bjf5201 · February 24, 2025 21:23
diff --git a/hardened_nginx.conf b/hardened_nginx.conf
 # Hardened (secured) nginx.conf
 http {
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;

        #don't send the nginx version number in error pages and Server header
        server_tokens off;

        # config to don't allow the browser to render the page inside an frame or iframe
        # and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
        add_header X-Frame-Options DENY;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        gzip on;
        gzip_disable "msie6";
        
        server {
                listen   80;
                return 301 https://$host$request_uri;
        }
        
        server {
                server_name .your-domain.com;
                listen 443 ssl default deferred;

                ssl_certificate     /etc/nginx/ssl/myssl.crt;
                ssl_certificate_key /etc/nginx/ssl/myssl.key;

                # enables server-side protection from BEAST attacks
                # http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
                ssl_prefer_server_ciphers on;

                # disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then TLS
                ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

                # ciphers chosen for forward secrecy and compatibility
                # http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
                ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE"

                # enable session resumption to improve https performance
                # http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
                ssl_session_cache shared:SSL:50m;
                ssl_session_timeout 5m;

                 # config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
                # to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
                add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

                keepalive_timeout 60;
                root /usr/share/nginx/www;
                index index.html index.htm;

             location / {
             }
        }
 }
	# Hardened (secured) nginx.conf
	http {
	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 65;
	types_hash_max_size 2048;

	#don't send the nginx version number in error pages and Server header
	server_tokens off;

	# config to don't allow the browser to render the page inside an frame or iframe
	# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
	add_header X-Frame-Options DENY;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	gzip on;
	gzip_disable "msie6";

	server {
	listen 80;
	return 301 https://$host$request_uri;
	}

	server {
	server_name .your-domain.com;
	listen 443 ssl default deferred;

	ssl_certificate /etc/nginx/ssl/myssl.crt;
	ssl_certificate_key /etc/nginx/ssl/myssl.key;

	# enables server-side protection from BEAST attacks
	# http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
	ssl_prefer_server_ciphers on;

	# disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then TLS
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

	# ciphers chosen for forward secrecy and compatibility
	# http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
	ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE"

	# enable session resumption to improve https performance
	# http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
	ssl_session_cache shared:SSL:50m;
	ssl_session_timeout 5m;

	# config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
	# to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
	add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

	keepalive_timeout 60;
	root /usr/share/nginx/www;
	index index.html index.htm;

	location / {
	}
	}
	}