/nginx.vim

Permalink
Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
Raw Blame History
167 lines (142 sloc) 5.67 KB
# vim: ft=nginx
snippet l80
listen [::]:80 ipv6only=off;
$0
# Listen statements when using multiple http server blocks
snippet l80-multi
listen [::]:80 default_server;
listen 80 default_server;
$0
snippet l443
listen [::]:443 ipv6only=off ssl http2 default_server;
$0
# Listen statements when using multiple ssl server blocks
snippet l443-multi
listen [::]:443 ssl http2 default_server;
listen 443 ssl http2 default_server;
$0
# Cipher suites are taken and adapted from Mozilla's recommendations
# https://wiki.mozilla.org/Security/Server_Side_TLS
#
# Paranoid mode
snippet ciphers-paranoid
# Paranoid ciphers, 256bit minimum, prefer ChaCha20/ Poly1305, bad compatibility
# No Android 5+6 (4.4 works), Chrome < 51, Firefox < 49, IE < 11, Java 6-8, GoogleBot
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384';
$0
# Mozilla modern
snippet ciphers-modern
# High-security ciphers (elliptic curves), less compatibility
# No IE < 10, OpenSSL-0.9.8, Safari < 7, Android < 4.4
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
$0
# Mozilla intermediate (Removed DES for more security)
snippet ciphers-compat
# Medium-security ciphers with good compatibility (Weak: SHA)
# No IE on WinXP
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS';
$0
# Mozilla old (Removed DSS, HIGH, SEED for more security)
snippet ciphers-low
# Low-security ciphers (Weak: DES, SHA)
# No IE6, Java6
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:DES-CBC3-SHA:!SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!KRB5-DES-CBC3-SHA:!SRP:!DSS';
$0
snippet ssl-options
# SSL certificate
ssl_certificate /etc/nginx/certs/${4:www.example.com}.crt;
ssl_certificate_key /etc/nginx/certs/${5:www.example.com}.key;
# ssl_dhparam /etc/nginx/certs/dhparam.pem;
ssl_prefer_server_ciphers on;
ssl_stapling off;
ssl_stapling_verify off;
ssl_session_cache 'shared:SSL:10m';
ssl_session_tickets off;
# Enable HSTS (1 year) and some security options
add_header Strict-Transport-Security 'max-age=31536000 includeSubDomains; preload;';
$0
snippet security-headers
add_header X-Frame-Options 'DENY';
add_header X-Content-Type-Options 'nosniff';
add_header X-Frame-Options 'SAMEORIGIN';
add_header X-XSS-Protection '1; mode=block';
add_header X-Robots-Tag 'none';
add_header X-Download-Options 'noopen';
add_header X-Permitted-Cross-Domain-Policies 'none';
$0
snippet robots.txt
# Tell bots to not index this site
location /robots.txt {
default_type text/plain;
return 200 'User-agent: *\nDisallow: /\n';
}
$0
snippet basic-auth
auth_basic 'Restricted';
auth_basic_user_file ${1:/etc/nginx/htpasswd};
$0
snippet proxy_pass
proxy_pass_header Date;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://${1:backend};
$0
snippet php-fpm
location ~ \.php$ {
include fastcgi_params;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_index index.php;
fastcgi_intercept_errors on;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_pass ${1:127.0.0.1:9000};
}
$0
snippet php-uwsgi
location ~ \.php$ {
include uwsgi_params;
uwsgi_max_temp_file_size 4096m;
uwsgi_modifier1 14;
uwsgi_read_timeout 900;
uwsgi_send_timeout 900;
uwsgi_pass ${1:unix:///run/uwsgi/php.sock};
}
$0
snippet redirect-ssl
location / {
return 301 https://$http_host$request_uri;
}
$0
snippet redirect-other
# Redirect other requested hosts
if ($host != '${1:DOMAIN}') {
return 301 https://${2:DOMAIN}$request_uri;
}
$0
snippet letsencrypt
listen [::]:80 ipv6only=off;
# Serve well-known path for letsencrypt
location /.well-known/acme-challenge {
root /etc/nginx/certs/acme;
default_type text/plain;
}
location / {
return 301 https://$http_host$request_uri;
}
$0
snippet cut-trailing-slash
rewrite ^/(.*)/$ $scheme://$http_host:$server_port/$1 permanent;
$0
snippet location
location ${1:/} {
${0:${VISUAL}}
}
snippet server
server {
${0:${VISUAL}}
}