lifeofguenter · November 7, 2017 13:52
diff --git a/01-nginx.conf b/01-nginx.conf
 user www-data www-data;
 error_log /var/log/nginx/error.log;
 pid /run/nginx.pid;

 worker_processes auto;
 worker_rlimit_nofile 100000;
 pcre_jit on;

 events {
  use epoll;
  worker_connections 2048;
  multi_accept on;
 }

 http {
  include       mime.types;
  default_type  application/octet-stream;

  resolver 8.8.8.8 8.8.4.4 valid=600s;
  resolver_timeout 4s;

  # make usage of $https dynamic
  map $https $fcgi_https {
    on on;
  }

  # make usage of $scheme dynamic
  map $http_x_forwarded_proto $the_scheme {
    default $scheme;
    https https;
  }

  log_format multitenant '$remote_addr $remote_user - [$time_local] $http_host "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"';

  # security
  server_tokens off;

  # performance
  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;
  access_log off;
  open_file_cache max=10000 inactive=30s;
  open_file_cache_valid 60s;
  open_file_cache_min_uses 2;
  open_file_cache_errors on;

  keepalive_requests 1024;
  keepalive_timeout 120;
  send_timeout 60s;
  client_header_timeout 60s;
  client_body_timeout 60s;
  client_max_body_size 100M;
  reset_timedout_connection on;

  # special munin-node vhost
  #include common/munin-node.conf;

  # vhosts
  include vhosts/*.conf;
 }
diff --git a/10-vhost.conf b/10-vhost.conf
 server {
  listen 80;
  server_name APP_DOMAIN;
  return 301 https://$host$request_uri;
 }

 server {
  listen 443 ssl http2;

  include secure-ssl.conf;
  ssl_certificate /etc/ssl/live/APP_DOMAIN/fullchain.pem;
  ssl_certificate_key /etc/ssl/live/APP_DOMAIN/privkey.pem;
  ssl_trusted_certificate /etc/ssl/live/APP_DOMAIN/chain.pem;
  ssl_dhparam /etc/ssl/live/APP_DOMAIN/dhparam.pem;

  server_name APP_DOMAIN;

  # set custom headers
  include headers.conf;

  # disable any usable /index.php request
  if ($request_uri ~* "^(.*/)index\.php(/?)(.*)") {
    return 301 https://$host/;
  }

  set $real_scheme $scheme;

  set_real_ip_from 10.0.0.0/8;
  set_real_ip_from 172.16.0.0/12;
  set_real_ip_from 192.168.0.0/16;

  real_ip_header X-Forwarded-For;
  real_ip_recursive on;

  root /app/public;

  include drop.conf;
  include assets.conf;

  # avoid dupe slashes
  merge_slashes on;
  if ($request_uri ~ "^[^?]*?//") {
    rewrite "^" $uri permanent;
  }

  location / {
    rewrite ^/(.*)/+$ /$1 permanent;
    try_files /$host$uri $uri /index.html /index.php$is_args$args;
  }

  # serve any php script
  location ~ [^/]\.php(/|$) {
    include php.conf;
  }

  # logging
  error_log /logs/error.log error;
  access_log /logs/access.log multitenant;
 }
diff --git a/20-secure-ssl.conf b/20-secure-ssl.conf
 # See: https://cipherli.st/ & https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

 ssl on;
 ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_ecdh_curve secp384r1; 

 ssl_prefer_server_ciphers on;
 ssl_session_cache shared:SSL:10m;
 ssl_session_timeout 10m;

 ssl_stapling on;
 ssl_stapling_verify on;

 add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
 add_header X-XSS-Protection "1; mode=block" always;
 add_header X-Content-Type-Options nosniff always;
diff --git a/30-php.conf b/30-php.conf
 fastcgi_split_path_info ^(.+\.php)(.*)$;
 try_files $uri =404;
 fastcgi_pass 127.0.0.1:9000;
 fastcgi_pass_header Authorization;
 fastcgi_index index.php;

 include fastcgi.conf;
diff --git a/35-fastcgi.conf b/35-fastcgi.conf
 fastcgi_param  HOSTNAME           $hostname;
 fastcgi_param  SERVER_NAME        $host;

 fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
 fastcgi_param  QUERY_STRING       $query_string;
 fastcgi_param  REQUEST_METHOD     $request_method;
 fastcgi_param  CONTENT_TYPE       $content_type;
 fastcgi_param  CONTENT_LENGTH     $content_length;

 fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
 fastcgi_param  PATH_INFO          $fastcgi_path_info;
 fastcgi_param  PATH_TRANSLATED    $document_root$fastcgi_path_info;
 fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
 fastcgi_param  REQUEST_URI        $request_uri;
 fastcgi_param  DOCUMENT_URI       $document_uri;
 fastcgi_param  DOCUMENT_ROOT      $document_root;
 fastcgi_param  SERVER_PROTOCOL    $server_protocol;
 fastcgi_param  HTTPS              $fcgi_https if_not_empty;

 fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
 fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

 fastcgi_param  REMOTE_ADDR        $remote_addr;
 fastcgi_param  REMOTE_PORT        $remote_port;
 fastcgi_param  SERVER_ADDR        $server_addr;
 fastcgi_param  SERVER_PORT        $server_port;

 # PHP only, required if PHP was built with --enable-force-cgi-redirect
 fastcgi_param  REDIRECT_STATUS    200;
diff --git a/40-assets.conf b/40-assets.conf
 # static file compression
 gzip_static on;
 gzip on;
 gzip_proxied any;
 gzip_comp_level 6;
 gzip_types
  text/richtext
  text/plain
  text/css
  text/x-script
  text/x-component
  text/x-java-source
  application/javascript
  application/x-javascript
  text/javascript
  text/js
  image/x-icon
  text/xml
  application/xml
  application/rss+xml
  application/json
  application/xhtml+xml
  font/ttf
  font/otf
  font/woff
  font/woff2
  image/svg+xml
  application/vnd.ms-fontobject
  application/ttf
  application/x-ttf
  application/otf
  application/x-otf
  application/truetype
  application/opentype
  application/x-opentype
  application/woff
  application/eot
  application/font
  application/font-woff
  application/font-sfnt;
 gzip_disable "msie6";
 gzip_vary on;

 brotli_static on;
 brotli on;
 brotli_types
  text/richtext
  text/plain
  text/css
  text/x-script
  text/x-component
  text/x-java-source
  application/javascript
  application/x-javascript
  text/javascript
  text/js
  image/x-icon
  text/xml
  application/xml
  application/rss+xml
  application/json
  application/xhtml+xml
  font/ttf
  font/otf
  font/woff
  font/woff2
  image/svg+xml
  application/vnd.ms-fontobject
  application/ttf
  application/x-ttf
  application/otf
  application/x-otf
  application/truetype
  application/opentype
  application/x-opentype
  application/woff
  application/eot
  application/font
  application/font-woff
  application/font-sfnt;
 brotli_comp_level 4;

 # static file expire
 location ~* \.(css|js|jpg|jpeg|gif|ico|png|bmp|pict|csv|doc|pdf|pls|ppt|tif|tiff|eps|ejs|swf|midi|mid|ttf|eot|woff|woff2|otf|svg|svgz|webp|docx|xlsx|xls|pptx|ps|class|jar)$ {
  expires 1y;
  add_header Cache-Control public;
  include headers.conf;

  # deprecated?
  if (-f $document_root/$host$uri) {
    rewrite ^(.*)$ /$host$1 last;
  }

  # default to frontend-controller on 404
  try_files /$host$uri $uri /index.html /index.php$is_args$args;
 }
diff --git a/50-drop.conf b/50-drop.conf
 location ~ /\.          { access_log off; log_not_found off; deny all; }
 location ~ ~$           { access_log off; log_not_found off; deny all; }
diff --git a/60-headers.conf b/60-headers.conf
 add_header X-UA-Compatible 'IE=Edge,chrome=1' always;
	user www-data www-data;
	error_log /var/log/nginx/error.log;
	pid /run/nginx.pid;

	worker_processes auto;
	worker_rlimit_nofile 100000;
	pcre_jit on;

	events {
	use epoll;
	worker_connections 2048;
	multi_accept on;
	}

	http {
	include mime.types;
	default_type application/octet-stream;

	resolver 8.8.8.8 8.8.4.4 valid=600s;
	resolver_timeout 4s;

	# make usage of $https dynamic
	map $https $fcgi_https {
	on on;
	}

	# make usage of $scheme dynamic
	map $http_x_forwarded_proto $the_scheme {
	default $scheme;
	https https;
	}

	log_format multitenant '$remote_addr $remote_user - [$time_local] $http_host "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"';

	# security
	server_tokens off;

	# performance
	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	access_log off;
	open_file_cache max=10000 inactive=30s;
	open_file_cache_valid 60s;
	open_file_cache_min_uses 2;
	open_file_cache_errors on;

	keepalive_requests 1024;
	keepalive_timeout 120;
	send_timeout 60s;
	client_header_timeout 60s;
	client_body_timeout 60s;
	client_max_body_size 100M;
	reset_timedout_connection on;

	# special munin-node vhost
	#include common/munin-node.conf;

	# vhosts
	include vhosts/*.conf;
	}
	server {
	listen 80;
	server_name APP_DOMAIN;
	return 301 https://$host$request_uri;
	}

	server {
	listen 443 ssl http2;

	include secure-ssl.conf;
	ssl_certificate /etc/ssl/live/APP_DOMAIN/fullchain.pem;
	ssl_certificate_key /etc/ssl/live/APP_DOMAIN/privkey.pem;
	ssl_trusted_certificate /etc/ssl/live/APP_DOMAIN/chain.pem;
	ssl_dhparam /etc/ssl/live/APP_DOMAIN/dhparam.pem;

	server_name APP_DOMAIN;

	# set custom headers
	include headers.conf;

	# disable any usable /index.php request
	if ($request_uri ~* "^(./)index\.php(/?)(.)") {
	return 301 https://$host/;
	}

	set $real_scheme $scheme;

	set_real_ip_from 10.0.0.0/8;
	set_real_ip_from 172.16.0.0/12;
	set_real_ip_from 192.168.0.0/16;

	real_ip_header X-Forwarded-For;
	real_ip_recursive on;

	root /app/public;

	include drop.conf;
	include assets.conf;

	# avoid dupe slashes
	merge_slashes on;
	if ($request_uri ~ "^[^?]*?//") {
	rewrite "^" $uri permanent;
	}

	location / {
	rewrite ^/(.*)/+$ /$1 permanent;
	try_files /$host$uri $uri /index.html /index.php$is_args$args;
	}

	# serve any php script
	location ~ [^/]\.php(/\|$) {
	include php.conf;
	}

	# logging
	error_log /logs/error.log error;
	access_log /logs/access.log multitenant;
	}
	# See: https://cipherli.st/ & https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

	ssl on;
	ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_ecdh_curve secp384r1;

	ssl_prefer_server_ciphers on;
	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 10m;

	ssl_stapling on;
	ssl_stapling_verify on;

	add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
	add_header X-XSS-Protection "1; mode=block" always;
	add_header X-Content-Type-Options nosniff always;
	fastcgi_split_path_info ^(.+\.php)(.*)$;
	try_files $uri =404;
	fastcgi_pass 127.0.0.1:9000;
	fastcgi_pass_header Authorization;
	fastcgi_index index.php;

	include fastcgi.conf;
	fastcgi_param HOSTNAME $hostname;
	fastcgi_param SERVER_NAME $host;

	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	fastcgi_param QUERY_STRING $query_string;
	fastcgi_param REQUEST_METHOD $request_method;
	fastcgi_param CONTENT_TYPE $content_type;
	fastcgi_param CONTENT_LENGTH $content_length;

	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	fastcgi_param PATH_INFO $fastcgi_path_info;
	fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
	fastcgi_param SCRIPT_NAME $fastcgi_script_name;
	fastcgi_param REQUEST_URI $request_uri;
	fastcgi_param DOCUMENT_URI $document_uri;
	fastcgi_param DOCUMENT_ROOT $document_root;
	fastcgi_param SERVER_PROTOCOL $server_protocol;
	fastcgi_param HTTPS $fcgi_https if_not_empty;

	fastcgi_param GATEWAY_INTERFACE CGI/1.1;
	fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;

	fastcgi_param REMOTE_ADDR $remote_addr;
	fastcgi_param REMOTE_PORT $remote_port;
	fastcgi_param SERVER_ADDR $server_addr;
	fastcgi_param SERVER_PORT $server_port;

	# PHP only, required if PHP was built with --enable-force-cgi-redirect
	fastcgi_param REDIRECT_STATUS 200;
	# static file compression
	gzip_static on;
	gzip on;
	gzip_proxied any;
	gzip_comp_level 6;
	gzip_types
	text/richtext
	text/plain
	text/css
	text/x-script
	text/x-component
	text/x-java-source
	application/javascript
	application/x-javascript
	text/javascript
	text/js
	image/x-icon
	text/xml
	application/xml
	application/rss+xml
	application/json
	application/xhtml+xml
	font/ttf
	font/otf
	font/woff
	font/woff2
	image/svg+xml
	application/vnd.ms-fontobject
	application/ttf
	application/x-ttf
	application/otf
	application/x-otf
	application/truetype
	application/opentype
	application/x-opentype
	application/woff
	application/eot
	application/font
	application/font-woff
	application/font-sfnt;
	gzip_disable "msie6";
	gzip_vary on;

	brotli_static on;
	brotli on;
	brotli_types
	text/richtext
	text/plain
	text/css
	text/x-script
	text/x-component
	text/x-java-source
	application/javascript
	application/x-javascript
	text/javascript
	text/js
	image/x-icon
	text/xml
	application/xml
	application/rss+xml
	application/json
	application/xhtml+xml
	font/ttf
	font/otf
	font/woff
	font/woff2
	image/svg+xml
	application/vnd.ms-fontobject
	application/ttf
	application/x-ttf
	application/otf
	application/x-otf
	application/truetype
	application/opentype
	application/x-opentype
	application/woff
	application/eot
	application/font
	application/font-woff
	application/font-sfnt;
	brotli_comp_level 4;

	# static file expire
	location ~* \.(css\|js\|jpg\|jpeg\|gif\|ico\|png\|bmp\|pict\|csv\|doc\|pdf\|pls\|ppt\|tif\|tiff\|eps\|ejs\|swf\|midi\|mid\|ttf\|eot\|woff\|woff2\|otf\|svg\|svgz\|webp\|docx\|xlsx\|xls\|pptx\|ps\|class\|jar)$ {
	expires 1y;
	add_header Cache-Control public;
	include headers.conf;

	# deprecated?
	if (-f $document_root/$host$uri) {
	rewrite ^(.*)$ /$host$1 last;
	}

	# default to frontend-controller on 404
	try_files /$host$uri $uri /index.html /index.php$is_args$args;
	}
	location ~ /\. { access_log off; log_not_found off; deny all; }
	location ~ ~$ { access_log off; log_not_found off; deny all; }