Nginx configuration file with improved security and optimized for the Raspberry Pi.
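user www-data;
worker_processes 2;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    # Basic Settings
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    types_hash_max_size 2048;
    # Do not advertise the nginx version in the Server header or on error pages.
    server_tokens off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Security response headers.
    # NOTE: add_header is only inherited from this level when the server/location
    # block defines no add_header of its own; a child block that adds even one
    # header silently drops all of these. "always" makes nginx emit the header on
    # every response code (4xx/5xx included), not just 2xx/3xx.

    # Do not allow the browser to render the page inside a frame or iframe,
    # to avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
    # If you need to allow [i]frames, you can use SAMEORIGIN (ALLOW-FROM is not
    # supported by current browsers; use the CSP frame-ancestors directive instead).
    # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
    add_header X-Frame-Options DENY always;

    # When serving user-supplied content, include an X-Content-Type-Options: nosniff
    # header along with the Content-Type: header to disable content-type sniffing.
    # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
    # http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
    # http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
    add_header X-Content-Type-Options nosniff always;

    # This header controls the reflected-XSS filter in older browsers; the role of
    # the header is to re-enable the filter for this site if the user disabled it.
    # Current browsers have removed that filter, so this header is a legacy
    # measure only and is no substitute for the Content-Security-Policy below.
    # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
    add_header X-XSS-Protection "1; mode=block" always;

    # With Content Security Policy (CSP) enabled (and a browser that supports it,
    # http://caniuse.com/#feat=contentsecuritypolicy), you can tell the browser
    # that it may only load content from the sources you explicitly allow.
    # http://www.html5rocks.com/en/tutorials/security/content-security-policy/
    # https://www.owasp.org/index.php/Content_Security_Policy
    # CSP directives MUST be separated by ";". Without the separators the browser
    # parses everything after script-src as (invalid, ignored) script sources, so
    # img-src, style-src, font-src and object-src were never applied and
    # object-src 'none' in particular had no effect.
    # TODO: remove 'unsafe-inline' and 'unsafe-eval' once the application no
    # longer uses inline css/js (if you have inline css or js, you must keep them).
    # http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'" always;

    # gzip compression (text/html is always compressed when gzip is on)
    gzip on;
    gzip_static on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 3;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    # The "+xml" subtypes are written in full; bare "rss"/"xml" tokens are not
    # valid MIME types and never match a response.
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript text/mathml application/atom+xml application/xhtml+xml image/svg+xml;

    # Logging Settings
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    # Slow-client defence: short timeouts free worker connections held open by
    # clients that send headers/bodies slowly. These are not rate limits; per-IP
    # request/connection limiting needs limit_req / limit_conn zones.
    client_header_timeout 10;
    client_body_timeout 10;
    keepalive_timeout 10 10;
    send_timeout 10;

    # Virtual Host Configs
    include /etc/nginx/fastcgi.conf;
    include /etc/nginx/sites-enabled/*;
}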