Diffstat (limited to 'playbooks.d/webserver-nginx/share/snippets.d')
-rw-r--r--playbooks.d/webserver-nginx/share/snippets.d/certbot.conf5
-rw-r--r--playbooks.d/webserver-nginx/share/snippets.d/fcgi.conf27
-rw-r--r--playbooks.d/webserver-nginx/share/snippets.d/headers.conf4
-rw-r--r--playbooks.d/webserver-nginx/share/snippets.d/ssl.conf16
-rw-r--r--playbooks.d/webserver-nginx/share/snippets.d/uwsgi.conf20
5 files changed, 72 insertions, 0 deletions
diff --git a/playbooks.d/webserver-nginx/share/snippets.d/certbot.conf b/playbooks.d/webserver-nginx/share/snippets.d/certbot.conf
new file mode 100644
index 0000000..64c9195
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/snippets.d/certbot.conf
@@ -0,0 +1,5 @@
+# Certbot endpoint
+location /.well-known/acme-challenge {
+ root /var/www/.acme;
+ try_files $uri $uri/ =404;
+}
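Review bot: A plain prefix `location /.well-known/acme-challenge` can be shadowed by any regex location in the same server block, because nginx prefers a matching `~`/`~*` location over a prefix match that is not marked `^~`; a `location ~ \.php$` or similar elsewhere would then intercept the challenge requests and renewals would fail. `location ^~ /.well-known/acme-challenge/ {` pins this block regardless of what else is defined. The `$uri/` entry in `try_files` serves no purpose for ACME (tokens are always plain files) and only sends a bare directory request into index handling, so `try_files $uri =404;` is the tighter form, and `default_type text/plain;` inside the block is the usual companion. The enclosing server block and any sibling locations are outside the hunk, so whether such regex locations exist cannot be seen from here.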
diff --git a/playbooks.d/webserver-nginx/share/snippets.d/fcgi.conf b/playbooks.d/webserver-nginx/share/snippets.d/fcgi.conf
new file mode 100644
index 0000000..bc235bf
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/snippets.d/fcgi.conf
@@ -0,0 +1,27 @@
+fastcgi_param QUERY_STRING $query_string;
+fastcgi_param REQUEST_METHOD $request_method;
+fastcgi_param CONTENT_TYPE $content_type;
+fastcgi_param CONTENT_LENGTH $content_length;
+
+fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+fastcgi_param REQUEST_URI $request_uri;
+fastcgi_param DOCUMENT_URI $document_uri;
+fastcgi_param DOCUMENT_ROOT $document_root;
+fastcgi_param SERVER_PROTOCOL $server_protocol;
+fastcgi_param REQUEST_SCHEME $scheme;
+fastcgi_param HTTPS $https if_not_empty;
+
+fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+fastcgi_param REMOTE_ADDR $remote_addr;
+fastcgi_param REMOTE_PORT $remote_port;
+fastcgi_param SERVER_ADDR $server_addr;
+fastcgi_param SERVER_PORT $server_port;
+fastcgi_param SERVER_NAME $server_name;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param REDIRECT_STATUS 200;
+
+# httpoxy mitigation (https://httpoxy.org/ https://www.nginx.com/blog/?p=41962)
+fastcgi_param HTTP_PROXY "";
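Review bot: The snippet sets neither `SCRIPT_FILENAME` nor `PATH_INFO`, so the `location` that includes it must supply them, and that is exactly where the well-known PHP-FPM hazard lives: if the includer uses `$document_root$fastcgi_script_name` together with `cgi.fix_pathinfo=1`, a request such as `/uploads/image.jpg/x.php` can be executed as PHP unless that location also has `try_files $uri =404;` (or `fastcgi_split_path_info` followed by an existence check). Since the including location is outside this hunk, the contract should be stated in the file: `# Caller must set SCRIPT_FILENAME (and PATH_INFO if used) and guard with try_files $uri =404 to prevent path-info spoofing`. The `REDIRECT_STATUS` and `HTTP_PROXY` lines at the end are correct as written; the httpoxy comment is a good model for the comment proposed above.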
diff --git a/playbooks.d/webserver-nginx/share/snippets.d/headers.conf b/playbooks.d/webserver-nginx/share/snippets.d/headers.conf
new file mode 100644
index 0000000..c277e3d
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/snippets.d/headers.conf
@@ -0,0 +1,4 @@
+add_header Content-Security-Policy "default-src 'self'" always;
+add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header X-Frame-Options "SAMEORIGIN" always;
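Review bot: `add_header` directives are inherited from the enclosing level only when the current level defines none of its own, so any `location` or `server` block that sits below the include point and adds even one other header — for example the HSTS `add_header` in ssl.conf, if the two snippets are included at different levels — silently drops all four of these headers for responses served from that block. That is the most common way hardening headers go missing in nginx and it is not visible from the snippet, since the include sites are outside the hunk. A leading comment such as `# NOTE: add_header is NOT inherited into any block that sets its own add_header; re-include this snippet in every such block` would warn the maintainer. Separately, `default-src 'self'` does not govern framing, so the `X-Frame-Options` line is still doing all of the clickjacking work; if the CSP is ever extended, `frame-ancestors 'self'` is the modern equivalent to add alongside it.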
diff --git a/playbooks.d/webserver-nginx/share/snippets.d/ssl.conf b/playbooks.d/webserver-nginx/share/snippets.d/ssl.conf
new file mode 100644
index 0000000..68bcdf0
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/snippets.d/ssl.conf
@@ -0,0 +1,16 @@
+# SSL settings
+ssl_protocols TLSv1.3 TLSv1.2;
+
+ssl_buffer_size 4K;
+ssl_dhparam /etc/nginx/dhparam.pem;
+ssl_ecdh_curve secp521r1:secp384r1;
+ssl_prefer_server_ciphers on;
+ssl_session_cache shared:le_nginx_SSL:2m;
+ssl_session_tickets off;
+ssl_session_timeout 1440m;
+
+# Ciphers
+ssl_ciphers 'EECDH+AESGCM:EECDH+AES256:!ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES256-SHA';
+
+# Additional headers
+add_header Strict-Transport-Security "max-age=63072000" always;
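Review bot: The exclusions on the `ssl_ciphers` line are asymmetric: `EECDH+AES256` pulls in the CBC suites and only the `ECDHE-RSA-AES256-SHA384`/`-SHA` variants are then removed, so `ECDHE-ECDSA-AES256-SHA384` and `ECDHE-ECDSA-AES256-SHA` stay enabled for an ECDSA certificate, which is presumably not the intent. `ssl_ciphers 'EECDH+AESGCM:EECDH+CHACHA20';` drops CBC for both key types and adds ChaCha20-Poly1305 for clients without AES hardware. `ssl_ecdh_curve secp521r1:secp384r1` omits X25519 and P-256, the groups nearly every modern client sends in its first TLS 1.3 key share, so each fresh handshake costs a HelloRetryRequest round trip and any client offering only P-256 cannot connect at all; `ssl_ecdh_curve X25519:secp384r1:prime256v1;` is the usual choice. With an `EECDH`-only cipher list no DHE suite is ever offered, so the `ssl_dhparam` line is inert — harmless, but a comment saying so would stop someone "fixing" it later.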
diff --git a/playbooks.d/webserver-nginx/share/snippets.d/uwsgi.conf b/playbooks.d/webserver-nginx/share/snippets.d/uwsgi.conf
new file mode 100644
index 0000000..9d67d3d
--- /dev/null
+++ b/playbooks.d/webserver-nginx/share/snippets.d/uwsgi.conf
@@ -0,0 +1,20 @@
+
+uwsgi_param QUERY_STRING $query_string;
+uwsgi_param REQUEST_METHOD $request_method;
+uwsgi_param CONTENT_TYPE $content_type;
+uwsgi_param CONTENT_LENGTH $content_length;
+
+uwsgi_param REQUEST_URI $request_uri;
+uwsgi_param PATH_INFO $document_uri;
+uwsgi_param DOCUMENT_ROOT $document_root;
+uwsgi_param SERVER_PROTOCOL $server_protocol;
+uwsgi_param REQUEST_SCHEME $scheme;
+uwsgi_param HTTPS $https if_not_empty;
+
+uwsgi_param REMOTE_ADDR $remote_addr;
+uwsgi_param REMOTE_PORT $remote_port;
+uwsgi_param SERVER_PORT $server_port;
+uwsgi_param SERVER_NAME $server_name;
+
+# httpoxy mitigation (https://httpoxy.org/ https://www.nginx.com/blog/?p=41962)
+uwsgi_param HTTP_PROXY "";
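Review bot: The file opens with a stray blank line, and unlike fcgi.conf this snippet omits `SERVER_ADDR`; neither affects uwsgi, but keeping the two parameter sets in step (same ordering, plus `uwsgi_param SERVER_ADDR $server_addr;`) keeps future diffs between them readable. The `HTTP_PROXY ""` mitigation at the end matches the FastCGI snippet and is the right form for uwsgi.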