vikarti.anatra/nginx-ultimate-bad-bot-blocker
1
0
Fork 0
mirror of https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker.git synced 2025-09-04 19:50:17 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

ADD ssl.d/globalssl.conf [ci skip]

Browse source 
Recommended SSL settings for all nginx sites
This commit is contained in:
Mitchell Krog 2019-07-04 11:29:44 +02:00
parent 7097566f79
commit 887213a17a
No known key found for this signature in database
GPG key ID: C243C388553EDE5D
2 changed files with 183 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

63
headers.d/headers.conf Normal file
View file

@ -0,0 +1,63 @@
##############################################################################
# _ __ _ #
# / |/ /__ _(_)__ __ __ #
# / / _ `/ / _ \\ \ / #
# /_/|_/\_, /_/_//_/_\_\ #
# __/___/ __ ___ __ ___ __ __ #
# / _ )___ ____/ / / _ )___ / /_ / _ )/ /__ ____/ /_____ ____ #
# / _ / _ `/ _ / / _ / _ \/ __/ / _ / / _ \/ __/ '_/ -_) __/ #
# /____/\_,_/\_,_/ /____/\___/\__/ /____/_/\___/\__/_/\_\\__/_/ #
# #
##############################################################################
# ------------------------------------------------------------------------------
# MIT License
# ------------------------------------------------------------------------------
# Copyright (c) 2017 Mitchell Krog - mitchellkrog@gmail.com
# https://github.com/mitchellkrogza
# ------------------------------------------------------------------------------
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
# ------------------------------------------------------------------------------
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
# ------------------------------------------------------------------------------
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
# ------------------------------------------------------------------------------
# --------------------------------
# Security Headers for Nginx Sites
# --------------------------------
# headers.conf
# Global server headers configuration file.
# Should be included in each and every server {} block.
# These are some of the MOST important and overlooked header rules for ANY web site
# To use this set of rules, add the include below into each server block.
# add this at the very top of your server blocks before any other location rules
# include /etc/nginx/headers.d/headers.conf;
##
# Add X Headers
##
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
##
#Set Referrer-Policy Header
##
add_header Referrer-Policy "no-referrer";

120
ssl.d/globalssl.conf Normal file
View file

@ -0,0 +1,120 @@
##############################################################################
# _ __ _ #
# / |/ /__ _(_)__ __ __ #
# / / _ `/ / _ \\ \ / #
# /_/|_/\_, /_/_//_/_\_\ #
# __/___/ __ ___ __ ___ __ __ #
# / _ )___ ____/ / / _ )___ / /_ / _ )/ /__ ____/ /_____ ____ #
# / _ / _ `/ _ / / _ / _ \/ __/ / _ / / _ \/ __/ '_/ -_) __/ #
# /____/\_,_/\_,_/ /____/\___/\__/ /____/_/\___/\__/_/\_\\__/_/ #
# #
##############################################################################
# ------------------------------------------------------------------------------
# MIT License
# ------------------------------------------------------------------------------
# Copyright (c) 2017 Mitchell Krog - mitchellkrog@gmail.com
# https://github.com/mitchellkrogza
# ------------------------------------------------------------------------------
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
# ------------------------------------------------------------------------------
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
# ------------------------------------------------------------------------------
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
# ------------------------------------------------------------------------------
# ----------------------------------------
# Recommended SSL Settings for Nginx Sites
# ----------------------------------------
# Last Updated: 2019-07-04
# globalssl.conf
# Global ssl configuration file.
# Should be included in each and every server {} block of your https/ssl sites.
# Only use this if you know what you are doing with SSL, this is merely an example of
# good SSL settings for nginx ssl sites.
# NO SUPPORT IS OFFERED IN THIS REPO FOR SETTING UP AND RUNNING SSL
# There is lots of help for Let's Encrypt at: https://community.letsencrypt.org/
# To use this set of rules, add the include below into each server block.
# add this at the very top of your HTTPS server blocks before any other location rules
# include /etc/nginx/ssl.d/globalssl.conf;
##
# DIFFIE HELMAN ENCRYPTION / DHE
##
# Diffie-Hellman parameter for DHE ciphersuites, recommended 4096 bits
# Requires generating your dhparam.pem
# INSTRUCTIONS:
# -------------
# cd /etc/nginx/ssl
# sudo openssl dhparam -out dhparam.pem 4096
# WAIT FOR IT TO FINISH - Can take a long time
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
##
# SSL SESSION SETTINGS
##
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:128m;
ssl_session_tickets off;
##
# SSL PROTOCOL SUPPORT
# Support modern and intermediate browsers ONLY
# If you want to allow some older browsers add TLSv1 TLSv1.1
##
ssl_protocols TLSv1.2 TLSv1.3;
##
# SSL CIPHERS
# ciphers recommended by https://mozilla.github.io/server-side-tls/ssl-config-generator/
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
##
# HSTS Headers
##
add_header Strict-Transport-Security max-age=63072000; includeSubDomains; preload; always;
##
# OCSP Stapling
# fetch OCSP records from URL in ssl_certificate and cache them
##
ssl_stapling on;
ssl_stapling_verify on;
# Do not use resolvers for OCSP see comment in - https://scotthelme.co.uk/ocsp-stapling-speeding-up-ssl/
# http://disq.us/url?url=http%3A%2F%2Fblog.zorinaq.com%2Fnginx-resolver-vulns%2F%3AP2dn26U8hf5EMF__e_ZIRGBpc3E&cuid=2541595
# resolver 8.8.8.8 8.8.4.4 valid=300s;
# resolver_timeout 5s;
##
# HSTS(HTTP Strict Transport Security)
# https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
##
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;