nokimaro · September 23, 2021 12:00
diff --git a/general.conf b/general.conf
 # favicon.ico
 location = /favicon.ico {
    log_not_found off;
    access_log    off;
 }

 # robots.txt
 location = /robots.txt {
    log_not_found off;
    access_log    off;
 }

 # assets, media
 location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
    expires    7d;
    access_log off;
 }

 # svg, fonts
 location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
    add_header Access-Control-Allow-Origin "*";
    expires    7d;
    access_log off;
 }

 # gzip
 gzip            on;
 gzip_vary       on;
 gzip_proxied    any;
 gzip_comp_level 6;
 gzip_types      text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
diff --git a/letsencrypt.conf b/letsencrypt.conf
 # ACME-challenge
 location ^~ /.well-known/acme-challenge/ {
    root /var/www/_letsencrypt;
 }
diff --git a/nginx.conf b/nginx.conf
 user                 www-data;
 pid                  /run/nginx.pid;
 worker_processes     auto;
 worker_rlimit_nofile 65535;

 events {
    multi_accept       on;
    worker_connections 65535;
    use epoll;
 }

 http {
    charset              utf-8;
    sendfile             on;
    tcp_nopush           on;
    tcp_nodelay          on;
    server_tokens        off;
    log_not_found        off;
    types_hash_max_size  2048;
    client_max_body_size 128M;

    # MIME
    include              mime.types;
    default_type         application/octet-stream;

    # Logging
    access_log           /var/log/nginx/access.log;
    error_log            /var/log/nginx/error.log warn;

    # SSL
    ssl_session_timeout  1d;
    ssl_session_cache    shared:SSL:10m;
    ssl_session_tickets  off;

    # Diffie-Hellman parameter for DHE ciphersuites
    ssl_dhparam          /etc/nginx/dhparam.pem;

    # Mozilla Intermediate configuration
    ssl_protocols        TLSv1.2 TLSv1.3;
    ssl_ciphers          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    #ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
 	  #ssl_prefer_server_ciphers on;

    # OCSP Stapling
    ssl_stapling         on;
    ssl_stapling_verify  on;
    resolver             1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
    resolver_timeout     2s;

    # Load configs
    include              /etc/nginx/conf.d/*.conf;
    include              /etc/nginx/sites-enabled/*;
 }
diff --git a/php_fastcgi.conf b/php_fastcgi.conf
 # split path
 fastcgi_split_path_info       ^(.+\.php)(/.+)$;
 set                           $_fastcgi_path_info $fastcgi_path_info;

 # 404
 try_files                     $fastcgi_script_name =404;

 # default fastcgi_params
 include                       fastcgi_params;

 # fastcgi settings
 fastcgi_pass                  unix:/var/run/php/php7.3-fpm.sock;
 fastcgi_index                 index.php;
 fastcgi_buffers               8 16k;
 fastcgi_buffer_size           32k;

 # fastcgi params
 fastcgi_param DOCUMENT_ROOT   $realpath_root;
 fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
 fastcgi_param PATH_INFO       $_fastcgi_path_info;
 # fastcgi_param PHP_ADMIN_VALUE "open_basedir=$base/:/usr/lib/php/:/tmp/";
diff --git a/security.conf b/security.conf
 # security headers
 # add_header X-Frame-Options           "SAMEORIGIN" always;
 # add_header X-XSS-Protection          "1; mode=block" always;
 # add_header X-Content-Type-Options    "nosniff" always;
 # add_header Referrer-Policy           "no-referrer-when-downgrade" always;
 # add_header Content-Security-Policy   "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

 # . files
 location ~ /\.(?!well-known) {
    deny all;
 }
diff --git a/site.example.conf b/site.example.conf
 # HTTP redirect
 server {
    listen      80;
    listen      [::]:80;
    server_name site.example;
    include    letsencrypt.conf;

    location / {
        return 301 https://site.example$request_uri;
    }
 }

 server {
    listen                  443 ssl http2;
    listen                  [::]:443 ssl http2;
    server_name             site.example;
    root                    /var/www/site.example;
    include    letsencrypt.conf;
    index index.html index.php;

    # SSL
    ssl_certificate         /etc/letsencrypt/live/site.example/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/site.example/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/site.example/chain.pem;

    # security
    include                 security.conf;

    # additional config
    include                 general.conf;
    
    # handle .php
    location ~ [^/]\.php(/|$) {
        include php_fastcgi.conf;
    }
 }
	# favicon.ico
	location = /favicon.ico {
	log_not_found off;
	access_log off;
	}

	# robots.txt
	location = /robots.txt {
	log_not_found off;
	access_log off;
	}

	# assets, media
	location ~* \.(?:css(\.map)?\|js(\.map)?\|jpe?g\|png\|gif\|ico\|cur\|heic\|webp\|tiff?\|mp3\|m4a\|aac\|ogg\|midi?\|wav\|mp4\|mov\|webm\|mpe?g\|avi\|ogv\|flv\|wmv)$ {
	expires 7d;
	access_log off;
	}

	# svg, fonts
	location ~* \.(?:svgz?\|ttf\|ttc\|otf\|eot\|woff2?)$ {
	add_header Access-Control-Allow-Origin "*";
	expires 7d;
	access_log off;
	}

	# gzip
	gzip on;
	gzip_vary on;
	gzip_proxied any;
	gzip_comp_level 6;
	gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
	# ACME-challenge
	location ^~ /.well-known/acme-challenge/ {
	root /var/www/_letsencrypt;
	}
	user www-data;
	pid /run/nginx.pid;
	worker_processes auto;
	worker_rlimit_nofile 65535;

	events {
	multi_accept on;
	worker_connections 65535;
	use epoll;
	}

	http {
	charset utf-8;
	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	server_tokens off;
	log_not_found off;
	types_hash_max_size 2048;
	client_max_body_size 128M;

	# MIME
	include mime.types;
	default_type application/octet-stream;

	# Logging
	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log warn;

	# SSL
	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:10m;
	ssl_session_tickets off;

	# Diffie-Hellman parameter for DHE ciphersuites
	ssl_dhparam /etc/nginx/dhparam.pem;

	# Mozilla Intermediate configuration
	ssl_protocols TLSv1.2 TLSv1.3;
	ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
	#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
	#ssl_prefer_server_ciphers on;

	# OCSP Stapling
	ssl_stapling on;
	ssl_stapling_verify on;
	resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
	resolver_timeout 2s;

	# Load configs
	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
	}
	# split path
	fastcgi_split_path_info ^(.+\.php)(/.+)$;
	set $_fastcgi_path_info $fastcgi_path_info;

	# 404
	try_files $fastcgi_script_name =404;

	# default fastcgi_params
	include fastcgi_params;

	# fastcgi settings
	fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
	fastcgi_index index.php;
	fastcgi_buffers 8 16k;
	fastcgi_buffer_size 32k;

	# fastcgi params
	fastcgi_param DOCUMENT_ROOT $realpath_root;
	fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
	fastcgi_param PATH_INFO $_fastcgi_path_info;
	# fastcgi_param PHP_ADMIN_VALUE "open_basedir=$base/:/usr/lib/php/:/tmp/";
	# security headers
	# add_header X-Frame-Options "SAMEORIGIN" always;
	# add_header X-XSS-Protection "1; mode=block" always;
	# add_header X-Content-Type-Options "nosniff" always;
	# add_header Referrer-Policy "no-referrer-when-downgrade" always;
	# add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

	# . files
	location ~ /\.(?!well-known) {
	deny all;
	}
	# HTTP redirect
	server {
	listen 80;
	listen [::]:80;
	server_name site.example;
	include letsencrypt.conf;

	location / {
	return 301 https://site.example$request_uri;
	}
	}

	server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;
	server_name site.example;
	root /var/www/site.example;
	include letsencrypt.conf;
	index index.html index.php;

	# SSL
	ssl_certificate /etc/letsencrypt/live/site.example/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/site.example/privkey.pem;
	ssl_trusted_certificate /etc/letsencrypt/live/site.example/chain.pem;

	# security
	include security.conf;

	# additional config
	include general.conf;

	# handle .php
	location ~ [^/]\.php(/\|$) {
	include php_fastcgi.conf;
	}
	}