-
Notifications
You must be signed in to change notification settings - Fork 4
/
nginx.conf
298 lines (248 loc) · 11.9 KB
/
nginx.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
# ----------------------------------------------------------------------------------------------
# Secure Nginx Config
# Copyright (c) 2022-2024 Esad Cetiner
#
# This configuration template is distributed under GPLv2
# Please see the included LICENSE file for full details
# ----------------------------------------------------------------------------------------------
user www-data;
worker_processes auto;
worker_cpu_affinity auto;
pid /run/nginx.pid;
load_module modules/ngx_http_headers_more_filter_module.so;
# uncomment to use CrowdSec Nginx Bouncer with Lua
# Load CrowdSec
# load_module modules/ndk_http_module.so;
# load_module modules/ngx_http_lua_module.so;
# uncomment if you use modsecurity
# If you use ModSecurity and CrowdSec then make sure you load CrowdSec FIRST
# Load ModSecurity
# load_module modules/ngx_http_modsecurity_module.so;
# uncomment to use brotli
# Load Brotli
# load_module modules/ngx_http_brotli_filter_module.so;
# load_module modules/ngx_http_brotli_static_module.so;
# Enable Jit for better regex performance
pcre_jit on;
events
{
worker_connections 16384;
multi_accept on;
use epoll;
}
# worker_rlimit_nofile = (worker_connections * 1) + 500
# worker_rlimit_nofile = (worker_connections * 2) + 500 if you use nginx as reverse proxy
worker_rlimit_nofile 33268;
http
{
##
# Basic Settings
##
server_names_hash_bucket_size 64;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Not specifying a webroot within a server block can have very severe consequences and
# potentially expose everything stored on the server to the internet, fully
# accessable for anybody with a web browser to view.
# This directive will set the default webroot to an empty webroot to avoid this miscconfiguration.
root /var/www/empty-webroot/;
# Use localhost resolver to prevent DNS spoofing attacks
# Specifying public DNS Servers within Nginx, even within your local network can result in DNS spoofing.
# Some of these issues have been fixed in Nginx, but not all.
# Try using 127.0.0.11 or 127.0.0.1 if DNS doesn't work or if you see "(111: Connection refused) while resolving" in your error.log
# This directive is required if your using CrowdSec Nginx Bouncer and connecting to a LAPI with a domain name.
# See - https://blog.zorinaq.com/nginx-resolver-vulns/
resolver 127.0.0.53;
resolver_timeout 60s;
# Redirect to HTTPS
server
{
# Listen on port 80 with IPv4 and IPv6 as default server
listen [::]:80 default_server;
listen 80 default_server;
server_name _;
# Redirect all requests to HTTPS
return 301 https://$host$request_uri;
# Log Requests to default server block
access_log /var/log/nginx/default_access.log;
error_log /var/log/nginx/default_error.log;
}
# This default server block protects against host header injection attacks by
# ensuring that an request with an invalid host header won't be sent to your application, and will instead get a forbidden error.
# If you have any server blocks listening on ports other than 443, then you'll
# have to add those ports here to ensure all ports have full coverage.
# As a side effect, you may face fewer scans by bots scanning the internet by IP address.
server
{
# Listen on port 443 with IPv4 and IPv6 as default server
listen [::]:443 ssl default_server;
listen 443 ssl default_server;
server_name _;
return 403;
# Log Requests to default server block
access_log /var/log/nginx/default_access.log;
error_log /var/log/nginx/default_error.log;
# It doesn't matter what certificate you use here, no legitimate traffic should be going to this server block.
ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
}
# VirtualHosts and configs includes
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*.conf;
##
# TLS Settings
##
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ecdh_curve X25519:X448:secp256r1:secp384r1:secp521r1:sect571r1;
# uncomment and replace above if you want 100% in key exchange for ssl labs
# ssl_ecdh_curve secp384r1:secp521r1:sect571r1;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-ARIA256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM8:ECDHE-ECDSA-AES128-CCM:ECDHE-ECDSA-ARIA128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256;
# include /etc/nginx/snippets/chacha20-non-aes-ni.conf; # Prioritize chacha20 for clients that don't support AES-NI
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
# OCSP settings
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem; # <- add path to cert chain for OCSP stapling
##
# Strip Headers
##
# Hide Nginx version from error pages
server_tokens off;
# Strip headers that may leak information about your application
# such as what scripting language is used, and the version.
proxy_hide_header X-Powered-By;
proxy_hide_header X-AspNet-Version;
proxy_hide_header X-AspNetMvc-Version;
proxy_hide_header X-Runtime;
proxy_hide_header X-Redirect-By;
# Strip Nginx Server header
# This won't remove nginx from error pages, you'll have to
# use the hide-nginx.conf snippet to completely hide nginx.
more_set_headers "Server : ";
##
# Common Security Headers
##
# The deprecated XSS auditor was originally meant to mitigate XSS attacks in unsafe code.
# It's been found that the XSS auditor does a poor job at mitigating XSS attacks and can even introduce
# XSS vulnerabilities in otherwise safe code. The XSS auditor has been replaced by the CSP policy header,
# which provides much stronger XSS protection than the XSS auditor, and can even stop other attacks like clickjacking.
# Most browsers have removed the XSS auditor due to the aforementioned security issues, for browsers that still support the
# XSS auditor you should explicitly disable it.
# See - https://portswigger.net/research/abusing-chromes-xss-auditor-to-steal-tokens
more_set_headers "X-XSS-Protection : 0";
# Tell browsers to not guess the MIME type, this can mitigate some XSS attacks.
more_set_headers "X-Content-Type-Options : nosniff"
# Old IE 8 header, this isn't used in modern browser however it is good practise to set this value to noopen
more_set_headers "X-Download-Options : noopen";
# Legacy HTTP header, enforces same origin policy for sites that use Adobe Flash and Microsoft Silverlight
more_set_headers "X-Permitted-Cross-Domain-Policies : none"
##
# Logging Settings
##
error_log /var/log/nginx/error.log;
##
# Gzip Settings
##
gzip on;
gzip_min_length 1499;
gzip_disable "msie6";
gzip_vary on;
gzip_static on;
gzip_proxied any;
gzip_comp_level 4;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types
application/atom+xml
application/javascript
application/json
application/ld+json
application/manifest+json
application/rss+xml
application/vnd.geo+json
application/vnd.ms-fontobject
application/wasm application/x-font-ttf
application/x-web-app-manifest+json
application/xhtml+xml application/xml
image/bmp
image/svg+xml
image/x-icon
font/opentype
text/cache-manifest
text/css
text/javascript
text/plain
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy
text/xml
application/xml+rss;
##
# Brotli Settings
##
# Uncomment to activate Brotli, make sure the Brotli module is installed and activated.
# include /etc/nginx/snippets/brotli.conf;
##
# GeoIP
##
# GeoIP (optional)
# geoip_country /usr/local/share/GeoIP/GeoIP.dat;
# geoip_city /usr/local/share/GeoIP/GeoLiteCity.dat;
##
# Performance and Cache
##
# See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/
aio threads;
# 0-RTT with TLSv1.3 can significantly improve the performance of an initial TLS connection, especially if combined with HTTP3.
# This feature is disabled by default due to risks of replay attacks.
# See - https://blog.cloudflare.com/even-faster-connection-establishment-with-quic-0-rtt-resumption/
# Uncomment below to activate 0-RTT, make sure you are aware of the risks before activating.
# Per server block configuration is not supported.
# include /etc/nginx/snippets/0-rtt.conf;
##
# Basic DoS mitigations
# Default values here are very high so it can work well for everybody without false positives, you can fine tune rate limiting per vhost.
##
# Limit concurrent connections to 130, most browsers will open up lots of concurrent connections but will never go above 100.
limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
limit_conn limit_per_ip 130;
# Limit requests up to 500 per second per ip
limit_req_zone $binary_remote_addr zone=allips:10m rate=500r/s;
limit_req zone=allips burst=400 nodelay;
# Return 429 when rate limiting instead of 503
limit_req_status 429;
limit_conn_status 429;
# PHP
fastcgi_buffers 256 32k;
fastcgi_buffer_size 256k;
fastcgi_connect_timeout 4s;
fastcgi_send_timeout 120s;
fastcgi_read_timeout 120s;
fastcgi_busy_buffers_size 512k;
fastcgi_temp_file_write_size 512K;
reset_timedout_connection on;
# Cache frequently accessed files
open_file_cache max=5000 inactive=240s;
open_file_cache_valid 60s;
open_file_cache_min_uses 5;
open_file_cache_errors off;
# Set size limits for headers and body
client_max_body_size 20M;
client_header_buffer_size 5k;
large_client_header_buffers 2 2k;
client_body_buffer_size 32k;
# Keep timeouts low to mitigate slow loris like attacks
client_body_timeout 10;
client_header_timeout 10;
keepalive_timeout 10;
send_timeout 10;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
}