Optimized // $ sudo nano /etc/nginx/conf.d/default.conf // ref from https://gist.github.com/plentz/6737338
# Catch-all plain-HTTP listener: any request on port 80 that no other
# server_name in this file claims ends up here and is answered with a
# permanent redirect to HTTPS; no content is served from this block.
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    # Security headers on the redirect response. CSP and X-Xss-Protection
    # lack "always", so nginx only attaches them to 2xx/3xx responses; that
    # covers the 301 this block returns.
    add_header Content-Security-Policy "default-src 'self';";
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Xss-Protection "1";

    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    # NOTE(review): $host comes from the client's Host header, so this
    # default_server redirects to whatever hostname the client supplied
    # (an open redirect; low impact, but commonly flagged by scanners).
    # Limiting this block with a server_name list, or redirecting to a fixed
    # hostname, would close it -- confirm which names must reach this block.
    return 301 https://$host$request_uri;
}
# Monitoring vhost: reverse-proxies mon.rabbot.io to a local service on
# port 19999. Plain HTTP on port 80 only -- no server in this file terminates
# TLS for this name.
server {
    listen 80;
    listen [::]:80;
    server_name mon.rabbot.io;

    # NOTE(review): an identical server block (same listen/server_name) is
    # declared again at the end of this file; nginx should warn about the
    # conflicting server name and use only this first one.
    location / {
        # Pass the client's address and the original Host to the backend;
        # X-Forwarded-For appends $remote_addr to any value the client sent.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_set_header X-NginX-Proxy true;
        # NOTE(review): no auth_basic / allow-deny here and no TLS in front of
        # the backend, so the dashboard is reachable in clear by anyone who can
        # resolve the name -- confirm the backend enforces its own access control.
        proxy_pass http://localhost:19999/;
        # Rewrites backend Location headers to https://mon.rabbot.io/; since no
        # 443 listener for mon.rabbot.io exists in this file, such a redirect
        # would land on the default 443 vhost (rabbot.io) with a certificate
        # name mismatch -- TODO confirm this is intended.
        proxy_redirect http://localhost:19999/ https://$server_name/;
    }
}
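# Primary HTTPS vhost for rabbot.io / www.rabbot.io: static files from
# /var/www/rabbot.io over TLS with HTTP/2, HSTS and a restrictive CSP.
# Plain-HTTP requests for these names hit the default_server block above and
# are redirected here.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name rabbot.io www.rabbot.io;

    ssl_certificate /etc/letsencrypt/live/rabbot.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/rabbot.io/privkey.pem;

    # enable ocsp stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner)
    # http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
    ssl_stapling on;
    ssl_stapling_verify on;
    # ssl_stapling_verify checks the OCSP response against the trust store
    # built from ssl_trusted_certificate (per the nginx docs); without it the
    # signature check is likely to fail and no staple is sent. fullchain.pem
    # already carries the issuing intermediate, so it serves as that store.
    ssl_trusted_certificate /etc/letsencrypt/live/rabbot.io/fullchain.pem;
    # Your favorite resolver may be used instead of the Google one below.
    # Used for the OCSP responder lookup; these queries go out as plain DNS.
    resolver 8.8.8.8;

    # Only TLS 1.2: SSLv3 is broken and TLS 1.0/1.1 are deprecated (RFC 8996).
    # Add TLSv1.3 to this list once nginx >= 1.13 with OpenSSL >= 1.1.1 is in
    # use; older nginx rejects the unknown token at startup.
    ssl_protocols TLSv1.2;
    # Let the server's order win so the strongest mutually supported suite
    # (AEAD with forward secrecy, listed first) is negotiated.
    ssl_prefer_server_ciphers on;
    # Based on https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
    # with the 3DES (DES-CBC3) suites removed: a 64-bit block cipher exposed to
    # Sweet32-style attacks on long-lived connections. The plain AES suites at
    # the tail are kept for legacy clients but provide no forward secrecy.
    ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS";

    # enable session resumption to improve https performance
    # http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
    # With this shared session (of 10m), nginx will be able to handle 10 x 4000 sessions and the sessions will be valid for 1 hour.
    # https://leandromoreira.com.br/2015/10/12/how-to-optimize-nginx-configuration-for-http2-tls-ssl/
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1h;

    # Diffie-Hellman for TLS
    # https://weakdh.org/sysadmin.html
    ssl_dhparam "/etc/dhparams.pem";

    # config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
    # to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
    # includeSubDomains is deliberately absent: mon.rabbot.io is served over
    # plain HTTP in this file and would stop working with it.
    add_header Strict-Transport-Security "max-age=31557600;" always;
    # "always" on every header so error responses carry them too (without it
    # add_header only applies to 2xx/3xx), matching X-Frame-Options above.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Xss-Protection "1" always;
    # CSP on a single line: the previous multi-line quoted value was sent with
    # embedded newlines, which is invalid inside an HTTP/2 header value and
    # makes browsers drop the response as a protocol error. Note that
    # script-src still allows any https: origin, so it mostly just blocks
    # inline and non-TLS scripts.
    add_header Content-Security-Policy "default-src 'none'; script-src 'self' https: *.google-analytics.com cdn.ampproject.org; font-src fonts.googleapis.com fonts.gstatic.com; style-src fonts.googleapis.com 'unsafe-inline'; img-src 'self' data:; connect-src https://www.google-analytics.com;" always;

    # AMP
    # NOTE(review): Access-Control-Allow-Origin does not support wildcard
    # subdomains -- browsers compare it literally with the request Origin, so
    # "*.ampproject.org" never matches. The usual fix is to validate Origin
    # against an allow-list in an http-level map and echo it back; that map
    # lives outside this block, so the header is left unchanged here.
    add_header Access-Control-Allow-Origin "*.ampproject.org";
    add_header AMP-Access-Control-Allow-Source-Origin "https://rabbot.io";
    add_header Access-Control-Expose-Headers "AMP-Access-Control-Allow-Source-Origin";

    root /var/www/rabbot.io;
    index index.html;

    # ACME HTTP-01 challenge files are read from the same document root; the
    # explicit location keeps that path stable if root changes later.
    location '/.well-known/acme-challenge' {
        root /var/www/rabbot.io;
    }
}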
# blog.rabbot.io: reverse proxy to a GitHub Pages site, reachable over both
# plain HTTP and HTTPS. Unlike the rabbot.io vhost there is no HTTP->HTTPS
# redirect and none of the security headers (HSTS, CSP, ...) are set here.
server {
    listen 80;
    listen [::]:80;
    # NOTE(review): no ssl_certificate / ssl_certificate_key appear in this
    # server block. The rabbot.io certificate paths above are scoped to that
    # server and are not inherited, so unless they are set at http level
    # (outside this file) these TLS listeners have no certificate to present;
    # also confirm any certificate reused here actually covers blog.rabbot.io.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name blog.rabbot.io;

    location / {
        #return 301 $scheme://rabbots.github.io$request_uri;
        # NOTE(review): because the proxy_pass target contains a variable, the
        # hostname is resolved per request and needs a resolver; the one in
        # the rabbot.io block is server-scoped, so unless a resolver exists at
        # http level these requests fail. The upstream is plain http:, so
        # traffic that arrived over HTTPS is re-sent in clear to GitHub.
        proxy_pass http://rabbots.github.io$request_uri;
        proxy_buffering off;
        # Forward the original Host and client address; X-Forwarded-Protocol
        # carries the scheme the client used.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Protocol $scheme;
    }
}
# NOTE(review): verbatim duplicate of the mon.rabbot.io server block declared
# earlier in this file (same listen ports and server_name). nginx should warn
# about the conflicting server name and ignore this copy, so it can be
# removed without changing behaviour; see the earlier block for the notes on
# missing TLS and access control for the proxied dashboard.
server {
    listen 80;
    listen [::]:80;
    server_name mon.rabbot.io;

    location / {
        # Pass the client's address and the original Host to the backend.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://localhost:19999/;
        # Rewrites backend Location headers to https://mon.rabbot.io/, a name
        # no 443 listener in this file serves -- TODO confirm intended.
        proxy_redirect http://localhost:19999/ https://$server_name/;
    }
}