Nginx config file with SSL/TLS, security, speed and Cloudflare optimisations. (Work in progress)
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
# ---- main (core) context ----------------------------------------------------
# Account the worker processes run as. Keep it unprivileged; only the master
# process needs root (to bind :80/:443 and read the private key).
user nginx;
# "auto" sizes the worker pool to the CPUs nginx detects at startup.
worker_processes auto;
# Error log at nginx's default severity (no explicit level given).
error_log /var/log/nginx/error.log;
# PID file used by the service manager and by `nginx -s <signal>`.
pid /run/nginx.pid;

events {
    # Per-worker cap on simultaneous connections (clients and any upstreams
    # together); overall capacity is roughly this value times the worker count.
    worker_connections 1024;
}
http { | |
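# Access-log format for a Cloudflare-fronted origin.
#
# Log $remote_addr, NOT the raw $http_cf_connecting_ip header. The realip
# directives further down rewrite $remote_addr from CF-Connecting-IP only when
# the TCP peer is one of the listed Cloudflare ranges; the raw header is
# whatever the client chose to send. With the raw header, any client that can
# reach the origin directly can write an arbitrary "client IP" into the log
# (log poisoning / attribution spoofing). $http_cf_ray is kept for correlating
# with Cloudflare's own logs; it is client-supplied too, so treat it as a hint.
log_format cf_custom '$remote_addr - $remote_user [$time_local] '
                     '"$request" $status $body_bytes_sent '
                     '"$http_referer" "$http_user_agent" '
                     '$http_cf_ray';
access_log /var/log/nginx/access.log cf_custom;

# Kernel-side file transmission and TCP tuning.
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;

# Directory index candidates. NOTE(review): nothing in this file routes .php to
# a FastCGI backend; if PHP files live under a document root they would be
# served as plain files (mime.types has no php entry, so as
# application/octet-stream) — confirm a php location exists in conf.d.
index index.htm index.html index.php;
include /etc/nginx/mime.types;
default_type application/octet-stream;

# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;

# Don't send the nginx version number in error pages and Server headers.
# (The Server: nginx header itself is still sent; removing it needs a module.)
server_tokens off;

# Load configuration files for the default server block.
# NOTE(review): on CentOS/RHEL, default.d snippets are written for inclusion
# inside a server block; a snippet containing location directives will fail
# `nginx -t` when included here at http level — confirm the snippet contents.
include /etc/nginx/default.d/*.conf;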
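# ---- browser-side hardening headers ---------------------------------------
#
# Inheritance caveat: nginx add_header directives are inherited from this
# level ONLY into server/location blocks that declare no add_header of their
# own. A server block that adds even one header (e.g. Strict-Transport-Security)
# must restate this whole set, or move the set into an included snippet.
#
# "always" emits the header on every status code; without it nginx adds
# headers only to 2xx/3xx responses, so error pages go out unprotected.
# (Requires nginx >= 1.7.5.)

# Refuse framing by other origins to avoid clickjacking. SAMEORIGIN still lets
# our own pages frame each other; use DENY if framing is never needed.
# ALLOW-FROM was never widely supported — the CSP frame-ancestors directive
# below is the standards-track equivalent.
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
add_header X-Frame-Options SAMEORIGIN always;

# Stop browsers from MIME-sniffing a response away from its Content-Type,
# which matters most for user-supplied content.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
add_header X-Content-Type-Options nosniff always;

# The legacy XSS auditor is explicitly disabled ("0"): the filter itself was
# abused for cross-site information leaks and has been removed from current
# browsers, and OWASP now recommends turning it off in favour of CSP.
add_header X-XSS-Protection "0" always;

# Content Security Policy: restrict where scripts, images, styles, fonts and
# embedded objects may be loaded from.
# http://www.html5rocks.com/en/tutorials/security/content-security-policy/
# https://www.owasp.org/index.php/Content_Security_Policy
# 'unsafe-inline' and 'unsafe-eval' in script-src largely defeat CSP's XSS
# protection; they remain only until the application's inline JS/CSS is
# moved to files or nonces/hashes. frame-ancestors 'self' mirrors the
# X-Frame-Options policy above for CSP-aware browsers. Consider also
# base-uri 'self' and form-action 'self' once the app is verified against them.
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com; img-src 'self' https://ssl.google-analytics.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://themes.googleusercontent.com; frame-src 'none'; object-src 'none'; frame-ancestors 'self'" always;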
# ---- OCSP stapling ----------------------------------------------------------
# nginx fetches the OCSP response for its own certificate and staples it into
# the handshake, so clients need not query the CA themselves (faster, and the
# CA does not learn who is visiting).
# http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
ssl_stapling on;
# Check the fetched response against ssl_trusted_certificate before stapling it.
ssl_stapling_verify on;
# PEM bundle of the issuer chain (and root) used to verify OCSP responses.
ssl_trusted_certificate /path/to/keyfile/staple.pem;
# nginx needs its own resolver to look up the OCSP responder host. Its resolver
# speaks plain DNS with no transport protection, so use servers you trust;
# the public resolvers below are a deployment choice, not a requirement.
resolver 8.8.8.8 8.8.4.4 valid=300s ipv6=off; # Google DNS
resolver_timeout 30s;
# ---- Cloudflare real-IP restoration -----------------------------------------
# Trust the client-IP header only when the TCP peer is a Cloudflare edge;
# for those connections the realip module replaces $remote_addr with the
# header value, so logs and access rules see the visitor, not the proxy.
# Connections from any other source keep their real peer address, whatever
# headers they carry. The list is a point-in-time snapshot: Cloudflare adds
# and retires ranges, and a retired range left here would let its new owner
# spoof visitor IPs, so regenerate it from https://www.cloudflare.com/ips/
# periodically. If the origin is reachable directly, consider also denying
# non-Cloudflare peers outright rather than only distrusting their headers.
#
# Header to take the address from: CF-Connecting-IP carries a single address;
# X-Forwarded-For (note the hyphen) is the generic alternative.
real_ip_header CF-Connecting-IP;
# real_ip_header X-Forwarded-For;

# IPv4 edges
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 199.27.128.0/21;

# IPv6 edges
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2a06:98c0::/29;
set_real_ip_from 2c0f:f248::/32;
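# ---- HTTPS server -----------------------------------------------------------
# NOTE(review): this block defines no root or location; content handling is
# presumably supplied by the included conf.d/default.d snippets — confirm.
server {
    # Both listeners must carry "ssl". The original IPv6 listener lacked it,
    # so nginx spoke plain HTTP on [::]:443 and TLS clients over IPv6 got
    # "400 The plain HTTP request was sent to HTTPS port".
    listen 443 ssl default deferred;
    listen [::]:443 ssl;
    server_name .example.com;

    ssl_certificate /path/to/keyfile/example.com.pem;
    ssl_certificate_key /path/to/keyfile/example.com.key;

    # Session resumption via the shared server-side cache (performance).
    # http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    # Session tickets are encrypted with a key generated when the process
    # starts and not rotated while it runs; a later compromise of that key
    # decrypts recorded resumed sessions, undoing forward secrecy. The cache
    # above already provides resumption, so tickets are disabled.
    ssl_session_tickets off;

    # 4096-bit DH group for the DHE suites (generate with `openssl dhparam 4096`).
    ssl_dhparam /path/to/keyfile/dhparams.pem;

    # Apply the server's cipher order rather than the client's preference.
    # (The BEAST rationale from the original is moot once TLS 1.0 is gone.)
    ssl_prefer_server_ciphers on;

    # TLS 1.0/1.1 are deprecated (RFC 8996) and fail current compliance
    # baselines; SSLv3 is off by not being listed. TLSv1.3 needs nginx >= 1.13.0
    # built against OpenSSL >= 1.1.1 — remove that token on older builds, where
    # it is rejected as an invalid value.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Forward-secret suites only (ECDHE/DHE key exchange with AES).
    # Removed from the original list: 3DES (64-bit block, Sweet32 /
    # CVE-2016-2183) and static-RSA key exchange (no forward secrecy), which
    # contradicted the "chosen for forward secrecy" intent. TLS 1.3 suites
    # are selected by OpenSSL independently of this directive.
    # http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!aNULL:!MD5:!DSS;

    # HSTS (HTTP Strict Transport Security) against SSL stripping.
    # https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
    # The browser preload list requires max-age >= 31536000 (one year) together
    # with includeSubDomains; the original 15552000 (180 days) would be rejected
    # with "preload" present. includeSubDomains + preload is effectively
    # irreversible for the whole registrable domain: every subdomain must
    # already serve valid TLS before this goes live.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    # add_header is NOT inherited into a block that declares its own add_header,
    # so with HSTS set here the http-level hardening headers would otherwise be
    # dropped for this server. They are restated here; "always" sends them on
    # error responses as well.
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-XSS-Protection "0" always;
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com; img-src 'self' https://ssl.google-analytics.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://themes.googleusercontent.com; frame-src 'none'; object-src 'none'; frame-ancestors 'self'" always;
}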
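# ---- plain-HTTP listener: redirect everything to HTTPS ----------------------
server {
    listen 80;
    listen [::]:80;
    server_name .example.com;
    # $host is the name from the request line or Host header (falling back to
    # the matched server_name). With the catch-all below, only requests whose
    # Host matched .example.com reach this redirect, so the target is always
    # one of our own names.
    return 301 https://$host$request_uri;
    # The root, location and error_page directives copied from the stock
    # nginx.conf were dropped: a server-level return answers every request
    # before location matching, so none of them were reachable.
}

# Catch-all for requests whose Host matches no server_name on :80. Without an
# explicit default_server the first server on the port (the redirect above)
# handled them and answered 301 https://<whatever Host the client sent>/...
# 444 closes the connection without sending a response.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;
}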
} |
It would, but this gist was created 6 years ago and hasn't been touched since. Cloudflare DNS wasn't released publicly until 2018, so wasn't available when I created this. If I were doing this now I would definitely use Cloudflare DNS servers as you say.
I don't understand, wouldn't using Cloudflare's own DNS resolver 1.1.1.1 be better when using Cloudflare?