@sunsongxp
Forked from plentz/nginx.conf
Last active June 9, 2018 10:34
Best nginx configuration for improved security (and performance). Complete blog post here http://tautt.com/best-nginx-configuration-for-security/
# to generate your dhparam.pem file, run in the terminal
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
# https://www.digitalocean.com/community/tutorials/how-to-set-up-basic-http-authentication-with-nginx-on-ubuntu-14-04
# to generate Basic HTTP Authentication key file
# the realm string passed to auth_basic "realm" is sent back in the HTTP response header shown below.
# www-authenticate: Basic realm="realm"
sudo apt install apache2-utils
sudo htpasswd -c /etc/nginx/.htpasswd nginx
. . .
server_name localhost;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
try_files $uri $uri/ =404;
# Uncomment to enable naxsi on this location
# include /etc/nginx/naxsi.rules
auth_basic "realm";
auth_basic_user_file /etc/nginx/.htpasswd;
}
. . .
# https://stackoverflow.com/questions/6999565/python-https-get-with-basic-authentication/7000784
# http://docs.python-requests.org/en/latest/user/authentication/
# Use Basic HTTP Authentication in Python
import requests
r = requests.get('https://my.website.com/rest/path', auth=('myusername', 'mybasicpass'))
print(r.text)
# Create an htpasswd-style hashed password using Python:
# https://gist.github.com/sunsongxp/e52ca2a818d567bdad7ad5727616a362
# The htpasswd file is formatted like this:
# username:hashed_password
# The Python script linked above only supports CRYPT encryption; the htpasswd usage below lists the other schemes
# sloppysun@ubuntu:~$ htpasswd
# Usage:
# htpasswd [-cimBdpsDv] [-C cost] passwordfile username
# htpasswd -b[cmBdpsDv] [-C cost] passwordfile username password
#
# htpasswd -n[imBdps] [-C cost] username
# htpasswd -nb[mBdps] [-C cost] username password
# -c Create a new file.
# -n Don't update file; display results on stdout.
# -b Use the password from the command line rather than prompting for it.
# -i Read password from stdin without verification (for script usage).
# -m Force MD5 encryption of the password (default).
# -B Force bcrypt encryption of the password (very secure).
# -C Set the computing time used for the bcrypt algorithm
# (higher is more secure but slower, default: 5, valid: 4 to 31).
# -d Force CRYPT encryption of the password (8 chars max, insecure).
# -s Force SHA encryption of the password (insecure).
# -p Do not encrypt the password (plaintext, insecure).
# -D Delete the specified user.
# -v Verify password for the specified user.
# On other systems than Windows and NetWare the '-p' flag will probably not work.
# The SHA algorithm does not use a salt and is less secure than the MD5 algorithm.
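The Basic authentication flow above has two halves that the gist only shows from the client side: the browser (or requests) sends an Authorization header that is nothing more than base64 of username:password, and nginx looks the user up in the username:hashed_password file that htpasswd writes. The script below is an added example (not part of this gist or of the linked htpasswd script) that decodes such a header, checks the credential against the entry formats htpasswd can produce, and flags entries written with the -d, -s or -p schemes that the usage text marks as insecure. The htpasswd lines are constructed: the bcrypt, apr1 and crypt fields are shape-only placeholders, while the {SHA} and plaintext entries both encode the password "secret". Only the {SHA} and plaintext schemes are verified here because the standard library has no bcrypt or apr1 implementation.

```python
"""Basic-auth credential handling against an htpasswd file (stdlib only)."""
import base64
import binascii
import hashlib
import re

# Constructed htpasswd file in the "username:hashed_password" format. The bcrypt,
# apr1 and crypt fields are placeholders with the right shape, not hashes of any
# real password; the {SHA} and plaintext entries both encode "secret".
SAMPLE_HTPASSWD = """\
alice:$2y$05$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234
bob:$apr1$Zx8UfLc2$z9ZoT2N7n4bGBW0fBvV/k1
carol:{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
dave:abJnggxhB/yWI
eve:secret
"""

# Schemes htpasswd can still write (-s, -d, -p) that should not be in a live file.
WEAK_SCHEMES = {"sha1", "crypt", "plaintext"}


def classify_hash(h):
    """Return (scheme, note) for one htpasswd hash field, judged by prefix/shape."""
    if h.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt", "cost=%s" % h[4:6]
    if h.startswith("$apr1$"):
        return "apr1-md5", "salted, iterated MD5 (htpasswd -m default)"
    if h.startswith("{SHA}"):
        return "sha1", "unsalted SHA-1: identical passwords give identical hashes"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", h):
        return "crypt", "traditional DES crypt: only the first 8 characters count"
    return "plaintext", "not hashed at all"


def parse_htpasswd(text):
    """Map username -> hash field, skipping blank lines and '#' comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, hashed = line.partition(":")
        entries[user] = hashed
    return entries


def weak_users(text):
    """Usernames whose stored credential uses a scheme from WEAK_SCHEMES."""
    return [u for u, h in parse_htpasswd(text).items()
            if classify_hash(h)[0] in WEAK_SCHEMES]


def sha1_htpasswd_hash(password):
    """The {SHA} form that htpasswd -s writes: base64(sha1(password)), no salt."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def check_password(stored, password):
    """Verify against the schemes the stdlib can check; None means unsupported here."""
    scheme = classify_hash(stored)[0]
    if scheme == "sha1":
        return stored == sha1_htpasswd_hash(password)
    if scheme == "plaintext":
        return stored == password
    return None  # bcrypt / apr1 / crypt need a dedicated library (e.g. passlib)


def decode_basic_authorization(header_value):
    """Split an 'Authorization: Basic <base64>' value into (user, password), or None."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def authenticate(header_value, htpasswd_text):
    """Return the username if the Basic header matches an htpasswd entry, else None."""
    creds = decode_basic_authorization(header_value)
    if creds is None:
        return None
    user, password = creds
    stored = parse_htpasswd(htpasswd_text).get(user)
    if stored is None:
        return None
    return user if check_password(stored, password) else None


if __name__ == "__main__":
    for user, hashed in parse_htpasswd(SAMPLE_HTPASSWD).items():
        scheme, note = classify_hash(hashed)
        print("WEAK " if scheme in WEAK_SCHEMES else "ok   ", user, scheme, "-", note)
    hdr = "Basic " + base64.b64encode(b"carol:secret").decode("ascii")
    print("carol logs in as:", authenticate(hdr, SAMPLE_HTPASSWD))
```

Because decode_basic_authorization recovers the password verbatim from the header, the only thing protecting it in transit is the TLS configuration further down; Basic auth over plain port 80 is equivalent to sending the password in the clear. Running weak_users over a real file is a quick way to confirm that every entry was created with -m or -B rather than the schemes htpasswd itself labels insecure.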
# How to Change the Maximum File Post Size in Nginx
# Set client_max_body_size
http {
......
client_max_body_size 200M;
......
}
or
server {
.....
client_max_body_size 200M;
......
}
# Other references:
# Full Example Configuration
# https://www.nginx.com/resources/wiki/start/topics/examples/full/
# read more here http://tautt.com/best-nginx-configuration-for-security/
# don't send the nginx version number in error pages and Server header
server_tokens off;
# config that stops the browser from rendering the page inside a frame or iframe
# and avoids clickjacking http://en.wikipedia.org/wiki/Clickjacking
# if you need to allow [i]frames, you can use SAMEORIGIN or even set a URI with ALLOW-FROM uri
# https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
add_header X-Frame-Options SAMEORIGIN;
# when serving user-supplied content, include an X-Content-Type-Options: nosniff header along with the Content-Type: header,
# to disable content-type sniffing on some browsers.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
# currently supported in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
# http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
# 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
add_header X-Content-Type-Options nosniff;
# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
# It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
# this particular website if it was disabled by the user.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
add_header X-XSS-Protection "1; mode=block";
# with Content Security Policy (CSP) enabled (and a browser that supports it: http://caniuse.com/#feat=contentsecuritypolicy),
# you can tell the browser that it can only download content from the domains you explicitly allow
# http://www.html5rocks.com/en/tutorials/security/content-security-policy/
# https://www.owasp.org/index.php/Content_Security_Policy
# I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
# directives for css and js (if you have inline css or js, you will need to keep it too).
# more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
# add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";
# Sets the bucket size for the server names hash tables. The default value depends on the size of the processor’s cache line.
# server_names_hash_bucket_size 64;
# redirect all http traffic to https
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name sloppysun.com *.sloppysun.com;
# Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
return 301 https://$host$request_uri;
}
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name sloppysun.com *.sloppysun.com;
ssl_certificate /etc/nginx/ssl/server.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
# enable session resumption to improve https performance
# http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# enables server-side protection from BEAST attacks
# http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
ssl_prefer_server_ciphers on;
# disable SSLv3 (enabled by default since nginx 0.8.19) since it's less secure than TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
ssl_protocols TLSv1.2;
# ciphers chosen for forward secrecy and compatibility
# http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
# enable ocsp stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner)
# http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
ssl_stapling on;
ssl_stapling_verify on;
# We don't need the next line to enable ssl_stapling because nginx can use ssl_certificate directly
# ssl_trusted_certificate /etc/nginx/ssl/server.crt;
# config to enable HSTS (HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
# to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
# also https://hstspreload.org/
# HSTS (ngx_http_headers_module is required) (31536000 seconds = 1 year)
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# resolver 8.8.8.8 8.8.4.4;
# ... the rest of your configuration
# Because this 'location' block contains another 'add_header' directive,
# we must redeclare the STS header
# https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/
location / {
return 200 "Hello World!";
add_header Content-Type text/plain;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
}
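The redeclaration rule in the last location block is easy to get wrong in a larger configuration: any block that contains even one add_header of its own inherits none of the add_header directives from its parent, so a location that only sets Content-Type silently loses X-Frame-Options, X-Content-Type-Options and Strict-Transport-Security. The checker below is an added example (not part of this gist or of nginx) that parses a configuration into nested blocks and reports every block that drops inherited headers this way. The configuration it runs over is constructed to mirror the server above (the hostname example.test is a placeholder); the parser is a minimal one that understands quoted strings, comments, simple directives and brace blocks, which is enough for add_header but not for every nginx syntax feature.

```python
"""Find nginx blocks that silently drop inherited add_header directives (stdlib only)."""
import re

# Constructed configuration shaped like the server above: the security headers
# are set at server level, "location /" adds its own Content-Type header without
# redeclaring them, "/healthz" adds nothing, and "/static/" redeclares correctly.
SAMPLE_CONF = """
http {
    server {
        listen 443 ssl http2;
        server_name example.test;
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

        location / {
            return 200 "Hello World!";
            add_header Content-Type text/plain;   # this single line drops the three above
        }

        location /healthz {
            return 200 "ok";                      # no add_header here: inherits all three
        }

        location /static/ {
            add_header Cache-Control "public, max-age=3600";
            add_header X-Frame-Options SAMEORIGIN;
            add_header X-Content-Type-Options nosniff;
            add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        }
    }
}
"""

# One token per match: comment, quoted string (may contain ';' or '{'), structural
# character, or bare word. tokenize() drops the comments.
TOKEN_RE = re.compile(r'''
      \#[^\n]*
    | "(?:[^"\\]|\\.)*"
    | '(?:[^'\\]|\\.)*'
    | [{};]
    | [^\s{};"'#]+
''', re.VERBOSE)


def tokenize(text):
    return [m.group(0) for m in TOKEN_RE.finditer(text) if not m.group(0).startswith("#")]


def parse_nginx(text):
    """Parse into a list of (name, args, children); children is None for simple directives."""
    tokens = tokenize(text)
    pos = 0

    def block():
        nonlocal pos
        items = []
        while pos < len(tokens) and tokens[pos] != "}":
            words = []
            while pos < len(tokens) and tokens[pos] not in ("{", ";", "}"):
                words.append(tokens[pos])
                pos += 1
            if pos >= len(tokens) or tokens[pos] == "}" or not words:
                raise ValueError("unterminated directive near token %d" % pos)
            if tokens[pos] == ";":
                pos += 1
                items.append((words[0], words[1:], None))
            else:
                pos += 1                      # consume "{"
                children = block()
                if pos >= len(tokens):
                    raise ValueError("missing closing brace for %s" % words[0])
                pos += 1                      # consume "}"
                items.append((words[0], words[1:], children))
        return items

    return block()


def header_name(args):
    return args[0].strip("'\"").lower()


def find_lost_headers(items, inherited=frozenset(), path=()):
    """nginx rule: a block with any add_header of its own inherits none from its parent.

    Returns [(block path, sorted names of inherited headers that stopped applying)].
    """
    findings = []
    for name, args, children in items:
        if children is None:
            continue
        own = {header_name(a) for n, a, _ in children if n == "add_header" and a}
        effective = frozenset(own) if own else inherited
        here = path + ((name + " " + " ".join(args)).strip(),)
        lost = inherited - effective
        if lost:
            findings.append((" > ".join(here), sorted(lost)))
        findings.extend(find_lost_headers(children, effective, here))
    return findings


if __name__ == "__main__":
    for where, lost in find_lost_headers(parse_nginx(SAMPLE_CONF)):
        print("%s drops inherited header(s): %s" % (where, ", ".join(lost)))
```

On the constructed configuration the only finding is "http > server > location /" dropping all three security headers; "/healthz" is clean because it declares no add_header at all, and "/static/" is clean because it redeclares every inherited header alongside its own. Note that the checker compares header names only: a location that redeclares Strict-Transport-Security with a shorter max-age or without "always" would still pass, so the values deserve a look as well.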