diff --git a/headers.d/headers.conf b/headers.d/headers.conf new file mode 100644 index 000000000..fcb22b1c6 --- /dev/null +++ b/headers.d/headers.conf @@ -0,0 +1,63 @@ +############################################################################## +# _ __ _ # +# / |/ /__ _(_)__ __ __ # +# / / _ `/ / _ \\ \ / # +# /_/|_/\_, /_/_//_/_\_\ # +# __/___/ __ ___ __ ___ __ __ # +# / _ )___ ____/ / / _ )___ / /_ / _ )/ /__ ____/ /_____ ____ # +# / _ / _ `/ _ / / _ / _ \/ __/ / _ / / _ \/ __/ '_/ -_) __/ # +# /____/\_,_/\_,_/ /____/\___/\__/ /____/_/\___/\__/_/\_\\__/_/ # +# # +############################################################################## + +# ------------------------------------------------------------------------------ +# MIT License +# ------------------------------------------------------------------------------ +# Copyright (c) 2017 Mitchell Krog - mitchellkrog@gmail.com +# https://github.com/mitchellkrogza +# ------------------------------------------------------------------------------ +# Permission is hereby granted, free of charge, to any person obtaining a copy +# of this software and associated documentation files (the "Software"), to deal +# in the Software without restriction, including without limitation the rights +# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +# copies of the Software, and to permit persons to whom the Software is +# furnished to do so, subject to the following conditions: +# ------------------------------------------------------------------------------ +# The above copyright notice and this permission notice shall be included in all +# copies or substantial portions of the Software. +# ------------------------------------------------------------------------------ +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +# SOFTWARE. +# ------------------------------------------------------------------------------ + +# -------------------------------- +# Security Headers for Nginx Sites +# -------------------------------- + +# headers.conf +# Global server headers configuration file. +# Should be included in each and every server {} block. +# These are some of the MOST important and overlooked header rules for ANY web site + +# To use this set of rules, add the include below into each server block. +# add this at the very top of your server blocks before any other location rules +# include /etc/nginx/headers.d/headers.conf; + + ## + # Add X Headers + ## + + add_header X-Frame-Options SAMEORIGIN; + add_header X-Content-Type-Options nosniff; + add_header X-XSS-Protection "1; mode=block"; + + ## + #Set Referrer-Policy Header + ## + + add_header Referrer-Policy "no-referrer"; diff --git a/ssl.d/globalssl.conf b/ssl.d/globalssl.conf new file mode 100644 index 000000000..d732a592f --- /dev/null +++ b/ssl.d/globalssl.conf @@ -0,0 +1,120 @@ +############################################################################## +# _ __ _ # +# / |/ /__ _(_)__ __ __ # +# / / _ `/ / _ \\ \ / # +# /_/|_/\_, /_/_//_/_\_\ # +# __/___/ __ ___ __ ___ __ __ # +# / _ )___ ____/ / / _ )___ / /_ / _ )/ /__ ____/ /_____ ____ # +# / _ / _ `/ _ / / _ / _ \/ __/ / _ / / _ \/ __/ '_/ -_) __/ # +# /____/\_,_/\_,_/ /____/\___/\__/ /____/_/\___/\__/_/\_\\__/_/ # +# # +############################################################################## + +# ------------------------------------------------------------------------------ +# MIT License +# ------------------------------------------------------------------------------ +# Copyright (c) 2017 Mitchell Krog - mitchellkrog@gmail.com +# https://github.com/mitchellkrogza +# ------------------------------------------------------------------------------ +# Permission is hereby granted, free of charge, to any person obtaining a copy +# of this software and associated documentation files (the "Software"), to deal +# in the Software without restriction, including without limitation the rights +# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +# copies of the Software, and to permit persons to whom the Software is +# furnished to do so, subject to the following conditions: +# ------------------------------------------------------------------------------ +# The above copyright notice and this permission notice shall be included in all +# copies or substantial portions of the Software. +# ------------------------------------------------------------------------------ +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +# SOFTWARE. +# ------------------------------------------------------------------------------ + +# ---------------------------------------- +# Recommended SSL Settings for Nginx Sites +# ---------------------------------------- + +# Last Updated: 2019-07-04 + +# globalssl.conf +# Global ssl configuration file. +# Should be included in each and every server {} block of your https/ssl sites. +# Only use this if you know what you are doing with SSL, this is merely an example of +# good SSL settings for nginx ssl sites. +# NO SUPPORT IS OFFERED IN THIS REPO FOR SETTING UP AND RUNNING SSL +# There is lots of help for Let's Encrypt at: https://community.letsencrypt.org/ + +# To use this set of rules, add the include below into each server block. +# add this at the very top of your HTTPS server blocks before any other location rules +# include /etc/nginx/ssl.d/globalssl.conf; + + + ## + # DIFFIE HELMAN ENCRYPTION / DHE + ## + + # Diffie-Hellman parameter for DHE ciphersuites, recommended 4096 bits + # Requires generating your dhparam.pem + # INSTRUCTIONS: + # ------------- + # cd /etc/nginx/ssl + # sudo openssl dhparam -out dhparam.pem 4096 + # WAIT FOR IT TO FINISH - Can take a long time + + ssl_dhparam /etc/nginx/ssl/dhparam.pem; + + ## + # SSL SESSION SETTINGS + ## + + ssl_session_timeout 10m; + ssl_session_cache shared:SSL:128m; + ssl_session_tickets off; + + ## + # SSL PROTOCOL SUPPORT + # Support modern and intermediate browsers ONLY + # If you want to allow some older browsers add TLSv1 TLSv1.1 + ## + + ssl_protocols TLSv1.2 TLSv1.3; + + ## + # SSL CIPHERS + # ciphers recommended by https://mozilla.github.io/server-side-tls/ssl-config-generator/ + + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers on; + + ## + # HSTS Headers + ## + + add_header Strict-Transport-Security max-age=63072000; includeSubDomains; preload; always; + + ## + # OCSP Stapling + # fetch OCSP records from URL in ssl_certificate and cache them + ## + + ssl_stapling on; + ssl_stapling_verify on; + + # Do not use resolvers for OCSP see comment in - https://scotthelme.co.uk/ocsp-stapling-speeding-up-ssl/ + # http://disq.us/url?url=http%3A%2F%2Fblog.zorinaq.com%2Fnginx-resolver-vulns%2F%3AP2dn26U8hf5EMF__e_ZIRGBpc3E&cuid=2541595 + # resolver 8.8.8.8 8.8.4.4 valid=300s; + # resolver_timeout 5s; + + ## + # HSTS(HTTP Strict Transport Security) + # https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security + ## + + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + +