
tweak: improve nginx config

tags/v0.75.2
Inhji Y. 4 weeks ago
parent
commit
a3b1b9f97e
1 changed files with 27 additions and 8 deletions
  1. +27
    -8
      install/tomie.conf

+ 27
- 8
install/tomie.conf

@@ -4,6 +4,7 @@ map $sent_http_content_type $expires {
text/css max;
application/javascript 7d;
~image/ max;
font/woff max;
}

map $http_upgrade $connection_upgrade {
@@ -24,26 +25,44 @@ server {
listen 443 http2 ssl;
listen [::]:443 http2 ssl;

server_name inhji.de;

ssl_certificate /etc/letsencrypt/live/inhji.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/inhji.de/privkey.pem;

ssl_protocols TLSv1.2 TLSv1.3;# Requires nginx >= 1.13.0 else use TLSv1.2
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparams.pem; # openssl dhparam -out /etc/nginx/dhparams.pem 4096
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_ecdh_curve secp384r1;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_session_tickets off;

# Will enforce TLS on this site and all subdomains for a year.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header Referrer-Policy no-referrer-when-downgrade;

#add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'; style-src 'self'; img-src 'self' data: cloud.inhji.de; media-src 'self'; frame-src 'none'; font-src 'self'; connect-src 'self'";
#add_header X-Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'; style-src 'self'; img-src 'self' data: cloud.inhji.de; media-src 'self'; frame-src 'none'; font-src 'self'; connect-src 'self'";
#add_header X-WebKit-CSP "default-src 'self'; script-src 'self' 'unsafe-inline'; object-src 'none'; style-src 'self'; img-src 'self' data: cloud.inhji.de; media-src 'self'; frame-src 'none'; font-src 'self'; connect-src 'self'";
# Used to configure the built in reflective XSS protection found in
# Internet Explorer, Chrome and Safari (Webkit)
# mode=block tells the browser to block the response if it detects an attack
# rather than sanitising the script.
add_header X-Xss-Protection "1; mode=block" always;

server_name inhji.de;
# This site cannot be framed, no matter the origin
add_header X-Frame-Options "deny" always;

# Prevents Google Chrome and Internet Explorer from trying to mime-sniff
# the content-type of a response away from the one being declared by the server.
add_header X-Content-Type-Options "nosniff" always;

# Send the origin, path, and querystring when performing a same-origin request, only send the origin
# when the protocol security level stays the same while performing a cross-origin request
# (HTTPS -> HTTPS), and send no header to any less-secure destinations (HTTPS -> HTTP).
add_header Referrer-Policy "strict-origin-when-cross-origin";

add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; style-src 'self'; img-src 'self' data:; media-src 'self'; frame-src 'none'; font-src 'self'; connect-src 'self'";
add_header X-Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; style-src 'self'; img-src 'self' data:; media-src 'self'; frame-src 'none'; font-src 'self'; connect-src 'self'";
add_header X-WebKit-CSP "default-src 'self'; script-src 'self'; object-src 'none'; style-src 'self'; img-src 'self' data:; media-src 'self'; frame-src 'none'; font-src 'self'; connect-src 'self'";

client_max_body_size 10M;
expires $expires;
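Review bot: The new response headers use `always` inconsistently: X-Xss-Protection, X-Frame-Options and X-Content-Type-Options carry it, but the new Referrer-Policy line and the three Content-Security-Policy directives do not, so nginx omits them on 4xx/5xx responses; append `always` to those four, e.g. `add_header Content-Security-Policy "default-src 'self'; ..." always;`. The added `X-Xss-Protection "1; mode=block"` turns on a browser filter that current guidance treats as a liability and that modern browsers have removed; with a CSP in place the recommended value is `add_header X-Xss-Protection "0" always;`, and the legacy X-Content-Security-Policy / X-WebKit-CSP duplicates can be dropped with it. Because nginx does not inherit server-level `add_header` into any `location` that declares its own `add_header`, the location blocks that follow this hunk (outside the visible range) need checking, and a one-line comment saying so would help the next editor. With `ssl_protocols TLSv1.3;` alone, `ssl_ciphers`, `ssl_prefer_server_ciphers` and `ssl_dhparam` no longer affect negotiation, and the single-curve `ssl_ecdh_curve secp384r1;` excludes X25519 — presumably intentional, but the comment on that line should say so rather than only cite the minimum nginx version. The `server_name inhji.de;` line appears both near the top of the hunk and after the headers; if the second is not the removed copy, one of them is redundant.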

