@katopz
Last active April 16, 2016 14:59
Optimized // $ sudo nano /etc/nginx/conf.d/default.conf // ref from https://gist.github.com/plentz/6737338
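# Catch-all for plain HTTP: every request that no other port-80 vhost claims is
# sent to its HTTPS equivalent with a permanent redirect.
# Name-matched HTTP vhosts later in this file (mon.rabbot.io, blog.rabbot.io)
# take precedence over this default_server and are NOT redirected.
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    # Headers on the redirect response itself. `always` is set on all of them
    # for consistency with the TLS vhost (without it nginx only adds the header
    # on 2xx/3xx responses).
    add_header Content-Security-Policy "default-src 'self';" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    # X-XSS-Protection is deprecated/ignored by current browsers; CSP is the
    # real control. Kept for older clients, with mode=block so a detected
    # reflection is blocked rather than "sanitised".
    add_header X-Xss-Protection "1; mode=block" always;

    # $host reflects the client's Host header: a bare IP or an unrelated name
    # is redirected to https://<that value>/. Only the requesting client sees
    # that response, so it is acceptable for a catch-all, but do not put this
    # vhost behind a shared cache that keys on the path alone.
    return 301 https://$host$request_uri;
}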
# Plain-HTTP front for the monitoring dashboard on mon.rabbot.io.
# NOTE(review): this vhost is reached over unencrypted HTTP and nothing in this
# file authenticates it; whatever listens on localhost:19999 (19999 is
# netdata's default port — confirm) is exposed to anyone who can reach port 80.
# An auth_basic/auth_basic_user_file pair or an allow/deny list, plus a TLS
# listener, are the usual minimum before exposing a dashboard like this.
# An identical server block for mon.rabbot.io appears again at the end of this
# file; nginx warns "conflicting server name ... ignored" and uses this one.
server {
listen 80;
listen [::]:80;
# Matched by name, so this host bypasses the default_server's HTTP->HTTPS redirect.
server_name mon.rabbot.io;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://localhost:19999/;
# Rewrites backend Location headers to https://mon.rabbot.io/. No 443 listener
# for this name exists in this file, so such redirects would land on the first
# TLS vhost (rabbot.io certificate) unless one is defined elsewhere;
# `proxy_redirect http://localhost:19999/ /;` would keep the client's scheme.
proxy_redirect http://localhost:19999/ https://$server_name/;
}
}
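# Main TLS vhost for rabbot.io / www.rabbot.io (static files under /var/www).
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name rabbot.io www.rabbot.io;

    ssl_certificate /etc/letsencrypt/live/rabbot.io/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/rabbot.io/privkey.pem;

    # OCSP stapling: the server attaches a signed revocation status to the
    # handshake so clients need not contact the CA themselves.
    # http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
    ssl_stapling on;
    ssl_stapling_verify on;
    # ssl_stapling_verify needs the issuer chain to be trusted. If nginx logs
    # "ssl_stapling ignored, issuer certificate not found", point
    # ssl_trusted_certificate at the CA chain shipped next to fullchain.pem.
    # ssl_trusted_certificate /etc/letsencrypt/live/rabbot.io/chain.pem;

    # Resolver used only for the OCSP responder lookup. Any trusted resolver
    # works; a local one avoids leaking the lookups to a third party.
    resolver 8.8.8.8 valid=300s;
    resolver_timeout 5s;

    # TLS 1.0/1.1 are deprecated (RFC 8996) and only needed by very old
    # clients. Add TLSv1.3 once nginx (>= 1.13.0) is built against OpenSSL
    # 1.1.1+; an unsupported name here makes `nginx -t` fail, so do not add it
    # blindly.
    ssl_protocols TLSv1.2;

    # Let the server pick the suite (prevents a client from negotiating one of
    # the weaker tail entries when a stronger one is mutually supported).
    # http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
    ssl_prefer_server_ciphers on;
    # Mozilla "intermediate" list of the time, minus the 3DES suites (64-bit
    # block cipher, SWEET32). The static-RSA suites at the tail give no forward
    # secrecy and can be dropped once legacy clients are not a concern.
    # https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
    ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS";

    # DH parameters for the DHE suites; generate with >= 2048 bits.
    # https://weakdh.org/sysadmin.html
    ssl_dhparam "/etc/dhparams.pem";

    # Session resumption via the server-side cache (10 MB shared across
    # workers, roughly 40k sessions, valid for one hour).
    # http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
    # https://leandromoreira.com.br/2015/10/12/how-to-optimize-nginx-configuration-for-http2-tls-ssl/
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1h;
    # Session tickets are encrypted with a key nginx only rotates on restart;
    # a long-lived ticket key undermines the forward secrecy the ECDHE/DHE
    # suites provide, so prefer the cache above.
    ssl_session_tickets off;

    # HSTS, to defeat SSL stripping on later visits.
    # https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
    # https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
    # Deliberately without includeSubDomains: mon.rabbot.io and blog.rabbot.io
    # are served over plain HTTP in this file and would break.
    add_header Strict-Transport-Security "max-age=31557600" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    # Deprecated in current browsers; CSP below is the real control.
    add_header X-Xss-Protection "1; mode=block" always;

    # CSP, kept on ONE line: nginx accepts a quoted value spanning several
    # lines, but the newlines end up inside the header value, which is not a
    # valid HTTP/1.1 header and is forbidden outright in HTTP/2.
    # NOTE(review): `https:` in script-src allows a script from ANY https host,
    # which makes the explicit host allow-list next to it moot; likewise
    # 'unsafe-inline' in style-src. Tighten both if the AMP/analytics setup
    # permits.
    add_header Content-Security-Policy "default-src 'none'; script-src 'self' https: *.google-analytics.com cdn.ampproject.org; font-src fonts.googleapis.com fonts.gstatic.com; style-src fonts.googleapis.com 'unsafe-inline'; img-src 'self' data:; connect-src https://www.google-analytics.com;" always;

    # AMP CORS headers.
    # NOTE(review): Access-Control-Allow-Origin must be a single origin or "*";
    # browsers reject a wildcard-prefixed host like "*.ampproject.org", so CORS
    # requests from the AMP cache will fail. The usual fix is a `map` on
    # $http_origin at http{} level that echoes back only allowed origins.
    add_header Access-Control-Allow-Origin "*.ampproject.org";
    add_header AMP-Access-Control-Allow-Source-Origin "https://rabbot.io";
    add_header Access-Control-Expose-Headers "AMP-Access-Control-Allow-Source-Origin";

    root /var/www/rabbot.io;
    index index.html;

    # Let's Encrypt HTTP-01 challenges. add_header is not redefined here, so
    # the server-level headers above still apply to this location.
    location '/.well-known/acme-challenge' {
        root /var/www/rabbot.io;
    }
}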
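# blog.rabbot.io: reverse proxy in front of the GitHub Pages site, on both
# plain HTTP and HTTPS (no redirect to HTTPS on this name).
server {
    listen 80;
    listen [::]:80;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name blog.rabbot.io;

    # NOTE(review): no ssl_certificate/ssl_certificate_key in this block. Unless
    # they are set in the http{} context (nginx.conf, outside this file) nginx
    # rejects the ssl listener at startup. The HSTS and other security headers
    # of the rabbot.io vhost are not inherited across server blocks either;
    # add the ones wanted here explicitly.

    # proxy_pass below contains a variable ($request_uri), so nginx builds the
    # URL per request and resolves rabbots.github.io at runtime. That requires
    # a resolver in scope — the one in the rabbot.io block is not inherited —
    # otherwise every request fails with "no resolver defined". Runtime
    # resolution also follows GitHub's IP changes, unlike a startup lookup.
    resolver 8.8.8.8 valid=300s;
    resolver_timeout 5s;

    location / {
        #return 301 $scheme://rabbots.github.io$request_uri;
        # NOTE(review): the upstream leg is plain HTTP across the public
        # internet even when the visitor used HTTPS. Switching to
        # https://rabbots.github.io with proxy_ssl_server_name on (and
        # proxy_ssl_verify against a CA bundle) closes that gap — verify GitHub
        # Pages accepts the forwarded Host before flipping it.
        proxy_pass http://rabbots.github.io$request_uri;
        proxy_buffering off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # X-Forwarded-Protocol is non-standard; X-Forwarded-Proto is what most
        # backends read. Both are sent so nothing relying on the old name breaks.
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}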
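# A second `server` for mon.rabbot.io on port 80 used to sit here; it was a
# byte-for-byte duplicate of the mon.rabbot.io block earlier in this file.
# nginx keeps only the first definition for a given name/port pair and logs
# 'conflicting server name "mon.rabbot.io" on 0.0.0.0:80, ignored' for the
# other, so removing it changes nothing at runtime and silences the warning.
# Any change to that vhost (TLS listener, authentication) belongs in the
# remaining block.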