#
# This is an example of a high-security yet very compatible HTTPS proxy server:
#
# - This configuration listens on TCP port 80 but only issues a 301 redirect to port 443.
# - This configuration only allows TLSv1.2, TLSv1.1 & TLSv1.0 protocol.
# - The server mostly allows modes that provide perfect forward secrecy
# through a compatible 256 bit prime curve or strong DH parameters, except in the
# case of older clients where no PFS is available;
# - This configuration allows AES ciphers, using SHA384, SHA256 or SHA1 HMACs, and forbids
# DES or 3DES ciphers because of known weaknesses.
# Anonymous and/or weaker cipher modes are disabled.
# - This configuration does include the HSTS header to ensure that
# users do not accidentally connect to an insecure HTTP service after their
# first visit.
# - This configuration includes HPKP basic parameters, pins to be
# generated by you.
# - This configuration includes CSP parameters ensuring even static elements
# are loaded through TLS.
# - This configuration includes OCSP stapling.
#
#
#
# Supported Server Cipher(s):
#
# Accepted TLSv1.2 256 bits ECDHE-ECDSA-AES256-GCM-SHA384
# Accepted TLSv1.2 128 bits ECDHE-ECDSA-AES128-GCM-SHA256
# Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-GCM-SHA384
# Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-GCM-SHA256
# Accepted TLSv1.2 256 bits DHE-RSA-AES256-GCM-SHA384
# Accepted TLSv1.2 128 bits DHE-RSA-AES128-GCM-SHA256
# Accepted TLSv1.2 256 bits ECDHE-ECDSA-AES256-SHA384
# Accepted TLSv1.2 128 bits ECDHE-ECDSA-AES128-SHA256
# Accepted TLSv1.2 256 bits ECDHE-RSA-AES256-SHA384
# Accepted TLSv1.2 128 bits ECDHE-RSA-AES128-SHA256
# Accepted TLSv1.2 256 bits DHE-RSA-AES256-SHA256
# Accepted TLSv1.2 128 bits DHE-RSA-AES128-SHA256
# Accepted TLSv1.0 256 bits ECDHE-ECDSA-AES256-SHA
# Accepted TLSv1.0 128 bits ECDHE-ECDSA-AES128-SHA
# Accepted TLSv1.0 256 bits ECDHE-RSA-AES256-CBC-SHA
# Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-CBC-SHA
# Accepted SSLv3 256 bits DHE-RSA-AES256-SHA
# Accepted SSLv3 128 bits DHE-RSA-AES128-SHA
#
# This configuration offers a larger compatibility cipher suite list at the cost
# of PFS for XP clients & PFS level for DHE suites to support Java 6+.
# (Java 6+, XP/IE7+, Chrome/FF ESR, Android 2.3+, Safari 5.1.9+/iOS 6.0.1+)
#
# This configuration requires a modern nginx server linked against openssl. It
# serves HTTPS on TCP port 443 only (port 80 exists solely for the redirect
# above), it only logs errors, drops privs from root to www-data, and disables
# the server signature.
#
# Worker processes run as the unprivileged www-data account (the master still
# starts as root so it can bind the privileged ports below).
user www-data;
worker_processes 1;
pid /var/run/nginx.pid;
# The only log this file enables: errors go here, nothing else is written.
error_log /var/log/nginx/error.log;
events {
    # Upper bound on the connections a single worker may hold open at once.
    worker_connections 1024;
    # Left disabled; uncomment to let a worker accept all pending connections
    # at once instead of one per wake-up.
    # multi_accept on;
}
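http {
    include /etc/nginx/mime.types;
    sendfile on;
    #tcp_nopush on;
    #keepalive_timeout 0;
    keepalive_timeout 65;
    tcp_nodelay on;
    #gzip on;
    #gzip_disable "MSIE [1-6]\.(?!.*SV1)";

    # The header of this file says the server signature is disabled, but the
    # directive doing that was missing: hide the nginx version from the
    # Server header and from nginx-generated error pages.
    server_tokens off;

    # The header also says this server only logs errors. error_log is set at
    # the top of the file; this turns the per-request access log off. Re-enable
    # it if you depend on access logs for monitoring or incident investigation.
    access_log off;

    proxy_cache_key $scheme$host$request_uri;
    proxy_cache_path /var/cache/nginx/cached levels=2:2
                     keys_zone=global:64m inactive=60m max_size=1G;

    # Plain HTTP exists only to send every request to HTTPS.
    server {
        listen 1.2.3.4:80;
        return 301 https://$host$request_uri;
    }

    server {
        listen 1.2.3.4:443 default ssl;
        ssl_certificate /etc/nginx/example.com.crt;
        ssl_certificate_key /etc/nginx/example.com.key;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;

        # Generated using openssl dhparam -check -5 1024 -out /etc/nginx/params.1024
        # 1024-bit DH is kept only for Java 6 compatibility and is below the
        # 2048-bit minimum generally recommended today. If no Java6 clients
        # connect, size should be set to 4096 since it defines overall security level.
        ssl_dhparam /etc/nginx/params.1024;

        # Every suite below uses ECDHE or DHE key exchange (forward secrecy);
        # the CBC/SHA1 suites at the end of the list are the compatibility tail
        # for older clients (WinXP/IE7, Java 6) described in the file header.
        # Anonymous, export, DES/3DES, MD5, PSK, SRP and DSS suites are refused.
        ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:!aNULL:!eNULL:!LOW:!DES:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;

        # TLS 1.0 and 1.1 are kept for the old clients listed in the header;
        # both have since been deprecated (RFC 8996). Reduce this to
        # "ssl_protocols TLSv1.2;" once those clients no longer matter.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

        # Enable ocsp stapling (mechanism by which a site can convey certificate
        # revocation information to visitors in a privacy-preserving, scalable manner)
        # The resolver is only used to look up the OCSP responder. 8.8.8.8 is a
        # public third-party resolver; use a local one if that lookup should not
        # leave your network.
        resolver 8.8.8.8;
        ssl_stapling on;
        # Verify the stapled OCSP response against the trusted chain below
        # before handing it to clients.
        ssl_stapling_verify on;
        # This file must contain the CA chain needed to verify OCSP responses.
        # If example.com.crt holds only the leaf certificate, point this at the
        # intermediate/root chain file instead.
        ssl_trusted_certificate /etc/nginx/example.com.crt;

        # For ssl client certificates, edit ssl_client_certificate
        # (specifies a file containing permissible CAs) and uncomment the
        # following (the trailing ';' was missing and would have failed the
        # config test once uncommented):
        #ssl_verify_client optional;
        #ssl_client_certificate /etc/ssl/ca.crt;

        server_name example.com;

        location / {
            # Uncomment to route requests through Tor.
            # proxy_pass http://127.0.0.1:8118;
            # proxy_set_header Host $server_id.onion;
            # proxy_read_timeout 2000;

            # Capture the subdomain for the Tor Host header above. The original
            # pattern "(.*).example.com" left the dots unescaped and the match
            # unanchored, so hosts such as "fooXexample.com" or
            # "www.example.com.other.test" also matched; escape and anchor it.
            if ($host ~* ^(.*)\.example\.com$) {
                set $server_id $1;
            }

            # 31536000 == 1 year
            add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
            add_header X-Frame-Options DENY;

            # This header enables the Cross-site scripting (XSS) filter built
            # into older browsers; current browsers ignore it, and the CSP
            # below is the effective control.
            # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
            add_header X-XSS-Protection "1; mode=block";

            # This header defines a Content Security Policy (CSP) on supported browsers.
            # Note that "https:" and "wss:" are scheme sources: this policy lets
            # content load from ANY https/wss origin, so it enforces transport
            # (no mixed content), not an origin allowlist. Replace the schemes
            # with explicit origins if you want the latter.
            # http://www.w3.org/TR/CSP/
            # https://www.owasp.org/index.php/Content_Security_Policy
            add_header Content-Security-Policy "default-src 'self' https: wss:;";

            # Cache settings only take effect once proxy_pass above is enabled.
            proxy_cache global;
            proxy_cache_valid any 1h;
            proxy_cache_use_stale updating;
        }
    }
}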