NGinX sample configuration

Basic reverse proxy configuration

upstream myservers {
    server 10.10.120.10:8080;
}
server {
    listen         80 default_server;
    return         301 https://$server_name$request_uri;
}
server {
    listen 443 ssl default_server;

    # use only TLS encryption
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # specify ciphers to avoid PFS vulnerabilities
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

    # self-signed certificate
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;

    access_log   /var/log/nginx/mysite.access.log rt_cache;
    error_log    /var/log/nginx/mysite.error.log;

    location / {
        proxy_pass http://myservers;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

XSS blocking rules

set $block_xss 0;
if ($query_string ~ "base64_(en|de)code\(.*\)") {
 set $block_xss 1;
}
if ($request_uri ~ "base64_(en|de)code\(.*\)") {
 set $block_xss 1;
}
if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
 set $block_xss 1;
}
if ($request_uri ~ "(<|%3C).*script.*(>|%3E)") {
 set $block_xss 1;
}
if ($query_string ~ "(<|%3C).*iframe.*(>|%3E)") {
 set $block_xss 1;
}
if ($request_uri ~ "(<|%3C).*iframe.*(>|%3E)") {
 set $block_xss 1;
}
if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
        set $block_xss 1;
}
if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
        set $block_xss 1;
}
if ($block_xss = 1) {
 return 403;
}

# iframe protection
server {
    server_name     site.com;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    
    if ($host !~* ^(site.com)$ ) {
        return 444;
    }
    ...
}