forked from BIAndrews/nginx-compliance-config
-
Notifications
You must be signed in to change notification settings - Fork 0
/
nginx.conf
148 lines (120 loc) · 5.13 KB
/
nginx.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
#######################################################################################
#
# Example nginx ~1.10 configurations to pass PCI-DSS, HIPPA, and NIST compliance
#
# Reference platform: CentOS7 + EPEL
#
# Configuration Scanners
#
# * https://www.htbridge.com/ssl
# - A+, PCI-DSS, HIPPA, and NIST compliance
#
# * https://globalsign.ssllabs.com/
# - A+, Cert: 100, Proto: 98, Key: 90, Cipher Str: 90
#
# * https://www.digicert.com/help/
# - All green checks
#
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
# for high performance VM
worker_connections 8096;
multi_accept on;
use epoll;
}
worker_rlimit_nofile 40000;
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_tokens off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Load modular configuration files from the /etc/nginx/conf.d directory.
include /etc/nginx/conf.d/*.conf;
proxy_cache_path /var/lib/cache levels=1:2 keys_zone=my_cache:10m max_size=10g inactive=60m use_temp_path=off;
# Enable optional HSTS
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# X-Frame-Options Protection
add_header X-Frame-Options "SAMEORIGIN";
# X-XSS-Protection
add_header X-XSS-Protection "1; mode=block";
# X-Content-Type-Options
add_header X-Content-Type-Options nosniff;
# Content-Security-Policy
add_header Content-Security-Policy "default-src 'self' *.google.com *.amazon.com;";
# simply redirects to HTTPS
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
root /usr/share/nginx/html;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
server_tokens off;
# Do not use a standard single crt sent from your CA
#ssl_certificate "/etc/ssl/www.example.com.crt";
# SSL Bundle creation howto: https://gist.github.com/bradmontgomery/6487319
# Example: cat www.example.com.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt > ssl-bundle.pem
ssl_certificate "/etc/ssl/ssl-bundle.pem";
ssl_certificate_key "/etc/ssl/www.example.com.key";
# Create with: sudo openssl dhparam -dsaparam -out /etc/ssl/dhparam.pem 4096
ssl_dhparam /etc/ssl/dhparam.pem;
ssl_protocols TLSv1.1 TLSv1.2; # TLSv1.0 prevented for PCI-DSS compliance
ssl_session_cache shared:SSL:60m;
ssl_session_timeout 60m;
# Updated Cipher Suites
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS';
ssl_prefer_server_ciphers on;
# Enable HSTS
add_header Strict-Transport-Security max-age=15768000;
# OCSP Setup
# To test locally:
# (This test can be positive and a bad ssl_trusted_certificate pem can still break OCSP.)
#
# And look for this:
#
#OCSP response:
#======================================
#OCSP Response Data:
# OCSP Response Status: successful (0x0)
# Response Type: Basic OCSP Response
# Version: 1 (0x0)
#<!-- cut -->
#
ssl_stapling on;
ssl_stapling_verify on;
# Google public DNS servers used in example
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 2s;
# Created with: cat /etc/ssl/ssl-bundle.pem /etc/ssl/www.example.com.externalcaroot > /etc/ssl/ca.trust
ssl_trusted_certificate "/etc/ssl/ca.trust";
# Example of a proxy to an AWS S3 Bucket
#location / {
#proxy_cache my_cache;
#proxy_cache_lock on;
#proxy_cache_valid 202 302 10m;
#proxy_cache_valid 404 1m;
#proxy_pass http://my-bucket-name.s3-website-us-east-1.amazonaws.com/;
#}
include /etc/nginx/default.d/*.conf;
}
}