 65536;
	multi_accept on;
	use epoll;
	}

	http {

	##
	# Basic Settings
	##

	server_tokens off;
	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 2 2;
	keepalive_requests 100000;
	types_hash_max_size 2048;

	##
	# Tune-up
	##
	fastcgi_buffers 256 16k;
	fastcgi_buffer_size 128k;
	fastcgi_connect_timeout 3s;
	fastcgi_send_timeout 120s;
	fastcgi_read_timeout 120s;
	fastcgi_busy_buffers_size 256k;
	fastcgi_temp_file_write_size 256k;
	reset_timedout_connection on;
	server_names_hash_bucket_size 100;

	client_body_buffer_size 1M;
	client_max_body_size 50m;
	client_header_buffer_size 1k;
	client_body_timeout 10;
	large_client_header_buffers 4 4k;
	output_buffers 1 32k;
	postpone_output 1460;

	client_header_timeout 15;
	send_timeout 5;

	open_file_cache max=200000 inactive=20s;
	open_file_cache_valid 30s;
	open_file_cache_min_uses 2;
	open_file_cache_errors on;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# Logging Settings
	##

	map $status $loggable {
	~^[23] 0;
	default 1;
	}

	log_format compression '$remote_addr - $remote_user [$time_local] ' '"$request" $status $body_bytes_sent ' '"$http_referer" "$http_user_agent" "$gzip_ratio"';
	access_log off;
	error_log /var/log/nginx/error.log crit;

	##
	# Gzip Settings
	##

	gzip on;
	gzip_disable "MSIE [1-6]\.";
	gzip_min_length 10240;

	gzip_vary on;
	gzip_proxied expired no-cache no-store private auth;
	gzip_comp_level 6;
	gzip_buffers 16 8k;
	gzip_http_version 1.1;
	gzip_types application/x-javascript text/css application/javascript text/javascript text/plain text/xml application/json application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/xml font/eot font/opentype font/otf image/svg+xml image/vnd.microsoft.icon;


	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*.conf;
	}
	server_tokens off;

	# prevent clickjacking attacks
	add_header X-Frame-Options SAMEORIGIN;

	# disallow circumventing declared MIME types
	add_header X-Content-Type-Options nosniff;

	# X-XSS-Protection
	add_header X-XSS-Protection '1; mode=block';

	# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
	add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains;' always;

	# Content Security Policy
	# add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://ssl.google-analytics.com https://cdn.polyfill.io https://cdnjs.cloudflare.com; img-src 'self' https://ssl.google-analytics.com; style-src 'self'; font-src 'self'; frame-src 'self'; object-src 'none'";

	# CORS
	add_header 'Access-Control-Allow-Origin' '*';
	add_header 'Access-Control-Allow-Credentials' 'true';
	add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
	add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
	# from https://cipherli.st/
	# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
	# and https://mozilla.github.io/server-side-tls/ssl-config-generator/

	# intermediate configuration. tweak to your needs.
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
	ssl_prefer_server_ciphers on;
	ssl_session_cache shared:SSL:10m;
	ssl_session_tickets off;
	ssl_stapling on;
	ssl_stapling_verify on;
	resolver 8.8.8.8 8.8.4.4 valid=300s;
	resolver_timeout 5s;

	ssl_dhparam /etc/ssl/certs/dhparam.pem;
	ssl_ecdh_curve secp384r1;