Switch from location directives to maps based on MIME-types

* Expire
* X-XSS-Protection
* X-Frame-Options
* X-UA-Compatible
* Content-Security-Policy
* Access-Control-Allow-Origin
Léo Colombaro 2019-02-10 20:46:58 +01:00
parent 2d135053cb
commit 6dd4cc27ed
11 changed files with 148 additions and 102 deletions


@ -3,5 +3,3 @@
include h5bp/internet_explorer/x-ua-compatible.conf;
include h5bp/location/security_file_access.conf;
include h5bp/location/web_performance_cache_expiration.conf;
include h5bp/location/cross-origin_web_fonts.conf;


@ -16,4 +16,4 @@
# Allow access based on [sub]domain:
# add_header Access-Control-Allow-Origin "subdomain.example.com";
add_header Access-Control-Allow-Origin "*";
add_header Access-Control-Allow-Origin $cors;
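Review bot: `add_header Access-Control-Allow-Origin $cors;` now references a `$cors` variable that this file does not declare; it only exists because of the `map` added to nginx.conf in this commit, and nginx refuses to load a configuration whose add_header value uses a variable no map or set defines (`unknown "cors" variable`), so the snippet is no longer self-contained. The same dependency is introduced for `$x_ua_compatible`, `$content_security_policy`, `$x_frame_options` and `$x_xss_protection` in the later hunks. A comment above the directive would make that visible, e.g. `# $cors is set by "map $sent_http_content_type $cors" in nginx.conf; an empty value means the header is not sent.` The surrounding file continues outside the hunk.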


@ -16,4 +16,4 @@
# https://blogs.msdn.microsoft.com/ie/2014/04/02/stay-up-to-date-with-enterprise-mode-for-internet-explorer-11/
# https://msdn.microsoft.com/en-us/library/ff955275.aspx
add_header X-UA-Compatible "IE=Edge";
add_header X-UA-Compatible $x_ua_compatible;


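--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,18 +0,0 @@
-# ----------------------------------------------------------------------
-# | Cross-origin images |
-# ----------------------------------------------------------------------
-# Send the CORS header for images when browsers request it.
-#
-# https://developer.mozilla.org/en-US/docs/Web/HTML/CORS_enabled_image
-# https://blog.chromium.org/2011/07/using-cross-domain-images-in-webgl-and.html
-location ~* \.(?:bmp|cur|gif|ico|jpe?g|png|svgz?|webp?)$ {
-include h5bp/cross-origin/requests.conf;
-# Also, set cache rules for images.
-#
-# https://nginx.org/en/docs/http/ngx_http_core_module.html#location
-access_log off;
-expires 1M;
-}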


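--- a/h5bp/location/cross-origin_web_fonts.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-# ----------------------------------------------------------------------
-# | Cross-origin web fonts |
-# ----------------------------------------------------------------------
-# Allow cross-origin access to web fonts.
-#
-# https://developers.google.com/fonts/docs/troubleshooting
-location ~* \.(?:eot|otf|tt[cf]|woff2?)$ {
-include h5bp/cross-origin/requests.conf;
-# Also, set cache rules for web fonts.
-#
-# https://nginx.org/en/docs/http/ngx_http_core_module.html#location
-# https://github.com/h5bp/server-configs/issues/85
-# https://github.com/h5bp/server-configs/issues/86
-access_log off;
-expires 1M;
-}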


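--- a/h5bp/location/web_performance_cache_expiration.conf
+++ /dev/null
@@ -1,57 +0,0 @@
-# ----------------------------------------------------------------------
-# | Cache expiration |
-# ----------------------------------------------------------------------
-# Serve resources with far-future expiration date.
-#
-# (!) If you don't control versioning with filename-based
-# cache busting, you should consider lowering the cache times
-# to something like one week.
-#
-# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
-# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expires
-# https://nginx.org/en/docs/http/ngx_http_headers_module.html#expires
-# No default expire rule. This config mirrors that of apache as outlined in the
-# html5-boilerplate .htaccess file. However, nginx applies rules by location,
-# the apache rules are defined by type. A consequence of this difference is that
-# if you use no file extension in the url and serve html, with apache you get an
-# expire time of 0s, with nginx you'd get an expire header of one month in the
-# future (if the default expire rule is 1 month). Therefore, do not use a
-# default expire rule with nginx unless your site is completely static
-# Documents
-location ~* \.(?:manifest|appcache|html?|xml|json)$ {
-expires 0;
-}
-# Feeds
-location ~* \.(?:rss|atom)$ {
-expires 1h;
-}
-# Media files
-location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|mp4|ogg|ogv|webm|htc)$ {
-access_log off;
-expires 1M;
-}
-# Media: svgz files are already compressed.
-location ~* \.svgz$ {
-access_log off;
-gzip off;
-expires 1M;
-}
-# CSS and JavaScript
-location ~* \.(?:css|js)$ {
-expires 1y;
-access_log off;
-}
-# Web fonts
-# If you are NOT using cross-domain-fonts.conf, uncomment the following directive
-# location ~* \.(?:eot|otf|tt[cf]|woff2?)$ {
-# expires 1M;
-# access_log off;
-# }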


@ -20,4 +20,4 @@
# https://content-security-policy.com/
# https://www.html5rocks.com/en/tutorials/security/content-security-policy/
add_header Content-Security-Policy "script-src 'self'; object-src 'self'" always;
add_header Content-Security-Policy $content_security_policy always;


@ -33,4 +33,4 @@
# https://blogs.msdn.microsoft.com/ieinternals/2010/03/30/combating-clickjacking-with-x-frame-options/
# https://www.owasp.org/index.php/Clickjacking
add_header X-Frame-Options DENY always;
add_header X-Frame-Options $x_frame_options always;


@ -35,5 +35,4 @@
# https://blogs.msdn.microsoft.com/ieinternals/2011/01/31/controlling-the-xss-filter/
# https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
# (1) (2)
add_header X-XSS-Protection "1; mode=block" always;
add_header X-XSS-Protection $x_xss_protection always;


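--- /dev/null
+++ b/h5bp/web_performance/cache_expiration.conf
@@ -0,0 +1,88 @@
+# ----------------------------------------------------------------------
+# | Cache expiration |
+# ----------------------------------------------------------------------
+# Serve resources with far-future expiration date.
+#
+# (!) If you don't control versioning with filename-based
+# cache busting, you should consider lowering the cache times
+# to something like one week.
+#
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expires
+# https://nginx.org/en/docs/http/ngx_http_headers_module.html#expires
+map $sent_http_content_type $expires {
+default 1M;
+# CSS
+text/css 1y;
+# Data interchange
+application/atom+xml 1h;
+application/rdf+xml 1h;
+application/rss+xml 1h;
+application/json 0;
+application/ld+json 0;
+application/schema+json 0;
+application/geo+json 0;
+application/xml 0;
+text/calendar 0;
+text/xml 0;
+# Favicon (cannot be renamed!) and cursor images
+image/vnd.microsoft.icon 1w;
+image/x-icon 1w;
+# HTML
+text/html 0;
+# JavaScript
+application/javascript 1y;
+application/x-javascript 1y;
+text/javascript 1y;
+# Manifest files
+application/manifest+json 1w;
+application/x-web-app-manifest+json 0;
+text/cache-manifest 0;
+# Markdown
+text/markdown 0;
+# Media files
+audio/ogg 1M;
+image/bmp 1M;
+image/gif 1M;
+image/jpeg 1M;
+image/png 1M;
+image/svg+xml 1M;
+image/webp 1M;
+video/mp4 1M;
+video/ogg 1M;
+video/webm 1M;
+# WebAssembly
+application/wasm 1y;
+# Web fonts
+font/collection 1M;
+application/vnd.ms-fontobject 1M;
+font/eot 1M;
+font/opentype 1M;
+font/otf 1M;
+application/x-font-ttf 1M;
+font/ttf 1M;
+application/font-woff 1M;
+application/x-font-woff 1M;
+font/woff 1M;
+application/font-woff2 1M;
+font/woff2 1M;
+# Other
+text/x-cross-domain-policy 1w;
+}
+expires $expires;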
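Review bot: Every key in the `$expires` map is an exact-string match, but `$sent_http_content_type` holds the full header value, so a document sent as `text/html; charset=utf-8` (what nginx emits for text types whenever a `charset` directive is active, which is not visible here) matches no entry and falls through to `default 1M` — the month-long HTML caching the deleted location-based file explicitly warned against, and JSON/XML responses carrying a charset parameter fare the same. The identical exact-match problem affects the `text/html` keys of the `$x_xss_protection`, `$x_frame_options`, `$content_security_policy` and `$x_ua_compatible` maps in the nginx.conf hunk, where a miss means the security header is silently not sent at all, since add_header emits nothing for an empty value. Match the short-lived types by prefix with regex keys as below (exact entries are still tried first, then the regexes in file order). Separately, `expires` accepts a variable argument only from nginx 1.7.9 onwards, which deserves a one-line comment above `expires $expires;`, and the deleted paragraph explaining why a catch-all expiry is risky on nginx is worth carrying over into this header comment.
```nginx
map $sent_http_content_type $expires {
    default 1M;
    # … unchanged: CSS, JavaScript, media, font, WebAssembly and other long-lived entries …
    # Short-lived types are matched by prefix so that a "; charset=..."
    # parameter cannot make them fall through to "default".
    ~*^text/html 0;
    ~*^text/xml 0;
    ~*^text/calendar 0;
    ~*^text/markdown 0;
    ~*^text/cache-manifest 0;
    ~*^application/(?:xml|json|ld\+json|schema\+json|geo\+json|x-web-app-manifest\+json) 0;
    ~*^application/(?:atom|rdf|rss)\+xml 1h;
}
expires $expires;
```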


@ -93,6 +93,61 @@ http {
# Enable gzip compression.
include h5bp/web_performance/compression.conf;
# Specify file cache expiration.
include h5bp/web_performance/cache_expiration.conf;
# Add X-XSS-Protection for HTML documents.
# h5bp/security/x-xss-protection.conf
map $sent_http_content_type $x_xss_protection {
# (1) (2)
text/html "1; mode=block";
}
# Add X-Frame-Options for HTML documents.
# h5bp/security/x-frame-options.conf
map $sent_http_content_type $x_frame_options {
text/html DENY;
}
# Add Content-Security-Policy for HTML documents.
# h5bp/security/content-security-policy.conf
map $sent_http_content_type $content_security_policy {
text/html "script-src 'self'; object-src 'self'";
}
# Add X-UA-Compatible for HTML documents.
# h5bp/internet_explorer/x-ua-compatible.conf
map $sent_http_content_type $x_ua_compatible {
text/html "IE=edge";
}
# Add Access-Control-Allow-Origin.
# h5bp/cross-origin/requests.conf
map $sent_http_content_type $cors {
# Images
image/bmp "*";
image/gif "*";
image/jpeg "*";
image/png "*";
image/svg+xml "*";
image/webp "*";
image/x-icon "*";
# Web fonts
font/collection "*";
application/vnd.ms-fontobject "*";
font/eot "*";
font/opentype "*";
font/otf "*";
application/x-font-ttf "*";
font/ttf "*";
application/font-woff "*";
application/x-font-woff "*";
font/woff "*";
application/font-woff2 "*";
font/woff2 "*";
}
# Include files in the conf.d folder.
# server{} configuration files should be placed in the conf.d folder.
# The configurations should be disabled by prefixing files with a dot.
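Review bot: The `$cors` map lists `image/x-icon` but not `image/vnd.microsoft.icon`, while the `$expires` map added in the same commit treats the two as equivalent favicon types; an icon served under the `vnd.microsoft.icon` type gets the cache rule but no CORS header, which looks accidental rather than intended. Either add `image/vnd.microsoft.icon "*";` next to `image/x-icon "*";` or document why only one spelling is covered. The five maps also rely on an unstated rule — a type that is absent yields an empty string and `add_header` then sends nothing — which is worth one comment above the first map, e.g. `# Types not listed map to "", and add_header skips a header whose value is empty.` The enclosing `http {}` block begins and ends outside the hunk.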