


Asif Bacchus
19fff14c6b default header buffers for auth tokens 2019-06-03 21:11:03 -06:00
Asif Bacchus
dbb741676d missing semicolon, disable early SSL by default 2019-06-03 21:10:30 -06:00
Asif Bacchus
1900dfa42d organized, change to more common header values 2019-06-03 21:09:33 -06:00
Asif Bacchus
5aafc1ad47 organized, change referrer policy, add edge header 2019-06-03 21:07:17 -06:00
Asif Bacchus
acd7e78108 default timeouts for compatibility 2019-06-03 21:05:37 -06:00
5 changed files with 26 additions and 17 deletions


@ -2,7 +2,7 @@
### NGINX configuration - buffers ### NGINX configuration - buffers
####### #######
client_body_buffer_size 10k; client_body_buffer_size 16k;
client_header_buffer_size 1k; client_header_buffer_size 1k;
client_max_body_size 10M; client_max_body_size 10M;
large_client_header_buffers 2 1k; large_client_header_buffers 4 8k;
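Review bot: The new `large_client_header_buffers 4 8k` carries no comment explaining the 8k, even though the commit message ties it to auth tokens; add `# 8k per buffer so large auth cookies/bearer tokens fit; a single header line over 8k is rejected with 494` above it so the next reader does not shrink it back. Since `client_header_buffer_size 1k` is still the first allocation and the 8k buffers are only used on overflow, normal requests pay nothing for this; the per-connection cost only grows in combination with the longer header timeout elsewhere in this compare, which is worth stating here.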


@ -15,9 +15,10 @@ ssl_session_tickets off;
# SSL ciphers # SSL ciphers
ssl_protocols TLSv1.2 TLSv1.3; ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256' ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
ssl_early_data on; # if your NGINX build supports this and is using TLSv1.3, then enable
#ssl_early_data on;
# Diffie-Hellman parameter for DHE cipher suites, using 4096 bits # Diffie-Hellman parameter for DHE cipher suites, using 4096 bits
ssl_dhparam <path/to/your_dhparam.pem>; ssl_dhparam <path/to/your_dhparam.pem>;
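Review bot: The three `TLS-…` entries at the head of `ssl_ciphers` on L35 have no effect if this nginx is linked against OpenSSL: TLSv1.3 suites are not selected through the `ssl_ciphers` string (OpenSSL uses the underscore names such as `TLS_AES_256_GCM_SHA384` and a separate Ciphersuites setting, exposed in newer nginx as `ssl_conf_command Ciphersuites …`), and unknown names in the list are skipped silently, so this directive only constrains TLSv1.2. Either drop them or add `# TLSv1.3 suites are fixed by the TLS library; this list governs TLSv1.2 only` so nobody assumes they are enforced. The trailing `ECDHE-*-AES*-SHA384` / `-SHA256` entries are CBC-mode suites; unless specific TLSv1.2 clients that need them are a requirement, cut the list after the last GCM/CHACHA20 suite. Separately, the `ssl_dhparam` comment says it serves DHE suites, but no DHE suite appears in the list, so the parameter file is loaded without being used — the comment should say so or a DHE suite should be added.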


@ -3,10 +3,14 @@
####### #######
proxy_set_header Host $host; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Port $server_port; proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-Server $host;
proxy_set_header Early-Data $ssl_early_data; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
# if 'ssl_early_data' enabled in SSL configuration, then uncomment this
#proxy_set_header Early-Data $ssl_early_data;
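Review bot: The new header set sends `X-Forwarded-Protocol` and `X-Scheme` but not `X-Forwarded-Proto`, which is the header most application frameworks consult to decide that a request arrived over HTTPS (secure-cookie and redirect logic), so a backend behind this proxy may still treat requests as plain HTTP; add `proxy_set_header X-Forwarded-Proto $scheme;`. Which `X-Forwarded-For` value survives the rendering is not certain from this page: with `$remote_addr` the real client address is lost whenever another proxy sits in front of this one, and with `$proxy_add_x_forwarded_for` the first entry is client-supplied and must never be used for access decisions — either way `X-Real-IP $remote_addr` is the only value the backend can rely on, and a comment saying so belongs here. When `Early-Data` is later uncommented, note beside it that the upstream must refuse non-idempotent requests carrying `Early-Data: 1` (RFC 8470, 425 Too Early), because 0-RTT data can be replayed.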


@ -3,10 +3,14 @@
### (HTTPS specific headers are added in HTTPS configuration) ### (HTTPS specific headers are added in HTTPS configuration)
####### #######
add_header X-Robots-Tag none;
add_header X-Download-Options noopen;
add_header X-Permitted-Cross-Domain-Policies none;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "no-referrer" always;
add_header Feature-Policy "geolocation 'self'"; add_header Feature-Policy "geolocation 'self'";
add_header Referrer-Policy "strict-origin" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options noopen;
add_header X-Frame-Options DENY;
add_header X-Permitted-Cross-Domain-Policies none;
add_header X-Robots-Tag none;
add_header X-UA-Compatible "IE=edge";
add_header X-XSS-Protection "1; mode=block" always;
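Review bot: The new `add_header X-Frame-Options DENY;` on L75 lacks `always`, as do `X-Download-Options`, `X-Permitted-Cross-Domain-Policies`, `X-Robots-Tag`, `X-UA-Compatible` and `Feature-Policy`, so nginx emits them only on 2xx/3xx responses and every 4xx/5xx page this server produces remains framable; change it to `add_header X-Frame-Options DENY always;` and apply `always` to the rest so the policy does not depend on the status code. The file header should also warn that `add_header` is not additive across levels in nginx: any `server` or `location` block that declares its own `add_header` (for example the HTTPS-specific headers the top comment refers to) silently drops everything in this file unless it is re-included there. `X-XSS-Protection "1; mode=block"` has been removed from current browsers and the filter could itself be abused for cross-site leaks; the usual recommendation is now `X-XSS-Protection 0` together with a Content-Security-Policy, which this set does not define.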


@ -2,9 +2,9 @@
### NGINX configurations - timeouts ### NGINX configurations - timeouts
####### #######
client_body_timeout 12; client_body_timeout 60;
client_header_timeout 12; client_header_timeout 60;
keepalive_timeout 15; keepalive_timeout 65;
send_timeout 300; send_timeout 300;
reset_timedout_connection on; reset_timedout_connection on;
proxy_connect_timeout 300s; proxy_connect_timeout 300s;
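Review bot: Raising `client_header_timeout` and `client_body_timeout` from 12 to 60 at L86-L87 lets a slow-request (slowloris-style) client hold a worker connection five times longer, and nothing in this file bounds connections per source; if the compatibility need is real, pair it with a `limit_conn` zone keyed on `$binary_remote_addr` (not visible in this compare — confirm it exists elsewhere) and keep `reset_timedout_connection on` as it is. Add a comment such as `# 60s matches nginx defaults; slow-client exposure is bounded by limit_conn elsewhere` so the next reader knows the trade-off was deliberate. The unchanged `proxy_connect_timeout 300s` is misleading: per the nginx documentation this timeout cannot usually exceed about 75 seconds because the OS abandons the TCP connect first, so an honest value such as `proxy_connect_timeout 60s;` would better reflect the real behavior.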