Permalink
Switch branches/tags
Nothing to show
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
158 lines (130 sloc) 9.02 KB
server {
listen 80;
server_name 46.227.71.123;
more_set_headers "Content-Security-Policy form-action 'none'; default-src 'none'; base-uri 'none'; referrer no-referrer; reflected-xss block";
return 301 https://swehack.org;
}
server {
listen 80;
more_clear_headers 'Server';
more_clear_headers 'Connection';
more_clear_headers 'Content-length:';
more_clear_headers 'Content-Type:';
more_clear_headers 'Date';
more_set_headers 'Connection: Close';
more_set_headers 'Content-length: 0';
more_set_headers 'Cache-Control: no-cache, no-store';
more_set_headers "Content-Security-Policy form-action 'none'; default-src 'none'; base-uri 'none'; referrer no-referrer; reflected-xss block";
add_header suborigin $rnd;
server_name swehack.org www.swehack.org swehack.org. www.swehack.org.;
return 301 https://swehack.org$request_uri;
}
server {
listen 443 ssl;
server_name swehack.org;
root /var/www/2;
index index.php;
error_page 404 /404.php;
ssl_certificate_key /etc/letsencrypt/live/www.swehack.org/privkey.pem;
ssl_certificate /etc/letsencrypt/live/www.swehack.org/fullchain.pem;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_trusted_certificate /etc/letsencrypt/live/www.swehack.org/fullchain.pem;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:10m;
ssl_ecdh_curve secp384r1;
ssl_stapling on;
ssl_stapling_verify on;
resolver 77.66.108.93 193.183.98.154;
more_set_headers 'Strict-Transport-Security max-age=31556926; includeSubDomains; preload';
more_set_headers 'X-XSS-Protection 1; mode=block';
more_set_headers 'X-Frame-Options DENY';
more_set_headers 'X-Content-Type-Options nosniff';
more_set_headers 'X-Permitted-Cross-Domain-Policies master-only';
more_set_headers "Content-Security-Policy img-src 'self' ; script-src 'self'; connect-src 'self'; form-action 'self'; font-src 'self'; manifest-src 'self'; child-src 'none'; media-src 'none'; default-src 'none'; style-src 'self'; frame-ancestors 'none'; base-uri https://swehack.org; upgrade-insecure-requests; block-all-mixed-content; referrer origin; reflected-xss filter; require-sri-for script style; cookie-scope host secure";
more_set_headers 'Referrer-Policy origin';
more_set_headers 'Public-Key-Pins pin-sha256="GQ/38ieosy4Hgvze+nufhtM5rrOkdIU5fiK9qtUojo8="; pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="z6cuswA6E1vgFkCjUsbEYo0Lf3aP8M8YOvwkoiGzDCo="; max-age=2592000; preload';
add_header Server swehack.org;
access_log off;
error_log /dev/null;
location ~ /(config\.php|common\.php|includes|cache|files|store|images/avatars/upload) {
deny all;
internal;
}
location ~* \.(?:jpg|jpeg|gif|png|ico|svg|css|js|woff2|woff)$ {
more_set_headers "Content-Security-Policy default-src 'none'; referrer origin; upgrade-insecure-requests; block-all-mixed-content";
more_set_headers "Vary Accept-Encoding";
more_set_headers "Cache-Control max-time=86400, public, immutable";
more_set_headers "suborigin static";
}
location /tack {
more_set_headers "Content-Security-Policy img-src 'self'; script-src 'none'; connect-src 'none'; form-action 'self'; font-src 'self'; manifest-src 'none'; child-src 'none'; media-src 'none'; default-src 'none'; style-src 'self' 'unsafe-inline'; frame-ancestors 'none'";
add_header suborigin $rnd;
index index.html;
}
location ~* /masters {
include /etc/nginx/php.conf;
more_set_headers "Content-Security-Policy img-src 'self'; script-src 'unsafe-inline'; connect-src 'none'; form-action 'self'; font-src 'self'; manifest-src 'none'; child-src 'none'; media-src 'none'; default-src 'none'; style-src 'self' 'unsafe-inline'; frame-ancestors 'none'";
more_set_headers "suborigin: static";
index index.php;
}
location ~ /viewonline\.php$ {
return 404;
}
location ~ ucp\.php {
include /etc/nginx/php.conf;
more_clear_headers 'Content-Security-Policy';
more_set_headers "Content-Security-Policy default-src 'none' ; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' ; font-src 'self' ; connect-src 'none' ; media-src 'none' ; object-src 'none' ; child-src 'none' ; frame-ancestors 'none' ; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; reflected-xss block; manifest-src 'self' ; referrer no-referrer";
## THESE ARE FOR WRITING PM'S. EVERYTHING WITH THE "COMPOSE"-PARAMETER MEANS WRITING A PM
if ($args ~ i=pm&mode=compose) {
more_set_headers "Content-Security-Policy default-src 'none' ; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self'; font-src 'self' ; connect-src 'none' ; media-src 'none' ; object-src 'none' ; child-src 'none' ; frame-ancestors 'none'";
}
if ($args ~ i=ucp_pm) {
return 301 /ucp.php?i=pm;
}
if ($args ~* mode=logout&sid=) {
more_set_headers "Clear-Site-Data: cache, cookies, storage";
}
## THESE ARE FOR THE LOGIN & REGISTER. NOTE: mode=register NEVER HAS SID BUT LOGIN DOES
if ($args ~* mode=register) {
more_set_headers "Content-Security-Policy img-src 'self'; script-src 'none'; connect-src 'self'; form-action 'self'; font-src 'self'; manifest-src 'self'; child-src 'none'; media-src 'none'; default-src 'none'; style-src 'self'; base-uri 'self'; referrer origin; reflected-xss block; require-sri-for script style";
}
if ($args ~* mode=login) {
more_set_headers "Content-Security-Policy img-src 'self'; script-src 'none'; connect-src 'self'; form-action 'self'; font-src 'self'; manifest-src 'self'; child-src 'self'; media-src 'none'; default-src 'none'; style-src 'self'; base-uri 'self'; referrer origin; reflected-xss block; require-sri-for script style";
add_header suborigin $rnd;
expires 365d;
add_header Cache-Control "public, immutable";
}
}
location ~ /adm/ {
include /etc/nginx/php.conf;
more_clear_headers "Content-Security-Policy";
more_set_headers "Content-Security-Policy: img-src 'self' ; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; form-action 'self'; font-src 'self'; manifest-src 'self'; child-src 'none'; media-src 'none'; default-src 'none'; style-src 'self' 'unsafe-inline';";
more_set_headers "suborigin: static";
}
location ~ (viewtopic\.php$) {
include /etc/nginx/php.conf;
more_clear_headers "Content-Security-Policy";
more_set_headers "Content-Security-Policy: img-src https://i.imgur.com:443/ 'self'; script-src 'self' 'unsafe-inline'; connect-src 'none'; form-action 'self'; font-src 'self'; manifest-src 'self'; child-src 'none'; media-src 'none'; default-src 'none'; style-src 'self' 'unsafe-inline'; base-uri https://swehack.org; upgrade-insecure-requests; block-all-mixed-content; referrer origin; reflected-xss block; require-sri-for script style";
}
location ~ (posting\.php$) {
include /etc/nginx/php.conf;
more_clear_headers "Content-Security-Policy";
more_set_headers "Content-Security-Policy: img-src https://i.imgur.com:443/ 'self'; script-src 'self' 'unsafe-inline' ; connect-src 'none'; form-action 'self'; font-src 'self'; manifest-src 'self'; child-src 'none'; media-src 'none'; default-src 'none'; style-src 'self' 'unsafe-inline'; base-uri https://swehack.org; upgrade-insecure-requests; block-all-mixed-content; referrer origin; reflected-xss block; require-sri-for script style";
}
location ~ /memberlist\.php {
include /etc/nginx/php.conf;
more_clear_headers "Content-Security-Policy";
more_set_headers "Content-Security-Policy: img-src 'self' ; script-src 'self' 'unsafe-inline'; connect-src 'self'; form-action 'self'; font-src 'self'; manifest-src 'self'; child-src 'none'; media-src 'none'; default-src 'none'; style-src 'self' 'unsafe-inline'";
}
location ~ viewforum\.php$ {
include /etc/nginx/php.conf;
more_clear_headers "Content-Security-Policy";
more_set_headers "Content-Security-Policy default-src 'none' ; script-src 'none'; style-src 'self'; img-src 'self' ; font-src 'self' ; connect-src 'none' ; media-src 'none' ; object-src 'none' ; child-src 'none' ; frame-ancestors 'none' ; form-action 'self'; upgrade-insecure-requests; block-all-mixed-content; reflected-xss block; manifest-src 'self' ; referrer origin";
}
location ~ \.php$ {
include /etc/nginx/php.conf;
}
}