-
Notifications
You must be signed in to change notification settings - Fork 6
/
nginx.conf
134 lines (100 loc) · 4.66 KB
/
nginx.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
user nginx;
worker_processes 1;
#Configure Error Logging
error_log /var/log/nginx/error.log info;
#syslog server settings for error logging uncomment and replace remote logging server endpoint below.
#error_log syslog:server=insertsyslogendpoint info;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
#Configure Logging Parameters
## WebServer Example
log_format web 'Event Source Information - Server Name: "$server_name" Server Protocol: "$server_protocol" Hostname: "$hostname" Host: "$host" '
'Date and Timestamp Information - Local Time: "$time_local" ISO8601 Time: "$time_iso8601" '
'Username Information - Basic Authentication User: "$remote_user" '
'Source Address Information - Source Address:Port: "$remote_addr:$remote_port" '
'Destination Address Information - Desination Address:Port "$server_addr:$server_port " '
'Request Information - Request: "$request" HTTP Response Status: "$status" Referer: "$http_referer" Content Type: "$content_type" Body Bytes Sent: "$body_bytes_sent" User Agent: "$http_user_agent" ';
#Ensure Access Logging is On
access_log /var/log/nginx/access.log main;
#Ensure Error Logging is On
error_log /var/log/nginx/error_log.log warn;
#syslog settings for access logs
# access_log syslog:server=insertsyslogendpoint,facility=local7,tag=nginx,severity=info combined;
sendfile on;
limit_conn_zone $binary_remote_addr zone=limitperip:10m;
limit_req_zone $binary_remote_addr zone=ratelimit:10m rate=5r/s;
#Deny all traffic that doesn't exactly meet the requirements in other server configuration
server {
return 404;
}
#Redirect Port 80
server {
listen 80;
server_name InsertIPAddressHere InsertDnsNameHere;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2;
#Insert Information for your IP Address and DNS Name below or you will be blocked when trying to access the server
server_name InsertIPAddressHere InsertDnsNameHere;
#SSL Configuration
ssl_certificate /etc/nginx/nginx-selfsigned.crt;
ssl_certificate_key /etc/nginx/nginx-selfsigned.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
ssl_session_tickets off;
#Rate Limiting
limit_req zone=ratelimit burst=10 nodelay;
limit_conn limitperip 10;
#Information Disclosure Mitigation
server_tokens off;
#Denial of service Mitigations
keepalive_timeout 10;
send_timeout 10;
client_body_timeout 10;
client_max_body_size 100K;
client_header_timeout 10;
large_client_header_buffers 2 1k;
#Set Security Headers these may change depending on use case
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Xss-Protection "1; mode=block" always;
add_header Content-Security-Policy "default-src 'self'" always;
add_header Referrer-Policy "no-referrer" always;
add_header Strict-Transport-Security "max-age=15768000;" always;
#Restrict HTTP Methods
if ($request_method !~ ^(GET|HEAD|POST)$) {
return 444;
}
#In order to add Public Key Pinning insert the hashes of the below configuration in the parameters below
# add_header Public-Key-Pins 'pin-sha256="base64+primary==InsertPrimaryCertificateSHA256FingerPrintHere"; pin-sha256="base64+backup==InsertBackupCertificateSHA256FingerPrintHere"; max-age=5184000;
# Change the below allow parameter IP Address and uncomment both the allow and deny command in order to setup IP based restrictions.
# allow 10.0.07;
# deny all;
#Restrict hidden files
location ~ /\. { deny all; return 404; }
#Standard Web Config
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
# redirect server error pages to the static page /50x.html
error_page 500 502 503 504 /500err.html;
location = /50x.html {
root /usr/share/nginx/html;
}
# redirect client error pages to the static page /40x.html. This may require additional error codes be added.
error_page 400 401 402 403 404 405 418 /40x.html;
location = /40x.html {
root /usr/share/nginx/html;
}
}
}