
Add nginx config snippets.

pull/9/head
Chris Smith 8 years ago
parent
commit
26a828533e
4 changed files with 76 additions and 0 deletions
  1. 13
    0
      extra/hsts.conf
  2. 13
    0
      extra/redirect-http.conf
  3. 20
    0
      extra/security.conf
  4. 30
    0
      extra/ssl.conf

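--- a/extra/hsts.conf
+++ b/extra/hsts.conf
@@ -0,0 +1,13 @@
+# Enables HTTP Strict Transport Security (HSTS) which instructs browsers to
+# always request the resource over HTTPS, preventing a stripping/downgrade
+# attack.
+
+http {
+
+    map $scheme $hsts_header {
+        https   max-age=31536000;
+    }
+
+    add_header Strict-Transport-Security $hsts_header;
+
+}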
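Review bot: `add_header Strict-Transport-Security $hsts_header;` at the `http` level is silently dropped inside any `server` or `location` block that declares its own `add_header`, because nginx inherits `add_header` directives only into levels that define none; the same applies to the three headers in extra/security.conf. A comment in this snippet's header would save a maintainer from that surprise, e.g. `# NB: add_header is not inherited into blocks that set their own add_header`. The value also omits `includeSubDomains`, so an HTTP-only subdomain stays exposed to the downgrade this file is meant to prevent; where every subdomain is served over HTTPS, `https   "max-age=31536000; includeSubDomains";` matches the Mozilla guidance that extra/ssl.conf cites. Appending `always` to the `add_header` line (nginx 1.7.5+) makes the header appear on error responses as well.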

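--- a/extra/redirect-http.conf
+++ b/extra/redirect-http.conf
@@ -0,0 +1,13 @@
+# Redirects all default HTTP traffic to HTTPS.
+
+server {
+
+    listen 80 default_server;
+    listen [::]:80 default_server;
+
+    server_name _;
+
+    return 301 https://$host$request_uri;
+
+}
+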
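Review bot: `return 301 https://$host$request_uri;` copies the client-supplied Host header into the redirect target, so this catch-all `server_name _;` block answers any Host value with a redirect to that same value; where the deployment has a known canonical name, an explicit host such as `return 301 https://example.invalid$request_uri;` (constructed placeholder) is stricter, and otherwise a comment like `# $host is taken from the request; keep this only for a true catch-all` would help the next reader. A 301 also lets browsers replay a POST as a GET; `return 308 ...` preserves the method if non-GET traffic on port 80 is expected. The file ends with an empty `+` line, which is trailing whitespace.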

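--- a/extra/security.conf
+++ b/extra/security.conf
@@ -0,0 +1,20 @@
+# General security-related directives.
+
+http {
+
+    # Don't offer up information about the version of Nginx we use
+    server_tokens      off;
+
+    # Don't allow other websites to present our content in a frame/iframe.
+    # This mitigates clickjacking attacks.
+    add_header         X-Frame-Options "SAMEORIGIN";
+
+    # Don't allow browsers to try and sniff content types. This prevents
+    # malicious user-generated content being misinterpreted.
+    add_header         X-Content-Type-Options "nosniff";
+
+    # Enable XSS protection, if browsers don't already have it enabled
+    # by default.
+    add_header         X-XSS-Protection "1; mode=block";
+
+}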
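Review bot: `add_header X-XSS-Protection "1; mode=block";` is now recommended against: the browser-side auditor it enabled has been removed from the major engines and current OWASP guidance is to send `0` or omit the header, with a Content-Security-Policy header as the replacement. The comment above `X-Frame-Options` could note that CSP `frame-ancestors` supersedes it in modern browsers, e.g. `# Superseded by CSP frame-ancestors; kept for older browsers`. None of the three `add_header` lines carry `always`, so the headers are omitted on 4xx/5xx responses; `always` (nginx 1.7.5+) applies them to every status. `server_tokens off;` only hides the version in the Server header and error pages, which the comment states accurately.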

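--- a/extra/ssl.conf
+++ b/extra/ssl.conf
@@ -0,0 +1,30 @@
+# Values here are based on Mozilla's "Modern compatibility" configuration.
+# https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
+#
+# NB: This configuration severely limits older browsers and configurations.
+# Specifically, the following are the oldest supported versions:
+#
+#  * Firefox 27
+#  * Chrome 30
+#  * IE 11 on Windows 7
+#  * Edge
+#  * Opera 17
+#  * Safari 9
+#  * Android 5.0
+#  * Java 8 
+#
+# Older browsers or platforms won't be able to negotiate a connection.
+
+http {
+
+    ssl_protocols               TLSv1.2;
+    ssl_ciphers                 "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
+    ssl_prefer_server_ciphers   on;
+    ssl_session_timeout         1d;
+    ssl_session_cache           shared:SSL:50m;
+    ssl_session_tickets         off;
+    ssl_stapling                on;
+    ssl_stapling_verify         on;
+    resolver                    8.8.8.8;
+
+}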
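Review bot: `ssl_stapling_verify on;` only validates OCSP responses when the issuer and root chain is supplied through `ssl_trusted_certificate`, which this snippet does not set; unless each site's `server` block provides it, nginx is likely to warn at startup and skip stapling, so a comment such as `# Requires ssl_trusted_certificate in each server block for verification to work` would make the dependency explicit. `resolver 8.8.8.8;` sends the OCSP responder lookups over plaintext DNS to a third-party resolver with no `valid=` or `resolver_timeout`, and no IPv6 fallback; a local resolver, or a comment justifying the choice, would be preferable. The cipher list still carries CBC suites (`ECDHE-*-AES256-SHA384`, `ECDHE-*-AES128-SHA256`) that later revisions of the cited Mozilla Modern profile drop, so `# NB: re-check against the current Mozilla profile` in the header comment would prompt review. The trailing space after `Java 8` is cosmetic.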
