Documentation formatting and reviewing (#232)

No code changes, some config reordering
Pete Cooper 2019-05-15 17:38:05 +01:00 committed by Léo Colombaro
parent c73d1efb60
commit 67c54c53f1
No known key found for this signature in database
GPG Key ID: 687B480A6D4F735F
27 changed files with 182 additions and 191 deletions


@ -64,14 +64,14 @@ This repository has the following structure:
* **`conf.d/`** * **`conf.d/`**
This directory should contain all of the server definitions. This directory should contain all of the `server` definitions.
Except if they are dot prefixed or non .conf extension, all files in this Except if they are dot prefixed or non `.conf` extension, all files in this
folder **are** loaded automatically. folder **are** loaded automatically.
* **`templates` folder** * **`templates` folder**
Files in this folder contain a `server{}` template for secure and non-secure hosts. Files in this folder contain a `server` template for secure and non-secure hosts.
They are intended to be copied in the `conf.d` folder with all `example.com` They are intended to be copied in the `conf.d` folder with all `example.com`
occurrences changed to the target host. occurrences changed to the target host.
@ -92,8 +92,8 @@ This repository has the following structure:
* **`location/`** * **`location/`**
Files in this folder contain one or more location directives. They are intended Files in this folder contain one or more `location` directives. They are intended
to be loaded in the server context (or, in a nested location block). to be loaded in the `server` context (or, in a nested `location` block).
* **`mime.types`** * **`mime.types`**


@ -6,8 +6,8 @@
# #
# If no default server is defined, Nginx will use the first found server. # If no default server is defined, Nginx will use the first found server.
# To prevent host header attacks, or other potential problems when an unknown # To prevent host header attacks, or other potential problems when an unknown
# servername is used in a request, it's recommended to drop the request # server name is used in a request, it's recommended to drop the request
# returning 444 "no response". # returning 444 "No Response".
server { server {
listen [::]:443 ssl http2 default_server; listen [::]:443 ssl http2 default_server;
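Review bot: The catch-all on the `listen [::]:443 ssl http2 default_server;` line binds only the IPv6 wildcard; nginx has defaulted to `ipv6only=on` since 1.3.4, so IPv4 clients reach this block only if a separate `listen 443 ssl http2 default_server;` exists. The rest of the `server` block is outside the hunk, so that may already be the case. If it is not, an IPv4 request with an unknown `Host` falls through to the first defined `server`, which is exactly the situation the comment above says the 444 response prevents. Worth a comment next to the listen line, e.g. `# IPv4 clients need their own default_server listen (ipv6only=on is the nginx default)`.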


@ -6,12 +6,12 @@
# #
# If no default server is defined, Nginx will use the first found server. # If no default server is defined, Nginx will use the first found server.
# To prevent host header attacks, or other potential problems when an unknown # To prevent host header attacks, or other potential problems when an unknown
# servername is used in a request, it's recommended to drop the request # server name is used in a request, it's recommended to drop the request
# returning 444 "no response". # returning 444 "No Response".
# #
# (1) In production, only secure hosts should be used (all `no-ssl` disabled). # (1) In production, only secure hosts should be used (all `no-ssl` disabled).
# If so, redirect first ANY request to a secure connexion before handling it # If so, redirect first ANY request to a secure connection before handling
# even if the host is unknown. # it, even if the host is unknown.
# #
# https://observatory.mozilla.org/faq/ # https://observatory.mozilla.org/faq/


@ -10,10 +10,9 @@
# (!) Do not use this without understanding the consequences. # (!) Do not use this without understanding the consequences.
# This will permit access from any other website. # This will permit access from any other website.
# Instead of using this file, consider using a specific rule such as
# allowing access based on (sub)domain:
# #
# Instead of using this file, consider using a specific rule such as: # add_header Access-Control-Allow-Origin "subdomain.example.com";
#
# Allow access based on [sub]domain:
# add_header Access-Control-Allow-Origin "subdomain.example.com";
add_header Access-Control-Allow-Origin $cors; add_header Access-Control-Allow-Origin $cors;
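Review bot: The example on the `add_header Access-Control-Allow-Origin "subdomain.example.com";` line is not a valid header value: browsers compare it against the serialized origin, which includes the scheme (and a non-default port), so a bare hostname makes the cross-origin request fail rather than restrict it. Suggest `# add_header Access-Control-Allow-Origin "https://subdomain.example.com";`. The `$cors` map and the remainder of this file are outside the hunk, so whether a `Vary: Origin` header accompanies the per-origin value cannot be checked here; it should, because the response now depends on the request's Origin and is otherwise cacheable across origins.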


@ -4,10 +4,9 @@
# Allow cross-origin access to the timing information for all resources. # Allow cross-origin access to the timing information for all resources.
# #
# If a resource isn't served with a `Timing-Allow-Origin` header that # If a resource isn't served with a `Timing-Allow-Origin` header that would
# would allow its timing information to be shared with the document, # allow its timing information to be shared with the document, some of the
# some of the attributes of the `PerformanceResourceTiming` object will # attributes of the `PerformanceResourceTiming` object will be set to zero.
# be set to zero.
# #
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Timing-Allow-Origin # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Timing-Allow-Origin
# https://www.w3.org/TR/resource-timing/ # https://www.w3.org/TR/resource-timing/


@ -9,8 +9,8 @@
# #
# (!) Starting with Internet Explorer 11, document modes are deprecated. # (!) Starting with Internet Explorer 11, document modes are deprecated.
# If your business still relies on older web apps and services that were # If your business still relies on older web apps and services that were
# designed for older versions of Internet Explorer, you might want to # designed for older versions of Internet Explorer, you might want to consider
# consider enabling `Enterprise Mode` throughout your company. # enabling `Enterprise Mode` throughout your company.
# #
# https://msdn.microsoft.com/en-us/library/ie/bg182625.aspx#docmode # https://msdn.microsoft.com/en-us/library/ie/bg182625.aspx#docmode
# https://blogs.msdn.microsoft.com/ie/2014/04/02/stay-up-to-date-with-enterprise-mode-for-internet-explorer-11/ # https://blogs.msdn.microsoft.com/ie/2014/04/02/stay-up-to-date-with-enterprise-mode-for-internet-explorer-11/


@ -2,17 +2,17 @@
# | File access | # | File access |
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# Block access to all hidden files and directories with the exception of # Block access to all hidden files and directories with the exception of the
# the visible content from within the `/.well-known/` hidden directory. # visible content from within the `/.well-known/` hidden directory.
# #
# These types of files usually contain user preferences or the preserved # These types of files usually contain user preferences or the preserved state
# state of a utility, and can include rather private places like, for # of a utility, and can include rather private places like, for example, the
# example, the `.git` or `.svn` directories. # `.git` or `.svn` directories.
# #
# The `/.well-known/` directory represents the standard (RFC 5785) path # The `/.well-known/` directory represents the standard (RFC 5785) path prefix
# prefix for "well-known locations" (e.g.: `/.well-known/manifest.json`, # for "well-known locations" (e.g.: `/.well-known/manifest.json`,
# `/.well-known/keybase.txt`), and therefore, access to its visible # `/.well-known/keybase.txt`), and therefore, access to its visible content
# content should not be blocked. # should not be blocked.
# #
# https://www.mnot.net/blog/2010/04/07/well-known # https://www.mnot.net/blog/2010/04/07/well-known
# https://tools.ietf.org/html/rfc5785 # https://tools.ietf.org/html/rfc5785
@ -25,17 +25,16 @@ location ~* /\.(?!well-known\/) {
# Block access to files that can expose sensitive information. # Block access to files that can expose sensitive information.
# #
# By default, block access to backup and source files that may be # By default, block access to backup and source files that may be left by some
# left by some text editors and can pose a security risk when anyone # text editors and can pose a security risk when anyone has access to them.
# has access to them.
# #
# https://feross.org/cmsploit/ # https://feross.org/cmsploit/
# #
# (!) Update the `location` regular expression from below to # (!) Update the `location` regular expression from below to include any files
# include any files that might end up on your production server and # that might end up on your production server and can expose sensitive
# can expose sensitive information about your website. These files may # information about your website. These files may include: configuration files,
# include: configuration files, files that contain metadata about the # files that contain metadata about the project (e.g.: project dependencies),
# project (e.g.: project dependencies), build scripts, etc.. # build scripts, etc..
location ~* (?:#.*#|\.(?:bak|conf|dist|fla|in[ci]|log|orig|psd|sh|sql|sw[op])|~)$ { location ~* (?:#.*#|\.(?:bak|conf|dist|fla|in[ci]|log|orig|psd|sh|sql|sw[op])|~)$ {
deny all; deny all;


@ -2,11 +2,11 @@
# | Filename-based cache busting | # | Filename-based cache busting |
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# If you're not using a build process to manage your filename version # If you're not using a build process to manage your filename version revving,
# revving, you might want to consider enabling the following directives # you might want to consider enabling the following directives.
# #
# To understand why this is important and even a better solution than # To understand why this is important and even a better solution than using
# using something like `*.css?v231`, please see: # something like `*.css?v231`, please see:
# https://www.stevesouders.com/blog/2008/08/23/revving-filenames-dont-use-querystring/ # https://www.stevesouders.com/blog/2008/08/23/revving-filenames-dont-use-querystring/
location ~* (.+)\.(?:\w+)\.(bmp|css|cur|gif|ico|jpe?g|m?js|png|svgz?|webp|webmanifest)$ { location ~* (.+)\.(?:\w+)\.(bmp|css|cur|gif|ico|jpe?g|m?js|png|svgz?|webp|webmanifest)$ {


@ -2,8 +2,8 @@
# | Character encodings | # | Character encodings |
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# Serve all resources labeled as `text/html` or `text/plain` # Serve all resources labeled as `text/html` or `text/plain` with the media type
# with the media type `charset` parameter set to `UTF-8`. # `charset` parameter set to `UTF-8`.
# #
# https://nginx.org/en/docs/http/ngx_http_charset_module.html#charset # https://nginx.org/en/docs/http/ngx_http_charset_module.html#charset
@ -12,7 +12,7 @@ charset utf-8;
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Update charset_types to match updated mime.types. # Update charset_types to match updated mime.types.
# text/html is always included by charset module. # `text/html` is always included by charset module.
# Default: text/html text/xml text/plain text/vnd.wap.wml application/javascript application/rss+xml # Default: text/html text/xml text/plain text/vnd.wap.wml application/javascript application/rss+xml
# #
# https://nginx.org/en/docs/http/ngx_http_charset_module.html#charset_types # https://nginx.org/en/docs/http/ngx_http_charset_module.html#charset_types


@ -5,12 +5,11 @@
# Mitigate the risk of cross-site scripting and other content-injection # Mitigate the risk of cross-site scripting and other content-injection
# attacks. # attacks.
# #
# This can be done by setting a `Content Security Policy` which # This can be done by setting a `Content Security Policy` which whitelists
# whitelists trusted sources of content for your website. # trusted sources of content for your website.
# #
# There is no policy that fits all websites, you will have to modify # There is no policy that fits all websites, you will have to modify the
# the `Content-Security-Policy` directives in the example depending # `Content-Security-Policy` directives in the example depending on your needs.
# on your needs.
# #
# To make your CSP implementation easier, you can use an online CSP header # To make your CSP implementation easier, you can use an online CSP header
# generator such as: # generator such as:


@ -3,14 +3,14 @@
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# A web application uses HTTPS and a URL-based session identifier. # A web application uses HTTPS and a URL-based session identifier.
# The web application might wish to link to HTTPS resources on other # The web application might wish to link to HTTPS resources on other web
# web sites without leaking the user's session identifier in the URL. # sites without leaking the user's session identifier in the URL.
# #
# This can be done by setting a `Referrer Policy` which # This can be done by setting a `Referrer Policy` which whitelists trusted
# whitelists trusted sources of content for your website. # sources of content for your website.
# #
# To check your referrer policy, you can use an online service # To check your referrer policy, you can use an online service such as:
# such as: https://securityheaders.io/. # https://securityheaders.io/.
# #
# https://scotthelme.co.uk/a-new-security-header-referrer-policy/ # https://scotthelme.co.uk/a-new-security-header-referrer-policy/
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
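Review bot: The reflowed sentence `This can be done by setting a Referrer Policy which whitelists trusted sources of content for your website` describes Content-Security-Policy, not Referrer-Policy, and looks copied from the CSP file; Referrer-Policy controls how much of the current URL the browser puts in the `Referer` header on outgoing navigations and fetches, it allow-lists nothing. Suggest `# This can be done by setting a Referrer-Policy that limits what the browser sends in the Referer header (e.g. origin only, or nothing at all) when leaving the site.` The `add_header` line itself is outside the hunk.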


@ -2,8 +2,7 @@
# | Server software information | # | Server software information |
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# Prevent Nginx from sending in the `Server` response header its # Prevent Nginx from sending its version number in the "Server" response header.
# exact version number.
# #
# https://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens # https://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens
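Review bot: The rewritten line `Prevent Nginx from sending its version number in the "Server" response header.` is correct but readers often take it to mean the header disappears; `server_tokens off` still emits `Server: nginx`, which is enough to fingerprint the software. Suggest adding `# (!) The header is still sent as "Server: nginx"; removing it entirely needs a build-time change or a third-party module such as headers-more.` The `server_tokens` directive is outside the hunk.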


@ -4,14 +4,13 @@
# Force client-side SSL redirection. # Force client-side SSL redirection.
# #
# If a user types `example.com` in their browser, even if the server # If a user types `example.com` in their browser, even if the server redirects
# redirects them to the secure version of the website, that still leaves # them to the secure version of the website, that still leaves a window of
# a window of opportunity (the initial HTTP connection) for an attacker # opportunity (the initial HTTP connection) for an attacker to downgrade or
# to downgrade or redirect the request. # redirect the request.
# #
# The following header ensures that browser will ONLY connect to your # The following header ensures that browser will ONLY connect to your server
# server via HTTPS, regardless of what the users type in the browser's # via HTTPS, regardless of what the users type in the browser's address bar.
# address bar.
# #
# (!) Be aware that this, once published, is not revokable and you must ensure # (!) Be aware that this, once published, is not revokable and you must ensure
# being able to serve the site via SSL for the duration you've specified # being able to serve the site via SSL for the duration you've specified
@ -25,9 +24,11 @@
# (1) If you want to submit your site for HSTS preload (2) you must # (1) If you want to submit your site for HSTS preload (2) you must
# * ensure the `includeSubDomains` directive to be present # * ensure the `includeSubDomains` directive to be present
# * the `preload` directive to be specified # * the `preload` directive to be specified
# * the `max-age` to be at least 31536000 seconds (1 year) according to the current status. # * the `max-age` to be at least 31536000 seconds (1 year) according to the
# current status.
# #
# It is also advised (3) to only serve the HSTS header via a secure connection. # It is also advised (3) to only serve the HSTS header via a secure
# connection.
# #
# (2) https://hstspreload.org/ # (2) https://hstspreload.org/
# (3) https://tools.ietf.org/html/rfc6797#section-7.2 # (3) https://tools.ietf.org/html/rfc6797#section-7.2
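Review bot: The retained claim `(!) Be aware that this, once published, is not revokable` is inaccurate: RFC 6797 section 6.1.1 lets a site clear its HSTS policy by serving `Strict-Transport-Security: max-age=0` over HTTPS, which browsers honour on their next successful visit. What is genuinely hard to undo is the preload submission described in (1) and (2), since removal has to be requested and then ships with browser releases over months. Suggest `# (!) Browsers that have seen this header refuse plain HTTP for max-age; it can be cleared by serving max-age=0, but a preload submission cannot be undone quickly.` The `add_header` line is outside the hunk.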


@ -4,10 +4,10 @@
# Prevent some browsers from MIME-sniffing the response. # Prevent some browsers from MIME-sniffing the response.
# #
# This reduces exposure to drive-by download attacks and cross-origin # This reduces exposure to drive-by download attacks and cross-origin data
# data leaks, and should be left uncommented, especially if the server # leaks, and should be left uncommented, especially if the server is serving
# is serving user-uploaded content or content that could potentially be # user-uploaded content or content that could potentially be treated as
# treated as executable by the browser. # executable by the browser.
# #
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
# https://blogs.msdn.microsoft.com/ie/2008/07/02/ie8-security-part-v-comprehensive-protection/ # https://blogs.msdn.microsoft.com/ie/2008/07/02/ie8-security-part-v-comprehensive-protection/


@ -4,28 +4,27 @@
# Protect website against clickjacking. # Protect website against clickjacking.
# #
# The example below sends the `X-Frame-Options` response header with # The example below sends the `X-Frame-Options` response header with the value
# the value `DENY`, informing browsers not to display the content of # `DENY`, informing browsers not to display the content of the web page in any
# the web page in any frame. # frame.
# #
# This might not be the best setting for everyone. You should read # This might not be the best setting for everyone. You should read about the
# about the other two possible values the `X-Frame-Options` header # other two possible values the `X-Frame-Options` header field can have:
# field can have: `SAMEORIGIN` and `ALLOW-FROM`. # `SAMEORIGIN` and `ALLOW-FROM`.
# https://tools.ietf.org/html/rfc7034#section-2.1. # https://tools.ietf.org/html/rfc7034#section-2.1.
# #
# Keep in mind that while you could send the `X-Frame-Options` header # Keep in mind that while you could send the `X-Frame-Options` header for all
# for all of your websites pages, this has the potential downside that # of your websites pages, this has the potential downside that it forbids even
# it forbids even non-malicious framing of your content (e.g.: when # non-malicious framing of your content (e.g.: when users visit your website
# users visit your website using a Google Image Search results page). # using a Google Image Search results page).
# #
# Nonetheless, you should ensure that you send the `X-Frame-Options` # Nonetheless, you should ensure that you send the `X-Frame-Options` header for
# header for all pages that allow a user to make a state-changing # all pages that allow a user to make a state-changing operation (e.g: pages
# operation (e.g: pages that contain one-click purchase links, checkout # that contain one-click purchase links, checkout or bank-transfer confirmation
# or bank-transfer confirmation pages, pages that make permanent # pages, pages that make permanent configuration changes, etc.).
# configuration changes, etc.).
# #
# Sending the `X-Frame-Options` header can also protect your website # Sending the `X-Frame-Options` header can also protect your website against
# against more than just clickjacking attacks: # more than just clickjacking attacks.
# https://cure53.de/xfo-clickjacking.pdf. # https://cure53.de/xfo-clickjacking.pdf.
# #
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
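Review bot: The advice to read about `SAMEORIGIN` and `ALLOW-FROM` as the other two values is dated on the second one: `ALLOW-FROM` was only ever honoured by older Internet Explorer and Edge, and a browser that does not recognise the value ignores the header entirely, which silently removes the clickjacking protection. The supported way to allow specific framing origins is the CSP `frame-ancestors` directive, which browsers prefer over `X-Frame-Options` when both are present. Suggest `# (!) ALLOW-FROM is unsupported by most browsers and unknown values are ignored; use the CSP frame-ancestors directive to allow specific framing origins.` The `add_header` line is outside the hunk.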


@ -1,36 +1,34 @@
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# | Cross-Site Scripting (XSS) Protection | # | Reflected Cross-Site Scripting (XSS) attacks |
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# Protect website reflected Cross-Site Scripting (XSS) attacks. # Protect website reflected Cross-Site Scripting (XSS) attacks.
# #
# (1) Try to re-enable the cross-site scripting (XSS) filter built # (1) Try to re-enable the cross-site scripting (XSS) filter built into most
# into most web browsers. # web browsers.
# #
# The filter is usually enabled by default, but in some cases it # The filter is usually enabled by default, but in some cases it may be
# may be disabled by the user. However, in Internet Explorer for # disabled by the user. However, in Internet Explorer for example, it can be
# example, it can be re-enabled just by sending the # re-enabled just by sending the `X-XSS-Protection` header with the value
# `X-XSS-Protection` header with the value of `1`. # of `1`.
# #
# (2) Prevent web browsers from rendering the web page if a potential # (2) Prevent web browsers from rendering the web page if a potential reflected
# reflected (a.k.a non-persistent) XSS attack is detected by the # (a.k.a non-persistent) XSS attack is detected by the filter.
# filter.
# #
# By default, if the filter is enabled and browsers detect a # By default, if the filter is enabled and browsers detect a reflected XSS
# reflected XSS attack, they will attempt to block the attack # attack, they will attempt to block the attack by making the smallest
# by making the smallest possible modifications to the returned # possible modifications to the returned web page.
# web page.
# #
# Unfortunately, in some browsers (e.g.: Internet Explorer), # Unfortunately, in some browsers (e.g.: Internet Explorer), this default
# this default behavior may allow the XSS filter to be exploited, # behavior may allow the XSS filter to be exploited. Therefore, it's better
# thereby, it's better to inform browsers to prevent the rendering # to inform browsers to prevent the rendering of the page altogether,
# of the page altogether, instead of attempting to modify it. # instead of attempting to modify it.
# #
# https://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities # https://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities
# #
# (!) Do not rely on the XSS filter to prevent XSS attacks! Ensure that # (!) Do not rely on the XSS filter to prevent XSS attacks! Ensure that you are
# you are taking all possible measures to prevent XSS attacks, the # taking all possible measures to prevent XSS attacks, the most obvious
# most obvious being: validating and sanitizing your website's inputs. # being: validating and sanitizing your website's inputs.
# #
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
# https://blogs.msdn.microsoft.com/ie/2008/07/02/ie8-security-part-iv-the-xss-filter/ # https://blogs.msdn.microsoft.com/ie/2008/07/02/ie8-security-part-iv-the-xss-filter/
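Review bot: The reflowed text still tells readers to re-enable the browser XSS filter, but `X-XSS-Protection` is a legacy header: Chromium's XSS Auditor has been removed, Firefox never implemented a filter, so only older IE/Edge act on it, and the `mode=block` behaviour the comment recommends has been shown to create cross-site leak side channels, since an attacker page can observe whether the filter fired. Current guidance is to send `0` or omit the header and rely on a Content-Security-Policy. At minimum the header comment should say so, e.g. `# (!) Legacy header: modern browsers ignore it and blocking mode is itself abusable; prefer a strict Content-Security-Policy.` The `add_header` directive is outside the hunk.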


@ -2,8 +2,8 @@
# | Certificate files | # | Certificate files |
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# This default SSL certificate will be served whenever the client lacks # This default SSL certificate will be served whenever the client lacks support
# support for SNI (Server Name Indication). # for SNI (Server Name Indication).
# Make it a symlink to the most important certificate you have, so that # Make it a symlink to the most important certificate you have, so that
# users of IE 8 and below on WinXP can see your main site without SSL errors. # users of IE 8 and below on WinXP can see your main site without SSL errors.
# #


@ -2,10 +2,10 @@
# | Online Certificate Status Protocol stapling | # | Online Certificate Status Protocol stapling |
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# OCSP is a lightweight, only one record to help clients verify the # OCSP is a lightweight, only one record to help clients verify the validity of
# validity of the server certificate. # the server certificate.
# OCSP stapling allows the server to send its cached OCSP record during # OCSP stapling allows the server to send its cached OCSP record during the TLS
# the TLS handshake, without the need of 3rd party OCSP responder. # handshake, without the need of 3rd party OCSP responder.
# #
# https://wiki.mozilla.org/Security/Server_Side_TLS#OCSP_Stapling # https://wiki.mozilla.org/Security/Server_Side_TLS#OCSP_Stapling
# https://tools.ietf.org/html/rfc6066#section-8 # https://tools.ietf.org/html/rfc6066#section-8
@ -29,6 +29,6 @@ resolver
# (2) # (2)
8.8.8.8 8.8.4.4 [2001:4860:4860::8888] [2001:4860:4860::8844] 8.8.8.8 8.8.4.4 [2001:4860:4860::8888] [2001:4860:4860::8844]
# (3) # (3)
# 216.146.35.35 216.146.36.36 # 216.146.35.35 216.146.36.36
valid=60s; valid=60s;
resolver_timeout 2s; resolver_timeout 2s;
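Review bot: The `resolver` on the `8.8.8.8 8.8.4.4 [2001:4860:4860::8888] [2001:4860:4860::8844]` line sends the OCSP responder lookups to a public resolver over plain, unauthenticated UDP; nginx does not validate DNSSEC, so an on-path attacker can steer where the stapled response is fetched from, and the same `resolver` is used for any runtime name lookups in this context (variable-based `proxy_pass`, for example), not just stapling. A local caching resolver the host already trusts (`127.0.0.1`) is the safer default, with the public addresses kept as a documented fallback. Suggest `# (!) Prefer the host's local resolver; public resolvers are reached over unauthenticated DNS and this setting also governs any runtime name resolution in this context.` The `ssl_stapling` directives are outside the hunk.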


@ -2,13 +2,13 @@
# | SSL policy - Deprecated | # | SSL policy - Deprecated |
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# For services that don't need compatibility with legacy clients # For services that don't need compatibility with legacy clients (mostly WinXP),
# (mostly WinXP), but still need to support a wide range of clients, # but still need to support a wide range of clients, this configuration is
# this configuration is recommended. # recommended.
# #
# Protect against the BEAST and POODLE attacks by not using SSLv3 at all. # Protect against the BEAST and POODLE attacks by not using SSLv3 at all.
# If you need to support older browsers (IE6) you may need to add # If you need to support older browsers (IE6) you may need to add SSLv3 to the
# SSLv3 to the list of protocols. # list of protocols.
# #
# Based on intermediate profile recommended by Mozilla. # Based on intermediate profile recommended by Mozilla.
# https://mozilla.github.io/server-side-tls/ssl-config-generator/ # https://mozilla.github.io/server-side-tls/ssl-config-generator/
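Review bot: `Protect against the BEAST and POODLE attacks by not using SSLv3 at all.` conflates two different attacks: POODLE is the SSLv3 padding-oracle flaw and is fixed by dropping SSLv3, but BEAST targets CBC suites in TLS 1.0 and is unaffected by that change (it is mitigated client-side and by preferring TLS 1.1+ or AEAD suites). The next sentence, `you may need to add SSLv3 to the list of protocols` for IE6, reintroduces POODLE and should read as a warning rather than a neutral option. Suggest `# Disabling SSLv3 mitigates POODLE; BEAST is a TLS 1.0 CBC issue mitigated by clients and by preferring newer protocols.` followed by `# (!) Re-enabling SSLv3 for IE6 re-exposes POODLE; do not do this on a site that handles credentials or sessions.` The `ssl_protocols` line is outside the hunk.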


@ -2,16 +2,16 @@
# | SSL policy - Intermediate | # | SSL policy - Intermediate |
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# For services that don't need backward compatibility, the parameters # For services that don't need backward compatibility, the parameters below
# below provide a higher level of security. # provide a higher level of security.
# #
# (!) This policy enforces a strong SSL configuration, which may raise # (!) This policy enforces a strong SSL configuration, which may raise errors
# errors with old clients. # with old clients.
# If a more compatible profile is required, use the intermediate policy. # If a more compatible profile is required, use the intermediate policy.
# #
# (1) The NIST curves (prime256v1, secp384r1, secp521r1) are known # (1) The NIST curves (prime256v1, secp384r1, secp521r1) are known to be weak
# to be weak and potentially vulnerable but are required to support # and potentially vulnerable but are required to support Microsoft Edge
# Microsoft Edge and Safari. # and Safari.
# https://safecurves.cr.yp.to/ # https://safecurves.cr.yp.to/
# #
# https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations # https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
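Review bot: The header contradicts the file's own title: `For services that don't need backward compatibility` and `If a more compatible profile is required, use the intermediate policy` describe the Modern profile, yet this is `SSL policy - Intermediate`, so the fallback it points to is itself; the more compatible sibling shown in this commit is `SSL policy - Deprecated`. Suggest `# If a more compatible profile is required, use the deprecated policy.` and an opening sentence saying this profile balances broad client support with security. Separately, `The NIST curves ... are known to be weak and potentially vulnerable` overstates the cited safecurves.cr.yp.to page, which rates those curves as hard to implement safely rather than broken; `are harder to implement safely` would be accurate. The `ssl_ecdh_curve` line is outside the hunk.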


@ -2,9 +2,8 @@
# | SSL policy - Modern | # | SSL policy - Modern |
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# For services that want to be on the bleeding edge, the parameters # For services that want to be on the bleeding edge, the parameters below
# below sacrifice compatibility for the highest level of security # sacrifice compatibility for the highest level of security and performance.
# and performance.
# #
# (!) TLSv1.3 and it's 0-RTT feature require NGINX >=1.15.4 and OpenSSL >=1.1.1 # (!) TLSv1.3 and it's 0-RTT feature require NGINX >=1.15.4 and OpenSSL >=1.1.1
# to be installed. # to be installed.
@ -27,8 +26,8 @@
# $ssl_early_data variable should be used: # $ssl_early_data variable should be used:
# proxy_set_header Early-Data $ssl_early_data; # proxy_set_header Early-Data $ssl_early_data;
# #
# The application should return response code 425 for anything that # The application should return response code 425 "Too Early" for anything
# could contain user supplied data. # that could contain user supplied data.
# #
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/425 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/425
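Review bot: The 0-RTT guidance `The application should return response code 425 "Too Early" for anything that could contain user supplied data` uses the wrong criterion: early data can be replayed by an attacker, so the risk attaches to any request whose handling is not idempotent, including a parameter-free GET with a side effect, not to requests that merely carry user input. RFC 8470 frames it as rejecting non-idempotent requests while `Early-Data: 1` is set. Suggest `# The application should return 425 "Too Early" for any non-idempotent request received with Early-Data: 1, because 0-RTT data can be replayed.` The `ssl_early_data` directive is outside the hunk.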
# #


@ -13,14 +13,14 @@
# Default is 75s # Default is 75s
# #
# (3) SSL buffer size # (3) SSL buffer size
# Set 1400 bytes to fit in one MTU # Set 1400 bytes to fit in one MTU.
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size # https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size
# #
# (4) Disable session tickets # (4) Disable session tickets
# Session tickets keys are not auto-rotated. Only a HUP / restart # Session tickets keys are not auto-rotated. Only a HUP / restart will do
# will do so and when a restart is performed the previous key is # so and when a restart is performed the previous key is lost, which resets
# lost, which resets all previous sessions. # all previous sessions.
# Only enable session tickets if you setup a manual rotation mechanism. # Only enable session tickets if you set up a manual rotation mechanism.
# https://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx # https://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets # https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets
# #


@ -2,29 +2,29 @@
# | Cache file-descriptors | # | Cache file-descriptors |
# ---------------------------------------------------------------------- # ----------------------------------------------------------------------
# This tells Nginx to cache open file handles, "not found" errors and # This tells Nginx to cache open file handles, "Not Found" errors and
# metadata about files and their permissions. # metadata about files and their permissions.
# #
# Based on these cached metadata, Nginx can immediately begin sending # Based on these cached metadata, Nginx can immediately begin sending data when
# data when a popular file is requested, and will also know to # a popular file is requested, and will also know to immediately send a 404 if a
# immediately send a 404 if a file is missing on disk, and so on. # file is missing on disk, and so on.
# #
# (!) It also means that the server won't react immediately to changes # (!) It also means that the server won't react immediately to changes on disk,
# on disk, which may be undesirable. # which may be undesirable.
# As only metadata are cached, edited files may be truncated until # As only metadata are cached, edited files may be truncated until the cache
# the cache is refreshed. # is refreshed.
# https://github.com/h5bp/server-configs-nginx/issues/203 # https://github.com/h5bp/server-configs-nginx/issues/203
# #
# In the below configuration, inactive files are released from the cache # In the below configuration, inactive files are released from the cache after
# after 20 seconds, whereas active (recently requested) files are # 20 seconds, whereas active (recently requested) files are re-validated every
# re-validated every 30 seconds. # 30 seconds.
# Descriptors will not be cached unless they are used at least 2 times # Descriptors will not be cached unless they are used at least 2 times within
# within 20 seconds (the inactive time). # 20 seconds (the inactive time).
# A maximum of the 1000 most recently used file descriptors can be # A maximum of the 1000 most recently used file descriptors can be cached at
# cached at any time. # any time.
# #
# Production servers with stable file collections will definitely want # Production servers with stable file collections will definitely want to enable
# to enable the cache. # the cache.
# #
# https://nginx.org/en/docs/http/ngx_http_core_module.html#open_file_cache # https://nginx.org/en/docs/http/ngx_http_core_module.html#open_file_cache


@ -4,9 +4,8 @@
# Serve resources with far-future expiration date. # Serve resources with far-future expiration date.
# #
# (!) If you don't control versioning with filename-based # (!) If you don't control versioning with filename-based cache busting, you
# cache busting, you should consider lowering the cache times # should consider lowering the cache times to something like one week.
# to something like one week.
# #
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expires # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expires


@ -9,14 +9,14 @@
gzip on; gzip on;
# Compression level (1-9). # Compression level (1-9).
# 5 is a perfect compromise between size and CPU usage, offering about # 5 is a perfect compromise between size and CPU usage, offering about 75%
# 75% reduction for most ASCII files (almost identical to level 9). # reduction for most ASCII files (almost identical to level 9).
# Default: 1 # Default: 1
gzip_comp_level 5; gzip_comp_level 5;
# Don't compress anything that's already small and unlikely to shrink much # Don't compress anything that's already small and unlikely to shrink much if at
# if at all (the default is 20 bytes, which is bad as that usually leads to # all (the default is 20 bytes, which is bad as that usually leads to larger
# larger files after gzipping). # files after gzipping).
# Default: 20 # Default: 20
gzip_min_length 256; gzip_min_length 256;
@ -33,39 +33,39 @@ gzip_proxied any;
gzip_vary on; gzip_vary on;
# Compress all output labeled with one of the following MIME-types. # Compress all output labeled with one of the following MIME-types.
# text/html is always compressed by gzip module. # `text/html` is always compressed by gzip module.
# Default: text/html # Default: text/html
gzip_types gzip_types
application/atom+xml application/atom+xml
application/geo+json
application/javascript application/javascript
application/json application/json
application/ld+json application/ld+json
application/manifest+json application/manifest+json
application/rdf+xml
application/rss+xml application/rss+xml
application/geo+json
application/vnd.ms-fontobject application/vnd.ms-fontobject
application/wasm
application/x-web-app-manifest+json application/x-web-app-manifest+json
application/xhtml+xml application/xhtml+xml
application/xml application/xml
application/rdf+xml
font/otf font/otf
application/wasm
image/bmp image/bmp
image/svg+xml image/svg+xml
text/cache-manifest text/cache-manifest
text/calendar
text/css text/css
text/javascript text/javascript
text/plain
text/markdown text/markdown
text/plain
text/vcard text/vcard
text/calendar
text/vnd.rim.location.xloc text/vnd.rim.location.xloc
text/vtt text/vtt
text/x-component text/x-component
text/x-cross-domain-policy; text/x-cross-domain-policy;
# This should be turned on if you are going to have pre-compressed copies (.gz) of # This should be turned on if you are going to have pre-compressed copies (.gz)
# static files available. If not it should be left off as it will cause extra I/O # of static files available. If not it should be left off as it will cause extra
# for the check. It is best if you enable this in a location{} block for # I/O for the check. It is best if you enable this in a `location` block for a
# a specific directory, or on an individual server{} level. # specific directory, or on an individual `server` level.
# gzip_static on; # gzip_static on;
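Review bot: The reordered `gzip_types` list is now sorted alphabetically within each top-level type (application/, font/, image/, text/), but nothing in the file records that convention, so future additions are likely to be appended at the end as they evidently were before this commit. A one-line comment directly above the directive, `# Keep this list sorted alphabetically by MIME type.`, would make the intent explicit and keep the list consistent with the similarly sorted `mime.types` file touched in the same commit. The rest of the hunk is comment rewrapping only and reads correctly.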


@ -122,6 +122,7 @@ types {
application/xhtml+xml xhtml; application/xhtml+xml xhtml;
application/xslt+xml xsl; application/xslt+xml xsl;
application/zip zip; application/zip zip;
text/calendar ics;
text/css css; text/css css;
text/csv csv; text/csv csv;
text/html htm html shtml; text/html htm html shtml;
@ -129,7 +130,6 @@ types {
text/mathml mml; text/mathml mml;
text/plain txt; text/plain txt;
text/vcard vcard vcf; text/vcard vcard vcf;
text/calendar ics;
text/vnd.rim.location.xloc xloc; text/vnd.rim.location.xloc xloc;
text/vnd.sun.j2me.app-descriptor jad; text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml; text/vnd.wap.wml wml;


@ -7,8 +7,8 @@
# https://en.wikipedia.org/wiki/Principle_of_least_privilege # https://en.wikipedia.org/wiki/Principle_of_least_privilege
user www-data; user www-data;
# Sets the worker threads to the number of CPU cores available in the system for best performance. # Sets the worker threads to the number of CPU cores available in the system for
# Should be > the number of CPU cores. # best performance. Should be > the number of CPU cores.
# Maximum number of connections = worker_processes * worker_connections # Maximum number of connections = worker_processes * worker_connections
# Default: 1 # Default: 1
# https://nginx.org/en/docs/ngx_core_module.html#worker_processes # https://nginx.org/en/docs/ngx_core_module.html#worker_processes
@ -20,13 +20,14 @@ worker_processes auto;
# https://nginx.org/en/docs/ngx_core_module.html#worker_rlimit_nofile # https://nginx.org/en/docs/ngx_core_module.html#worker_rlimit_nofile
worker_rlimit_nofile 8192; worker_rlimit_nofile 8192;
# Provides the configuration file context in which the directives # Provides the configuration file context in which the directives that affect
# that affect connection processing are specified. # connection processing are specified.
# https://nginx.org/en/docs/ngx_core_module.html#events # https://nginx.org/en/docs/ngx_core_module.html#events
events { events {
# If you need more connections than this, you start optimizing your OS. # If you need more connections than this, you start optimizing your OS.
# That's probably the point at which you hire people who are smarter than you as this is *a lot* of requests. # That's probably the point at which you hire people who are smarter than you
# as this is *a lot* of requests.
# Should be < worker_rlimit_nofile. # Should be < worker_rlimit_nofile.
# Default: 512 # Default: 512
# https://nginx.org/en/docs/ngx_core_module.html#worker_connections # https://nginx.org/en/docs/ngx_core_module.html#worker_connections
@ -35,7 +36,7 @@ events {
} }
# Log errors and warnings to this file # Log errors and warnings to this file
# This is only used when you don't override it on a server{} level # This is only used when you don't override it on a `server` level
# Default: logs/error.log error # Default: logs/error.log error
# https://nginx.org/en/docs/ngx_core_module.html#error_log # https://nginx.org/en/docs/ngx_core_module.html#error_log
error_log /var/log/nginx/error.log warn; error_log /var/log/nginx/error.log warn;
@ -47,10 +48,10 @@ pid /var/run/nginx.pid;
http { http {
# Hide nginx version information. # Hide Nginx version information.
include h5bp/security/server_software_information.conf; include h5bp/security/server_software_information.conf;
# Specify MIME types for files. # Specify media (MIME) types for files.
include h5bp/media_types/media_types.conf; include h5bp/media_types/media_types.conf;
# Set character encodings. # Set character encodings.
@ -63,7 +64,7 @@ http {
'"$http_user_agent" "$http_x_forwarded_for"'; '"$http_user_agent" "$http_x_forwarded_for"';
# Log access to this file # Log access to this file
# This is only used when you don't override it on a server{} level # This is only used when you don't override it on a `server` level
# Default: logs/access.log combined # Default: logs/access.log combined
# https://nginx.org/en/docs/http/ngx_http_log_module.html#access_log # https://nginx.org/en/docs/http/ngx_http_log_module.html#access_log
access_log /var/log/nginx/access.log main; access_log /var/log/nginx/access.log main;
@ -75,17 +76,16 @@ http {
# https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout # https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout
keepalive_timeout 20s; keepalive_timeout 20s;
# Speed up file transfers by using sendfile() to copy directly # Speed up file transfers by using `sendfile()` to copy directly between
# between descriptors rather than using read()/write(). # descriptors rather than using `read()`/`write()``.
# For performance reasons, on FreeBSD systems w/ ZFS # For performance reasons, on FreeBSD systems w/ ZFS this option should be
# this option should be disabled as ZFS's ARC caches # disabled as ZFS's ARC caches frequently used files in RAM by default.
# frequently used files in RAM by default.
# Default: off # Default: off
# https://nginx.org/en/docs/http/ngx_http_core_module.html#sendfile # https://nginx.org/en/docs/http/ngx_http_core_module.html#sendfile
sendfile on; sendfile on;
# Don't send out partial frames; this increases throughput # Don't send out partial frames; this increases throughput since TCP frames
# since TCP frames are filled up before being sent out. # are filled up before being sent out.
# Default: off # Default: off
# https://nginx.org/en/docs/http/ngx_http_core_module.html#tcp_nopush # https://nginx.org/en/docs/http/ngx_http_core_module.html#tcp_nopush
tcp_nopush on; tcp_nopush on;
@ -143,7 +143,7 @@ http {
} }
# Include files in the conf.d folder. # Include files in the conf.d folder.
# server{} configuration files should be placed in the conf.d folder. # `server` configuration files should be placed in the conf.d folder.
# The configurations should be disabled by prefixing files with a dot. # The configurations should be disabled by prefixing files with a dot.
include conf.d/*.conf; include conf.d/*.conf;
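Review bot: The rewrapped `sendfile` comment in the `http` hunk introduces a stray doubled backtick: the new line ends with two backticks after `write()` where the old text had none and the new style calls for one, so it should read `# descriptors rather than using `read()`/`write()`.` with a single closing backtick. While the `worker_processes` comment is being rewrapped it is also worth aligning its wording with the directive: it says "Sets the worker threads" and "Should be > the number of CPU cores" for a directive that sets the number of worker processes and is configured as `worker_processes auto;`, which appears contradictory, though this wording predates the commit. The `http {` block continues past the end of the hunk.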