gaja-group
/
server-configs-nginx
mirror of https://github.com/h5bp/server-configs-nginx
2
0
Fork 0
Code Issues Releases Wiki Activity

Switch to `https` when possible

This commit is contained in:
Léo Colombaro 2018-11-23 13:15:44 +01:00
parent b0b3dd87c4
commit e38617e7fb
No known key found for this signature in database
GPG Key ID: 687B480A6D4F735F
11 changed files with 25 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
CONTRIBUTING.md
View File

@ -17,7 +17,7 @@ and [submitting pull requests](#pull-requests), but please respect the following
restrictions: restrictions:
* Please **do not** use the issue tracker for personal support requests (use * Please **do not** use the issue tracker for personal support requests (use
[Stack Overflow](http://stackoverflow.com) or IRC). [Stack Overflow](https://stackoverflow.com) or IRC).
* Please **do not** derail or troll issues. Keep the discussion on topic and * Please **do not** derail or troll issues. Keep the discussion on topic and
respect the opinions of others. respect the opinions of others.
@ -38,7 +38,7 @@ Guidelines for bug reports:
latest `master` or development branch in the repository. latest `master` or development branch in the repository.
3. **Isolate the problem** — ideally create a [reduced test 3. **Isolate the problem** — ideally create a [reduced test
case](http://css-tricks.com/6263-reduced-test-cases/) and a live example. case](https://css-tricks.com/6263-reduced-test-cases/) and a live example.
A good bug report shouldn't leave others needing to chase you up for more A good bug report shouldn't leave others needing to chase you up for more
information. Please try to be as detailed as possible in your report. What is information. Please try to be as detailed as possible in your report. What is
@ -90,7 +90,7 @@ accurate comments, etc.) and any other requirements (such as test coverage).
Adhering to the following this process is the best way to get your work Adhering to the following this process is the best way to get your work
included in the project: included in the project:
1. [Fork](http://help.github.com/fork-a-repo/) the project, clone your fork, 1. [Fork](https://help.github.com/fork-a-repo/) the project, clone your fork,
and configure the remotes: and configure the remotes:
```bash ```bash
@ -117,7 +117,7 @@ included in the project:
``` ```
4. Commit your changes in logical chunks. Please adhere to these [git commit 4. Commit your changes in logical chunks. Please adhere to these [git commit
message guidelines](http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html) message guidelines](https://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html)
or your code is unlikely be merged into the main project. Use Git's or your code is unlikely be merged into the main project. Use Git's
[interactive rebase](https://help.github.com/articles/interactive-rebase) [interactive rebase](https://help.github.com/articles/interactive-rebase)
feature to tidy up your commits before making them public. feature to tidy up your commits before making them public.

2
doc/TOC.md
View File

@ -15,7 +15,7 @@
## Related projects ## Related projects
* [HTML5 Boilerplate](http://html5boilerplate.com) — professional front-end * [HTML5 Boilerplate](https://html5boilerplate.com) — professional front-end
template. template.
* [Server configs](https://github.com/h5bp/server-configs) — Configs for * [Server configs](https://github.com/h5bp/server-configs) — Configs for
other web servers. other web servers.

2
doc/common-problems.md
View File

@ -10,7 +10,7 @@ Depending on the server architecture, it's possible to get the following error:
> could not build the types_hash, you should increase either > could not build the types_hash, you should increase either
> types_hash_max_size: 1024 or types_hash_bucket_size: 32 > types_hash_max_size: 1024 or types_hash_bucket_size: 32
Nginx uses [hash tables](http://nginx.org/en/docs/hash.html) to speed up certain Nginx uses [hash tables](https://nginx.org/en/docs/hash.html) to speed up certain
tasks, usually the default value is sufficient but depending on the actual server tasks, usually the default value is sufficient but depending on the actual server
config this error might be encountered. The solution is to do exactly what the config this error might be encountered. The solution is to do exactly what the
error message suggests, by adding to nginx.conf the following: error message suggests, by adding to nginx.conf the following:

6
doc/examples/hotlink-protection.md
View File

@ -9,7 +9,7 @@ assets.
## valid_referers ## valid_referers
the simplest way to protect assets from hotlinking is to use the simplest way to protect assets from hotlinking is to use
[valid_referers](http://nginx.org/en/docs/http/ngx_http_referer_module.html). [valid_referers](https://nginx.org/en/docs/http/ngx_http_referer_module.html).
It's easy to use, this would be included in a relevant location block: It's easy to use, this would be included in a relevant location block:
valid_referers none blocked example.com *.example.com; valid_referers none blocked example.com *.example.com;
@ -19,7 +19,7 @@ It's easy to use, this would be included in a relevant location block:
## secure_link ## secure_link
The [secure_link module](http://nginx.org/en/docs/http/ngx_http_secure_link_module.html) The [secure_link module](https://nginx.org/en/docs/http/ngx_http_secure_link_module.html)
provides a flexible, more robust means of protecting assets from being hotlinked or provides a flexible, more robust means of protecting assets from being hotlinked or
downloaded outside from outside the web itself. downloaded outside from outside the web itself.
@ -48,7 +48,7 @@ Example nginx config:
This requires implementing server-side logic to generate links of the form: This requires implementing server-side logic to generate links of the form:
http://example.com/protected/url.ext?md5=hash&expires=timestamp https://example.com/protected/url.ext?md5=hash&expires=timestamp
where: where:

6
doc/h5bp.md
View File

@ -69,7 +69,7 @@ header to permit only a finite list of domains to make AJAX requests.
### no-transform.conf ### no-transform.conf
[No transform headers](http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.5) [No transform headers](https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.9.5)
prevent mobile providers from modifying/optimizing served content. This file prevent mobile providers from modifying/optimizing served content. This file
contains the directive only and should be included only when it is specifically contains the directive only and should be included only when it is specifically
desired for the server response to remain unmodified. desired for the server response to remain unmodified.
@ -83,11 +83,11 @@ This file contains sane-default config for setting up nginx to handle SSL traffi
### ssl-stapling.conf ### ssl-stapling.conf
[OCSP staping](http://en.wikipedia.org/wiki/OCSP_stapling) relates to handling [OCSP staping](https://en.wikipedia.org/wiki/OCSP_stapling) relates to handling
the revocation of SSL certificates, this config file turns on stapling using the revocation of SSL certificates, this config file turns on stapling using
Google's DNS resolver. Google's DNS resolver.
### x-ua-compatible.conf ### x-ua-compatible.conf
This adds a header to force internet explorer to use the highest mode available. This adds a header to force internet explorer to use the highest mode available.
As of [Internet explorer version 11 this is no longer necessary](http://msdn.microsoft.com/en-us/library/ie/bg182625.aspx#docmode). As of [Internet explorer version 11 this is no longer necessary](https://msdn.microsoft.com/en-us/library/ie/bg182625.aspx#docmode).

4
doc/how-nginx-works.md
View File

@ -4,13 +4,13 @@
# How Nginx works # How Nginx works
If you're familiar with any other webserver, some aspects of If you're familiar with any other webserver, some aspects of
[the way Nginx works](http://nginx.org/en/docs/http/request_processing.html) [the way Nginx works](https://nginx.org/en/docs/http/request_processing.html)
can cause confusion. This document aims to highlight differences or features can cause confusion. This document aims to highlight differences or features
which may trip up new users. which may trip up new users.
## Nginx will only use one location block ## Nginx will only use one location block
A [location block (directive)](http://nginx.org/en/docs/http/ngx_http_core_module.html#location) A [location block (directive)](https://nginx.org/en/docs/http/ngx_http_core_module.html#location)
defines the behavior for a given request which matches the location url pattern. The block used defines the behavior for a given request which matches the location url pattern. The block used
is whichever is the most specific for the given request, the rules for is whichever is the most specific for the given request, the rules for
precedence can be found in [Nginx's wiki](http://wiki.nginx.org/HttpCoreModule#location). precedence can be found in [Nginx's wiki](http://wiki.nginx.org/HttpCoreModule#location).

14
doc/nginx-conf.md
View File

@ -7,26 +7,26 @@ The `nginx.conf` file is the main config file for nginx, which either defines
or includes the whole configuration for the server. or includes the whole configuration for the server.
When editing or defining an nginx configuration file - take care to note in When editing or defining an nginx configuration file - take care to note in
which [context](http://nginx.org/en/docs/beginners_guide.html#conf_structure) which [context](https://nginx.org/en/docs/beginners_guide.html#conf_structure)
a directive applies. a directive applies.
Below are some notes on a few of the more important/commonly-edited directives. Below are some notes on a few of the more important/commonly-edited directives.
For detailed information on any particular directive, please see For detailed information on any particular directive, please see
[the official documentation](http://nginx.org/en/docs/). [the official documentation](https://nginx.org/en/docs/).
## user ## user
The [user directive](http://nginx.org/en/docs/ngx_core_module.html#user) The [user directive](https://nginx.org/en/docs/ngx_core_module.html#user)
indicates which user the server will run as. This is typically a user indicates which user the server will run as. This is typically a user
specifically for web usage such as "www" "www-data". specifically for web usage such as "www" "www-data".
The webserver user, and file permissions for any application, should be defined/chosen The webserver user, and file permissions for any application, should be defined/chosen
following [the principle of least privilege](http://en.wikipedia.org/wiki/Principle_of_least_privilege) following [the principle of least privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege)
i.e., sufficient privileges to function correctly but no more than that. i.e., sufficient privileges to function correctly but no more than that.
## worker_processes ## worker_processes
The [worker_processes directive](http://nginx.org/en/docs/ngx_core_module.html#worker_processes) The [worker_processes directive](https://nginx.org/en/docs/ngx_core_module.html#worker_processes)
broadly defines the number of connections nginx can process. broadly defines the number of connections nginx can process.
As of version 1.2.5+ and 1.3.8+, nginx supports the value "auto" which will As of version 1.2.5+ and 1.3.8+, nginx supports the value "auto" which will
@ -35,7 +35,7 @@ the number of CPUs is a good default/starting point.
## error_log ## error_log
The [error_log directive](http://nginx.org/en/docs/ngx_core_module.html#error_log) The [error_log directive](https://nginx.org/en/docs/ngx_core_module.html#error_log)
can be defined/overriden in any context. The directive in the main context can be defined/overriden in any context. The directive in the main context
defines the log file to use unless otherwise overriden (at http, server or location defines the log file to use unless otherwise overriden (at http, server or location
level). This must point to a location writable to the webserver user. level). This must point to a location writable to the webserver user.
@ -50,6 +50,6 @@ to where you would like log files to be located. e.g.:
## pid ## pid
The [pid directive](http://nginx.org/en/docs/ngx_core_module.html#pid) is used The [pid directive](https://nginx.org/en/docs/ngx_core_module.html#pid) is used
by nginx to store the process id of the main process. This must point to a writable by nginx to store the process id of the main process. This must point to a writable
location. location.

2
h5bp/directive-only/cross-domain-insecure.conf
View File

@ -1,6 +1,6 @@
# Cross domain AJAX requests # Cross domain AJAX requests
# http://www.w3.org/TR/cors/#access-control-allow-origin-response-header # https://www.w3.org/TR/cors/#access-control-allow-origin-response-header
# **Security Warning** # **Security Warning**
# Do not use this without understanding the consequences. # Do not use this without understanding the consequences.

2
h5bp/directive-only/extra-security.conf
View File

@ -10,7 +10,7 @@ add_header X-Content-Type-Options nosniff always;
# The header instructs IE to enable its inbuilt anti-cross-site scripting filter. # The header instructs IE to enable its inbuilt anti-cross-site scripting filter.
add_header X-XSS-Protection "1; mode=block" always; add_header X-XSS-Protection "1; mode=block" always;
# with Content Security Policy (CSP) enabled (and a browser that supports it (http://caniuse.com/#feat=contentsecuritypolicy), # with Content Security Policy (CSP) enabled (and a browser that supports it (https://caniuse.com/#feat=contentsecuritypolicy),
# you can tell the browser that it can only download content from the domains you explicitly allow # you can tell the browser that it can only download content from the domains you explicitly allow
# CSP can be quite difficult to configure, and cause real issues if you get it wrong # CSP can be quite difficult to configure, and cause real issues if you get it wrong
# There is website that helps you generate a policy here http://cspisawesome.com/ # There is website that helps you generate a policy here http://cspisawesome.com/

2
h5bp/directive-only/ssl.conf
View File

@ -21,7 +21,7 @@ ssl_session_timeout 24h;
# nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and # nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
# when a restart is performed the previous key is lost, which resets all previous # when a restart is performed the previous key is lost, which resets all previous
# sessions. The fix for this is to setup a manual rotation mechanism: # sessions. The fix for this is to setup a manual rotation mechanism:
# http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx # https://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
# #
# Note that you'll have to define and rotate the keys securely by yourself. In absence # Note that you'll have to define and rotate the keys securely by yourself. In absence
# of such infrastructure, consider turning off session tickets: # of such infrastructure, consider turning off session tickets:

2
nginx.conf
View File

@ -1,5 +1,5 @@
# Configuration File - Nginx Server Configs # Configuration File - Nginx Server Configs
# http://nginx.org/en/docs/dirindex.html # https://nginx.org/en/docs/dirindex.html
# Run as a unique, less privileged user for security reasons. # Run as a unique, less privileged user for security reasons.
# Default: nobody nobody # Default: nobody nobody